PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails.
Digging deeper into the scam, Malwarebytes Labs finds that the Docusign Application Programming Interface (API) allows 'customers' to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies.
To pull this off, the phishers set up a Docusign account and then use the templates provided by Docusign to send out legitimate-looking invoices from PayPal. Users may be informed of an 'unauthorised' transaction and are given a phone number to contact to safeguard the account and process a refund.
Because the emails come from Docusign, they can bypass many security filters, although there are a number of red flags that give the scammers away, including the use of Gmail addresses for the PayPal customer care team.
"Also, it seems weird that Docusign has been used to send a document that doesn’t require a signature," Malwarebytes points out.
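The red flags described above can be turned into a triage check for mail that genuinely arrives from Docusign. This is an added example, not code from Malwarebytes or Docusign; the sending domains, the `red_flags` function, the regular expressions and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not from the article: Docusign sending domains, webmail list.
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")
FREE_WEBMAIL = {"gmail.com"}
BRAND = "paypal"
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
SIGN_RE = re.compile(r"\b(sign|signature)\b", re.I)

def red_flags(raw):
    """Return the article's red flags found in one Docusign-delivered email."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in DOCUSIGN_DOMAINS):
        return []  # only mail that passed filters as Docusign is in scope
    text = msg.get("Subject", "") + "\n" + "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    flags = []
    webmail = [d for d in ADDR_RE.findall(text) if d.lower() in FREE_WEBMAIL]
    if BRAND in text.lower() and webmail:
        flags.append("brand_with_webmail_contact")  # "PayPal" support at Gmail
    if PHONE_RE.search(text):
        flags.append("callback_phone_number")       # number to call for a refund
    if not SIGN_RE.search(text):
        flags.append("no_signature_request")        # nothing is asked to be signed
    return flags

# Constructed sample messages (addresses, phone number and amounts are made up).
SCAM = """\
From: Billing via Docusign <sender@docusign.net>
Subject: Complete with Docusign: PayPal invoice

PayPal invoice: an unauthorised transaction of USD 699.99 was charged.
To safeguard your account and process a refund call +1 (555) 010-0199
or email paypal.customer.care@gmail.com
"""
BENIGN = """\
From: Leasing Office via Docusign <sender@docusign.net>
Subject: Please sign: lease agreement

Please review and sign the lease agreement. Questions? leasing@example.com
"""

if __name__ == "__main__":
    print(red_flags(SCAM), red_flags(BENIGN))
```

The flags are heuristics for analyst triage or a mail-gateway rule, and a message that raises none of them is not thereby verified as legitimate.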
Docusign says its team investigates and closes suspicious accounts within 24 hours of the activity being detected or reported. When suspicious accounts are reported, the vast majority of those accounts have already been detected by Docusign’s systems and are either under investigation or have already been closed. Once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender.