The DocuSign API phish has received some recent media attention, but not a lot, so it's being included here for a signal boost. This is a type of invoice scam aimed at businesses.

Most information security people train users not to click on supposed DocuSign emails unless they can verify that they actually came from DocuSign; this particular phish/scam gets around that training by using DocuSign's own internal API to inject a fake invoice or other document, so the email really does come from DocuSign itself. This is similar to fake invoice scams that use PayPal or another similar service to get you to call the scammer's number (the Unpurchased Purchases Refund scam that I've covered before); however, this scam has a different aim.

What happens is that a scammer either signs up for a paid DocuSign account or compromises the account of someone who already has one. Scammers are cheap as hell, so usually it's somebody's compromised account - wouldn't want to spend money, after all! Then they send a fake invoice to someone at a company in the hope that the person signs it. After that, the scammer demands payment on the grounds that someone at the company authorized it.

In some ways, this is a modern version of the ancient Toner scam, but instead of sending shitty stuff, they don’t send anything at all. There are versions of the Toner scam that do the same thing.

How to protect yourself
Awareness is key. Don’t sign anything that you’re unsure about.

On top of that, businesses can protect themselves by having procedures in place. For example, my employer only buys from authorized vendors that they’ve had prior contact with. All purchases are in writing in a specific format, such as a purchase order. No negotiated purchase order, no payment. This way, even if your customer service head falls prey and does sign, you have a way to say “nope, that wasn’t authorized.”
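The "no negotiated purchase order, no payment" rule can also be enforced as an automated gate before an envelope ever reaches a signer. The following is an added example, not code from the post or from DocuSign: the envelope fields, the authorized-vendor list, the purchase-order register and the PO number format are all constructed assumptions, not DocuSign's real notification schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (assumption): the vendor allowlist and the open PO
# register a purchasing team would maintain. Not real vendors or orders.
AUTHORIZED_VENDORS: Dict[str, str] = {"acme-paper.example": "Acme Paper Co."}
OPEN_PURCHASE_ORDERS: Dict[str, dict] = {
    "PO-2024-0117": {"vendor_domain": "acme-paper.example", "amount": 1250.00},
}

# Assumed PO number format; adjust to whatever your purchasing system issues.
PO_PATTERN = re.compile(r"\bPO-\d{4}-\d{4}\b")


@dataclass
class Envelope:
    """Minimal constructed view of an incoming envelope (assumed shape).

    sender_email is the DocuSign *account* that created the envelope, not the
    From: header of the notification email, which legitimately comes from
    DocuSign in both the real and the scam case.
    """
    sender_email: str
    subject: str
    message: str
    amount: float


def find_po_number(text: str) -> Optional[str]:
    """Return the first PO number referenced in the text, if any."""
    match = PO_PATTERN.search(text)
    return match.group(0) if match else None


def check_envelope(env: Envelope) -> List[str]:
    """Return policy violations; an empty list means it may be routed to a signer."""
    problems: List[str] = []
    domain = env.sender_email.rsplit("@", 1)[-1].lower()
    if domain not in AUTHORIZED_VENDORS:
        problems.append(f"sender domain {domain!r} is not an authorized vendor")
    po = find_po_number(env.subject) or find_po_number(env.message)
    if po is None:
        problems.append("no purchase order number referenced")
        return problems
    order = OPEN_PURCHASE_ORDERS.get(po)
    if order is None:
        problems.append(f"{po} is not an open purchase order")
        return problems
    if order["vendor_domain"] != domain:
        problems.append(f"{po} was issued to a different vendor")
    if env.amount > order["amount"]:
        problems.append(f"amount {env.amount:.2f} exceeds {po} ({order['amount']:.2f})")
    return problems
```

Because the check keys on the PO rather than on who sent the envelope, an invoice sent from a compromised account of an authorized vendor still fails unless it matches an open order and its amount.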