PayPal Phishing Email Scam Campaign Exploits DocuSign API to Bypass Security Measures

• Fake emails were recently seen leveraging the DocuSign API in a phishing campaign.
• Scammers impersonated PayPal via DocuSign’s readily available templates, adding to their credibility.
• Yet, the emails came from non-business Gmail addresses and sent DocuSign files that did not require signing.

Cybercriminals have found a new way to exploit trusted platforms, with a recent phishing scam using DocuSign’s API to impersonate PayPal. The fraud involves creating fake invoice emails that appear legitimate to unsuspecting recipients.

The Docusign Application Programming Interface (API) allows sending emails from genuine Docusign accounts and the use of templates from reputable companies. Their legitimacy bypasses many security filters, enabling scammers to carry out malicious email activities.

Security researchers highlighted a surge in cases where scammers set up a DocuSign account and use official-looking templates to send invoices falsely claiming to be from PayPal, which sidestep traditional security measures due to their authentic appearance. 

An example email references an unauthorized "transaction to Coinbase for $755.38," includes a fake transaction ID, and urges recipients to contact a fraudulent “Fraud Prevention Team” at a provided phone number.

Key indicators of the fraudulent emails include seeing a non-business Gmail address used as the sender and the absence of a Docusign signature requirement. Moreover, the "To" address can have incorrect recipient details.

People can verify potential scams by visiting Docusign’s official website instead of following links in suspicious emails. 

Using the "Access Documents" option to input the security code can help check whether you’re dealing with a scam since if an error message appears, it confirms the fraudulent nature of the email.

In January, scammers sent nearly perfect-looking email addresses using resources that are open to all, sending malicious emails that asked for PayPal payments using a sender ID that appeared legitimate.