A sophisticated wave of phishing attacks has emerged, exploiting the trusted relationships between businesses and government agencies. Using spoofed DocuSign notifications, cybercriminals are targeting contractors, vendors, and businesses that interact regularly with state and municipal authorities. Threat researchers at SlashNext report a staggering 98% increase in DocuSign phishing URLs since early November, with hundreds of new cases detected daily.
These attacks stand out for their precision and adaptability, with attackers impersonating agencies like the Maryland Department of Transportation, North Carolina’s Licensing Board for General Contractors, and the cities of Milwaukee, Charlotte, and Houston.
Anatomy of the Attack
The phishing attempts use legitimate DocuSign infrastructure to create convincing notifications that bypass traditional email security filters. Attackers leverage industry-specific terminology, realistic project details, and time-sensitive requests to deceive recipients.
For example, a general contractor in Milwaukee might receive a DocuSign notification from the City’s Department of Public Works regarding a $2.8 million renovation project. The document requests an immediate signature on a $175,000 change order. Trusting the familiar format and terminology, the contractor signs without verifying, unwittingly authorizing a fraudulent transaction.
Similarly, a contractor in North Carolina might receive a compliance notice from the state’s Licensing Board, claiming their $12 million hospital project faces shutdown due to regulatory issues. The notice demands an $85,000 emergency bond to prevent work stoppage, exploiting the urgency to prompt action without verification.
Why These Attacks Work
These phishing schemes are effective because they:
Appear Authentic: Attackers use legitimate DocuSign accounts and APIs to mimic official requests.
Exploit Predictability: Target businesses during licensing renewal or project management cycles.
Bypass Security: Emails from real DocuSign accounts evade standard email filters.
Incorporate Familiarity: Include accurate industry-specific terms, pricing, and project details.
Financial and Operational Risks
These attacks carry dual risks. Victims face immediate financial losses from fraudulent payments and potential operational disruptions due to confusion over legitimate licensing or project requirements. This uncertainty can stall bidding processes or jeopardize ongoing contracts.
How to Spot and Avoid Phishing Attempts
To protect against these attacks, businesses should watch for specific warning signs, including:
Unusual timing for license renewals or contract amendments.
Payment instructions that deviate from standard protocols.
Requests for immediate action that bypass regular communication channels.
Licensing or compliance demands outside normal renewal cycles.
The evolving nature of these attacks underscores the need for robust verification processes and cybersecurity awareness. Businesses should train employees to recognize phishing tactics and implement multi-factor authentication to secure critical accounts.
By understanding the tactics used in these state-focused DocuSign phishing scams, businesses can better protect themselves against financial losses and operational disruptions during the busy holiday and licensing season.