Is that DocuSign email legit?

If you signed important paperwork electronically in the last few years, chances are you used DocuSign. Other products exist, but at this point DocuSign is so ubiquitous that it is in danger of becoming the Kleenex of electronic signature software (fun fact: there's a word for this - genericide).

SEM and our advisors have experienced an absolute barrage of fake DocuSign emails in the last few years, and we know other companies across many industries have experienced the same thing. It's not hard to understand why - DocuSign is almost a household name, and imagine what a cyber criminal could do with access to your DocuSign account!

Over the last few years we have learned a few differences between real and fake DocuSign emails. Let's go through some of them:

The email

Here's an example of a fake DocuSign email our CIO, Jeff, received last April. This is a phishing email. It wants to steal your DocuSign credentials and give someone else access to your DocuSign account. If you were to click the "Review Document" button, you would be taken to a fake DocuSign login page and prompted to enter your DocuSign credentials.

Firstly: all the normal wisdom about phishing emails applies.

Were you expecting to get this email? If you are required to sign something, usually you know about it in advance (e.g. after you had a conversation with your financial advisor, mortgage lender, business partner, etc.).

Does it feel "off"?

Can you confirm its legitimacy using a communication channel other than email? For example, if the request was supposedly sent by your advisor, you could call them and verify that this request is legitimate.

Email Address

The single biggest giveaway for a fake DocuSign email is the email address. Legitimate DocuSign emails only come from one of two places:

  1. The official DocuSign email address, whose domain is docusign.net. This is by far the most common.
  2. A custom email address configured by the company who is sending the DocuSign envelope. In this case, the domain name should match the company that is sending it (this is not a common configuration).

If a DocuSign email comes from a domain that is neither (1) docusign.net nor (2) affiliated with the person who is sending it, you should be suspicious. Notice in the example email above that the From address uses a completely different domain. Additionally, there is no mention in the body or subject of the email of who is sending this DocuSign envelope.

"You don't often get email from..."

Your email service might have the ability to configure a banner which warns you when you receive email from a sender you don't often receive email from. If you haven't configured this, I strongly recommend that you do. Notice the email below is using some trickery to try and make it look like the email actually came from DocuSign, but the banner shows the real sender address.

In Microsoft 365, this feature is called First contact safety tip. Send that link to whoever takes care of your email and they might be able to help you get it set up.

Verifying links, in general, is difficult. It is often hard to tell the difference between a malicious link and one that is legitimate but just really long and complicated.

However, with DocuSign in particular, the link will always go to a URL whose domain is docusign.net. Notice that this isn't the case here:
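Both checks above (the From address domain and the link domain) can be automated. The following is an added example, not something from DocuSign or from SEM: it parses a raw email, ignores the attacker-controlled display name, and flags any From domain or link host that is not docusign.net (or a subdomain of it) or a sender's own custom domain. Both sample messages and the placeholder custom domain "advisor.example" are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine DocuSign notification may come from or link to. docusign.net is
# from the post; "advisor.example" is a constructed stand-in for a sender's custom domain.
TRUSTED_DOMAINS = {"docusign.net", "advisor.example"}

def domain_is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one:
    'na3.docusign.net' passes, 'docusign.net.evil.example' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_docusign_email(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # The display name (e.g. "DocuSign") is attacker-controlled, so only the
    # address part of the From header is checked.
    _display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    if not domain_is_trusted(sender_domain):
        findings.append(f"From domain '{sender_domain}' is not docusign.net or the sender's own domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r"""https?://[^\s"'<>]+""", text):
        host = urlparse(url).hostname or ""
        if not domain_is_trusted(host):
            findings.append(f"Link host '{host}' is not docusign.net: {url}")
    return findings

# Constructed samples: a lookalike sender with a DocuSign display name,
# and a message shaped like a genuine notification.
FAKE_EMAIL = b"""From: "DocuSign" <noreply@docusign-secure.example>
Subject: Review Document
Content-Type: text/html

<p>Please <a href="https://docusign.net.evil.example/login">Review Document</a></p>
"""
REAL_EMAIL = b"""From: "Alice via DocuSign" <dse@docusign.net>
Subject: Please DocuSign: Agreement.pdf
Content-Type: text/html

<p>Alice sent you a document. <a href="https://na3.docusign.net/Signing/Start?a=1">Review Document</a></p>
"""
```

Running `check_docusign_email(FAKE_EMAIL)` reports both the lookalike From domain and the lookalike link host, while the real-shaped message produces no findings.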

Real email

Compare all this to a legitimate DocuSign email (heavily redacted, sorry. We Take Privacy And Security Seriously™).

Remember, if you are at all unsure, you can call the person who supposedly sent the DocuSign request and ask if it's legit.

Virginia
Dustin has been turning things off and back on again for SEM since 2018. Outside of work he enjoys Christian apologetics, playing guitar, and communicating in various dialects of toddler.