DocuSign phishing surge, targeting regulated businesses

There was a staggering 98% increase in DocuSign phishing URLs between November 8 and 14, signalling a rapidly growing threat to businesses in industries heavily regulated by state and municipal authorities in the United States.

These phishing schemes exploit businesses’ trusted relationships with regulatory bodies by impersonating prominent state and municipal agencies. These attacks have mimicked entities such as the Maryland Department of Transportation, the North Carolina Licensing Board for General Contractors, and city governments from Milwaukee to Houston.

Typically, the scams involve using legitimate DocuSign accounts to create seemingly authentic templates. These fraudulent requests are carefully tailored to align with industry-specific documentation and communication styles, enhancing their believability.

The City of Milwaukee DocuSign phishing page. | Source: Slashnext

In one example, researchers discovered a Milwaukee contractor received a DocuSign request purporting to be from the City’s Department of Public Works. The document, allegedly related to a $2.8 million renovation project, demanded an immediate signature on a change order for additional costs of $175,000.

Trusting its legitimacy, the contractor approved the document unwittingly, setting the stage for financial loss.

Another case targeted a commercial contractor in North Carolina. The phishing email claimed to be from the NC Licensing Board and warned of an impending work stoppage on a $12 million hospital project due to compliance issues.

An ‘emergency bond’ payment of $85,000 was requested to resolve the issue. The sense of urgency and potential project disruption made the contractor vulnerable to this scam.

North Carolina DocuSign phishing page. | Source: Slashnext

The scammers used real DocuSign accounts and APIs, bypassing traditional email security measures. Moreover, the language, pricing, and document formats are tailored to resonate with industry professionals. Threat actors often time their attacks to coincide with renewal or compliance periods, which makes the scams more likely to succeed.

Researchers believe that these attacks create operational chaos beyond immediate monetary theft. Fraudulent documents can trigger unauthorised payments and sow confusion regarding actual compliance or licensing statuses. The disruption can hinder project timelines, jeopardise bids on future contracts, and erode trust with regulatory authorities.

Cyber security experts urged businesses to treat unexpected or urgent licensing requests with caution. They also cautioned against proceeding with payment instructions that deviate from standard procedures or documentation requests outside typical renewal schedules.
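
The checks above can be turned into a simple triage rule for incoming signature requests. The sketch below is an added example, not code from Slashnext or DocuSign; the `Envelope` fields, the phrase lists, the contact list and the renewal windows are all assumptions, and the two sample requests are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date

# Phrases modelled on the lures described in the article (constructed list, extend per industry).
AGENCY = re.compile(r"\b(department of|licensing board|city of|public works)\b", re.I)
URGENCY = re.compile(r"\b(immediate(ly)?|urgent(ly)?|emergency|work stoppage)\b", re.I)
PAYMENT = re.compile(r"\b(payment|bond|wire|change order|additional costs?)\b", re.I)

@dataclass
class Envelope:
    # Hypothetical fields, assumed to be extracted from the notification by upstream tooling.
    sender_name: str
    sender_email: str
    subject: str
    body: str
    received: date

def triage(env, verified_contacts, renewal_windows):
    """Return (hold, reasons). Mail authentication is deliberately not a signal:
    the requests come from real DocuSign accounts, so it passes."""
    text = f"{env.subject}\n{env.body}"
    reasons = []
    claims_agency = bool(AGENCY.search(env.sender_name) or AGENCY.search(env.subject))
    if claims_agency and env.sender_email.lower() not in verified_contacts:
        reasons.append("agency name from unverified sender")
    if URGENCY.search(text):
        reasons.append("urgency language")
    pays = bool(PAYMENT.search(text))
    if pays:
        reasons.append("payment or cost change requested")
    if claims_agency and not any(a <= env.received <= b for a, b in renewal_windows):
        reasons.append("outside known renewal window")
    # Hold for out-of-band confirmation when money is involved and anything else is off.
    hold = pays and len(reasons) >= 2
    return hold, reasons

# Constructed samples: one modelled on the Milwaukee lure, one routine renewal.
WINDOWS = [(date(2024, 6, 1), date(2024, 6, 30))]
CONTACTS = {"licensing@agency.example"}
LURE = Envelope("City of Milwaukee Department of Public Works", "dpw-docs@mail.example",
                "Change order requires immediate signature",
                "Approve additional costs of $175,000 for the renovation project.",
                date(2024, 11, 12))
ROUTINE = Envelope("State Licensing Board", "licensing@agency.example",
                   "Annual license renewal form", "Please review and sign your renewal form.",
                   date(2024, 6, 10))
```

A held request should be confirmed with the agency through a phone number or portal already on file, not through any contact detail in the request itself.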

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
