Attackers do abuse legitimate services like DocuSign to send phish, commit spoofing, fraud or steal personal data.
Take note that the sender address is legitimate, dse_NA4@docusign.net. The body contains a 32 character security code in it, usual for a DocuSign email. If you scroll over the link, it also appears to be on DocuSign’s servers, however this could contain a redirect, sending you to a malicious website or download malware.
Red flags:
- The sender name and email address contained in the body do not match. They are also very generic ie. james wood and mark harry.
- The link contained in the email “_wildcard_.usentden***” is suspicous.
- Grammatical error, the use of a capital letter in the middle of the sentence where it says, “These document(s) are related to the Completed transaction”.
- If you do not recognize the sender, this should raise a red flag.
Reach out to the helpdesk if you have clicked on any links or provided any personal information to fake DocuSign emails like this.
Subject: Approved: See Completed EFT Payment
From: james wood via Docusignjames wood sent you a document to review and sign.
Review Document [by clicking on the review document button]james wood
markharry[redacted]@outlook.comThese documents are related to the Completed transaction.
You can download these documents by clicking the links below.
_wildcard_.usentden[redacted]