Scammers are like cockroaches: no matter how many times you think you’ve squashed them, they find a way to scuttle back into your life. And lately, they’ve been dusting off an old trick to bypass your email security and steal your hard-earned cash. The latest scheme? A sneaky blend of PayPal phishing and a trusted platform you’ve probably used before: Docusign.
Yes, you read that right. Scammers are now using Docusign—a service designed to make your life easier—to make their phishing emails look legit. It’s like a wolf showing up at your door wearing a sheep’s sweater, complete with a monogram. But don’t worry, we’re here to help you spot the wool being pulled over your eyes.
Here’s the play-by-play: Scammers create a Docusign account and use its templates to send out fake PayPal invoices. Because the emails technically come from Docusign, they slide past most email security filters like a greased-up otter. Once you open the email, you’re greeted with a document that looks like it’s from PayPal, complete with logos and official-sounding language. But here’s the kicker: the sender’s email address is a dead giveaway.
As Pieter Arntz, a malware intelligence researcher at Malwarebytes, points out, these emails often come from a random Gmail address—not exactly the kind of thing you’d expect from a billion-dollar company like PayPal. And if you dig a little deeper, you’ll notice other red flags, like the “To” address not matching your email or even existing at all.
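For readers who triage reported mail, the red flags above can be checked mechanically. The following is an added example, not code from Malwarebytes, PayPal or Docusign: the sample message is constructed, and the header layout (the Gmail address sitting in Reply-To), the `docusign.example` and `mail.example` domains, the freemail list and the function names are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed, non-exhaustive list of free webmail domains.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample: sent through an e-signature platform, branded as PayPal.
SAMPLE = """\
From: "Billing Dept via Docusign" <sender@docusign.example>
Reply-To: billing.team.4471@gmail.com
To: nobody-here@mail.example
Subject: Complete with Docusign: PayPal Invoice
Content-Type: text/plain

PayPal: your payment has been processed. Review the attached invoice.
"""

def _addresses(msg, *headers):
    """Return the lowercased addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if "@" in addr}

def red_flags(raw, my_address, brand="paypal", brand_domains=("paypal.com",)):
    """List the red flags from the article that a raw message trips."""
    msg = message_from_string(raw)
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_maintype() == "text"
                    and isinstance(p.get_payload(), str))
    text = (msg.get("Subject", "") + " " + body).lower()
    senders = _addresses(msg, "From", "Reply-To", "Sender")
    domains = {a.rpartition("@")[2] for a in senders}
    flags = []
    if brand in text:
        # The message claims to be from the brand, but no sender address is.
        if not any(d == b or d.endswith("." + b)
                   for d in domains for b in brand_domains):
            flags.append("brand-not-in-sender")
        # A billion-dollar company does not invoice from free webmail.
        if domains & FREEMAIL:
            flags.append("freemail-sender")
    # The visible recipient should be the mailbox that received the mail.
    if my_address.lower() not in _addresses(msg, "To", "Cc"):
        flags.append("to-mismatch")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, "me@mail.example"))
```

Any one flag is only a hint, since legitimate mail is sometimes BCC'd or sent through third-party platforms; all three together match the pattern described here.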
You might be thinking, “This sounds like something from 2010. Why is it still a thing?” Well, scammers are banking on two things: trust and distraction.
First, Docusign is a trusted platform. When you see an email from them, you’re less likely to question its legitimacy. Second, let’s face it—we’re all busy. Who has time to scrutinize every email? Scammers know this and use it to their advantage.
But here’s the good news: this scam is easy to spot if you know what to look for.
While this scam might feel like a throwback to simpler times, phishing as a whole is evolving. As Paul Walsh, CEO of MetaCert, points out, the old advice of “look for spelling mistakes” is outdated. Scammers are now crafting well-written, professional-looking messages that are harder to detect.
What’s more, phishing is no longer just an email problem. Scammers are increasingly using SMS, calls, and even social media to target victims. Walsh argues that traditional threat intelligence is no longer enough to combat these attacks, and new solutions—like URL authentication before delivery—are needed to stay ahead of the game.
PayPal isn’t sitting idly by. The company uses a combination of manual investigations and advanced fraud detection tools to protect users. They’ve also launched initiatives like the Smarter Than Scams campaign, with others, to raise awareness about common fraud trends.
But here’s the bottom line: no matter how many safeguards are in place, the best defense is you. Stay sharp, trust your gut, and remember: if something feels off, it probably is.
Scammers might be turning back the clock, but that doesn’t mean we have to fall for their tricks. By staying informed and following a few simple steps, you can outsmart even the craftiest of fraudsters. So the next time you get an email that smells fishy, don’t take the bait. Instead, be the one who reels in the scammer—by reporting it and moving on with your day, scam-free.
After all, the best way to beat a scammer is to make sure they’re the ones left feeling foolish. And honestly, there’s nothing more satisfying than that.