If you receive an unsolicited email that appears to come from Docusign, don’t trust it without verifying its origin first. Scammers are once again impersonating the e-signature provider in a phishing campaign that leads recipients to believe there is a problem with their Apple Pay accounts.
Docusign is no stranger to scams: Threat actors often use the company’s trusted reputation to impersonate real people and organizations, sending links to (fake) invoices, refund notices, employment contracts, and even legal documents in hopes of collecting sensitive information.
How the Docusign Apple Pay scam works
The latest Docusign scam, identified by staff at both AppleInsider and CyberGuy, starts with an email that, at first glance, looks like a receipt for a subscription purchased through Apple Pay. There’s branding from Apple and Docusign as well as an order ID, and the message directs you to call the included Apple support line if you don’t recognize the charge.
The phone number obviously isn’t Apple’s—instead, you’ll reach the scammers, who will try to extract information like your Apple ID and bank account number, convince you to download remote access software, or demand payment to protect your account. Phishing emails also often include malicious links or attachments.
Docusign scam red flags
Like all scams, this one plays on emotions like fear and a sense of urgency to fix an apparent problem with your account. It also relies on user trust in the brands being impersonated so you’re more likely to engage.
There are a few other ways to identify this campaign as a fraud. For one, the message doesn’t originate from an official Apple or Docusign domain—those sent to AppleInsider came from a Gmail address. (Note that sender names may include lookalike characters that are harder to spot and can evade spam filters.) For another, major companies don’t use Docusign to send receipts or invoices. If you cross-check against your App Store or Wallet transactions, you won’t find this fake one listed.
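The two sender checks described above (a brand name in the display name paired with an unofficial domain, and lookalike characters in the sender name) can be automated for a mail filter or triage script. The following Python sketch is an added example, not code from Docusign, Apple, or the outlets cited; the official-domain list, the lookalike table, and the sample headers are assumptions constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: domains treated as official for each brand in this illustration.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "docusign": {"docusign.com", "docusign.net"},
}

# Constructed subset of Cyrillic letters that render like Latin ones; the
# full Unicode confusables table is far larger.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u0501": "d"}

def skeleton(text):
    """Fold case and map known lookalikes to ASCII so brand names match."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def mixed_script(text):
    """True when the letters in text come from more than one script."""
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
               for ch in text if ch.isalpha()}
    return len(scripts) > 1

def check_from(from_header):
    """Return red flags for an already-decoded From header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if mixed_script(display):
        flags.append("lookalike-characters")
    for brand, official in BRAND_DOMAINS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in official)
        if brand in skeleton(display) and not trusted:
            flags.append(f"{brand}-name-from-{domain}")
    return flags

# Constructed sample headers (not taken from the real campaign).
# \u0410 is a Cyrillic capital A that looks like a Latin "A".
SAMPLES = [
    "\u0410pple Pay via Docusign <billing.notice@gmail.com>",
    "Apple Pay via Docusign <receipts@gmail.com>",
    "Docusign <dse@docusign.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "no flags")
```

A clean result only means the sender fields look consistent; the other checks in this section, such as cross-checking your App Store or Wallet transactions, still apply.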
In general, you shouldn’t engage with anything from Docusign that you weren’t aware of prior to receipt. And always go directly to a company’s website or app to log into your account or find contact information to verify any suspicious claims. You can report spoofed Docusign emails to spam[at]docusign[dot]com.