Due to an investigation into potential phishing emails that some DSB partners received, we are sharing information on how best to protect your organizations from phishing attacks. 

With the number of phishing attacks growing every day, it’s important to be able to identify suspicious emails as trustworthy or fake as best as possible. Threat actors intentionally choose the most well-known and trusted brands as social engineering lures for phishing attempts and other cyberattacks. Unfortunately, these threat actors try to impersonate State Agencies using DocuSign for e-Signatures attempting to trick you into revealing your credentials and more.

Credential phishing is one of the most prevalent attack methods and typically come via malicious emails. Compromising the DocuSign account isn’t always the aim of the attack. Often, they want to gain access to email credentials, utilizing the username and password combination used on DocuSign. The tendency of most people to reuse usernames and passwords across websites, coupled with the trend of organizations using email addresses for user IDs, makes it easier for attackers to steal valuable information and exploit it. Below is an example of a DocuSign-themed phishing site. Before entering your DocuSign credentials, double check that you’re on the correct website: https://www.docusign.com or https://www.docusign.net (if there is an embedded link in a DocuSign email).

Based on DocuSign’s internal monitoring, they see numerous DocuSign-themed malicious email campaigns every month. The lure is presented in the form of email content, which may or may not include attachments. Email campaigns are dangerous, because they can lead to various attacks, such as fraud, backdoors, banking trojans, ransomware or a combination of these threats. If you have a DocuSign account, consider changing the current password being sure to use a combination of letters (mix of upper and lower case), numbers and symbols minimally 10 characters in length.

Generally, it’s best to be skeptical about strange emails. Here’s a quick checklist of some questions you can run through to evaluate if an email might be phishing:

• Are you expecting the email?
• Do you recognize the sender?
• Do the email signature and the sender name/email address match?
• Is the look or tone off from the norm?
• Are there spelling or grammar errors throughout?
• Is it more generic than it should be?
• Is it asking for you to provide your personal or login information?
• Are the links taking you to a valid and expected place (hover over them without clicking on your computer or long tap on your mobile device to see the link)?
• Are there strong emotions or an urgency communicated?
• Do you feel like it’s just weird?

A few simple techniques can help you spot the difference between a spoofed DocuSign email and the real thing:

• Hover over all embedded links: URLs to view or sign DocuSign documents contain “docusign.net” and always start with “https://” (graphic example below).
  • The link may also include a subdomain from one of DocuSign’s other servers like, “na2”, “na3”, “na4”, “au”, “ca”, “eu” or “demo” designations. Ex. https://dse_na3@docusign.net
• Access the document directly from https://docusign.com. Select Access Documents at the top of the web page and then enter the unique security code to continue.
  • If the email does not include a unique security code, that is an absolute sign of a fake email.
• Don’t open unknown or suspicious attachments, or click links—DocuSign emails will never ask you to open a PDF, office document or zip file.
• Contact DSB in a separate email, business@delaware.gov, or by phone, 302-739-4271, to verify the email’s authenticity, if you’re still suspicious.