Phishing Campaign Abuses DocuSign API to Send Fake Invoices
The healthcare and public health sector (HPH) has been warned about an ongoing widespread phishing campaign that abuses DocuSign e-signature software to impersonate well-known brands. The aim of the campaign is to trick individuals into authorizing payment of fake invoices through their billing department.
The campaign was identified in early December by researchers at Wallarm. The threat actor does not appear to be targeting any specific sector; however, the Health Sector Cybersecurity Coordination Center (HC3) has issued a sector alert as the threat activity has the potential to affect the HPH sector and the sector has been targeted in the past in similar fake invoice phishing campaigns.
According to the researchers, the threat actor uses the DocuSign Envelopes API to create and mass-distribute fake invoices that appear to have been sent by companies such as Norton and PayPal. The invoices are realistic and include accurate pricing information for the products. For instance, one invoice was generated for the all-in-one security suite, Norton LifeLock 360. The invoice was for $298 and included the $249.00 charge for the product for 2 users for 1 year, plus an additional $49.00 activation charge. Other emails intercepted by the researchers included direct wire instructions or purchase orders. The threat actor attempts to trick the recipient into e-signing the document and forwarding it to their billing department for payment.
Since the documents are sent through the genuine DocuSign platform, the emails appear legitimate and are unlikely to be blocked or flagged by email security solutions because they have been sent from a trusted service and do not include malicious links or attachments. Since the emails are likely to reach end users, it is important to raise awareness of the scam through security awareness training. Employees should be told to carefully examine any emails they receive and to be wary of any unusual invoice requests.
Checks should be conducted on the sender’s email address and any associated accounts for legitimacy, and employees should be vigilant for anomalies in emails, such as a last name written without a capital letter. If the sender of the DocuSign envelope is not recognized, or the email is suspicious, users should look for the unique security code at the bottom of the DocuSign envelope notification email. If it is not present, do not click any links or open any attachments, and delete the email.

DocuSign phishing emails with a fake email address, old logo, and no security code. Source: DocuSign
Healthcare organizations should also consider implementing strict policies and procedures for approving purchases and financial transactions and, where possible, those checks should involve multiple team members. If a suspicious email is received from DocuSign, the email should be forwarded to [email protected] and then deleted.
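The sender and security-code checks described above, as an added triage script that is not from the article or from DocuSign. The trusted sender domains and the "Security Code:" line format are assumptions about how genuine notifications look, and both email samples are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: domains genuine DocuSign notifications are sent from.
TRUSTED_SENDER_DOMAINS = {"docusign.net", "docusign.com"}
# Assumed format of the security code line at the bottom of a notification.
SECURITY_CODE_RE = re.compile(r"security code[:\s]+([A-Z0-9]{8,})", re.I)
PAYMENT_WORDS_RE = re.compile(r"\b(wire|invoice|purchase order)\b", re.I)


def triage_notification(raw_message: str) -> dict:
    """Apply the sender and security-code checks; flag payment wording for approval."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    if domain not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain is not a DocuSign domain: {domain or '<none>'}")
    if not SECURITY_CODE_RE.search(text):
        findings.append("no security code at the bottom of the notification")
    if PAYMENT_WORDS_RE.search(text):
        findings.append("payment wording: route through the purchase-approval process")
    return {"sender": sender, "suspicious": bool(findings), "findings": findings}


# Constructed sample: look-alike sender domain, no security code, invoice wording.
SAMPLE_PHISH = """\
From: DocuSign <notify@docusign-invoice.example>
Subject: Please sign: Norton LifeLock 360 invoice

Your invoice for $298.00 is ready for signature.
Please sign and forward it to your billing department for payment.
"""

# Constructed sample shaped like a genuine notification (assumed format).
SAMPLE_OK = """\
From: DocuSign <dse@docusign.net>
Subject: Please review and sign

Jane Doe sent you a document to review and sign.
Security Code: A1B2C3D4E5F6
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_OK):
        print(triage_notification(sample))
```

The script only surfaces findings for a human reviewer; an email that passes these checks can still be fraudulent, which is why the purchase-approval step is flagged separately.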