Malwarebytes Labs has uncovered a phishing campaign that abuses the Docusign API, which lets anyone holding a Docusign account send envelope notification emails through Docusign's own, legitimate mail infrastructure.
Scammers register a Docusign account and use its templates to impersonate reputable companies such as PayPal, sending fraudulent invoices that warn the recipient of an "unauthorized" transaction. The emails include a phone number to call to "resolve" the issue, steering victims into a live conversation with the scammers (the callback-phishing pattern). Because the messages genuinely originate from Docusign, they pass the sender-authentication checks (SPF, DKIM, DMARC) that would catch a spoofed PayPal address and therefore slip past many security filters. Red flags remain, however: in the observed emails the "PayPal customer support" contact was a Gmail address.
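Since sender authentication legitimately passes for these messages, detection has to look at the content of the notification rather than its origin. The following heuristic triage, added here as an example and not code from Malwarebytes or Docusign, scores a Docusign-originated email on the red flags described above: a well-known brand named in the display name or body, a phone number as the call to action, a contact address on a free-mail provider, and no request for a signature. The two sample messages, the brand and free-mail lists, the scoring weights and the threshold are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. Header values are illustrative and were not captured
# from the campaign; 555-01xx phone numbers and the .example TLD are reserved for fiction.
SUSPICIOUS_EMAIL = """\
From: "PayPal Billing via Docusign" <dse@docusign.net>
To: victim@example.com
Subject: Invoice for unauthorized transaction
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=docusign.net; dkim=pass header.d=docusign.net

An unauthorized transaction of $499.99 was charged to your PayPal account.
If you did not authorize this, call PayPal Customer Support at 1-800-555-0199
or email paypal.support.team@gmail.com within 24 hours to cancel the charge.
"""

BENIGN_EMAIL = """\
From: "Alice Smith via Docusign" <dse@docusign.net>
To: victim@example.com
Subject: Please DocuSign: Consulting agreement
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=docusign.net; dkim=pass header.d=docusign.net

Alice Smith (alice@contoso-consulting.example) sent you a document to review and sign.
Please review the consulting agreement and add your signature.
"""

# Assumed tuning lists; a real deployment would source these from threat intel / policy.
DOCUSIGN_DOMAINS = ("docusign.net", "docusign.com")
IMPERSONATED_BRANDS = ("paypal", "amazon", "apple", "microsoft", "norton", "geek squad")
FREEMAIL_DOMAINS = ("gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com")
WEIGHTS = {"brand_impersonation": 1, "phone_numbers": 2,
           "freemail_contacts": 2, "no_signature_request": 1}
SUSPICIOUS_THRESHOLD = 3  # assumed: brand + any callback channel, or callback + no signature

PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SIGN_RE = re.compile(r"\b(?:sign|signing|signature)\b", re.I)


def sender_is_docusign(raw_from: str) -> bool:
    """True when the From: address is on a Docusign domain (or a subdomain of one)."""
    _, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain in DOCUSIGN_DOMAINS or domain.endswith(tuple("." + d for d in DOCUSIGN_DOMAINS))


def score_docusign_notification(raw: str) -> dict:
    """Score a raw RFC 822 message on the callback-phishing red flags; only Docusign-origin
    mail is scored, because the heuristic is about abuse of a trusted sender."""
    msg = message_from_string(raw)
    findings = {}
    if not sender_is_docusign(msg.get("From", "")):
        return {"from_docusign": False, "score": 0, "findings": findings, "suspicious": False}

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    display_name, _ = parseaddr(msg.get("From", ""))
    lowered = (display_name + "\n" + text).lower()

    # 1. A well-known brand is invoked although the actual sender is Docusign.
    brands = [b for b in IMPERSONATED_BRANDS if b in lowered]
    if brands:
        findings["brand_impersonation"] = brands
    # 2. The call to action is a phone number (callback phishing / TOAD).
    phones = PHONE_RE.findall(text)
    if phones:
        findings["phone_numbers"] = phones
    # 3. A "corporate" contact address on a free-mail provider (the Gmail red flag).
    freemail = [m.group(0) for m in ADDR_RE.finditer(body)
                if m.group(1).lower() in FREEMAIL_DOMAINS]
    if freemail:
        findings["freemail_contacts"] = freemail
    # 4. An envelope that never asks for a signature is an odd use of Docusign.
    if not SIGN_RE.search(text):
        findings["no_signature_request"] = True

    score = sum(WEIGHTS[k] for k in findings)
    return {"from_docusign": True, "score": score, "findings": findings,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score_docusign_notification(sample))
```

The score is a triage signal for a mail gateway or SOAR playbook, not an authentication verdict: SPF and DKIM are correct for these messages, so a rule keyed on authentication failure would never fire. Treat the brand and free-mail lists as starting points and tune the threshold against your own legitimate Docusign traffic before quarantining on it.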
Docusign acknowledges the issue and states that its security team investigates and shuts down suspicious accounts within 24 hours of detection or reporting; in most cases its own systems have already flagged the fraudulent account before anyone reports it. Once an account is terminated, every document sent from it becomes inaccessible to recipients and sender alike, limiting further harm. Malwarebytes also highlights an unusual aspect of the scam: the fraudulent invoices are sent through Docusign even though they require no signature at all, which is itself a warning sign for recipients.