Fake DocuSign Email Scam: How to Verify Before You Click
You're waiting on paperwork. An offer letter, a lease agreement, a contractor quote, something your accountant said she'd send over. An email shows up — DocuSign logo at the top, a yellow "Review Document" button, subject line reading "Please DocuSign: [document you've been expecting]." You click it without much thought, because you've been waiting for this.
That mental state — "I'm expecting something to sign" — is exactly what the scam is built around. Security researchers at Check Point tracked a campaign of over 40,000 phishing emails impersonating DocuSign and e-signing services, sent to more than 6,000 organizations over a two-week period in June 2026. The emails had no typos. They used real service logos, authentic formatting, and routing through legitimate-looking redirect services designed to pass link scanners cleanly. By the time your brain had a chance to get suspicious, the page had already asked for your login.
How the fake DocuSign email scam works
The basic version is straightforward: an email arrives styled as a DocuSign notification. The sender name shows something like "DocuSign via eSign" or a contact name you half-recognize. The button says "Review Document." Clicking it takes you to a page that looks like a Google, Microsoft, or DocuSign login. You enter your credentials. The "document" either times out, shows a generic error, or presents something meaningless. Meanwhile, your login is already in someone else's hands.
What they do with it depends on what they were after. A compromised Google account means your email, contacts, and everything connected to that login. A Microsoft account means your files, Teams conversations, and any app that trusted that login. And once an account is taken over, the next step is usually using it to run the same scam on everyone in your contact list — same technique, different sender name. For what this looks like from the receiving end, see fake invitation emails from hacked accounts.
Some variants skip credential theft entirely and go straight for payment: the fake "document" contains an invoice or processing fee you need to pay to release the file. These are blunter but still catch people mid-transaction.
Why your usual instincts don't catch it
Here's what makes e-signature phishing harder than most: it arrives with context. A random "verify your account" email is easy to ignore. An email that looks like the DocuSign notification you've been waiting for, arriving within minutes of a text from your landlord saying "I just sent the lease," is a different problem. Scammers don't manufacture urgency here — they find it. They send these in volume and let timing do the work.
The technical tells have also largely disappeared. AI-generated phishing has eliminated the typos and awkward phrasing that most people still use as their primary filter. Microsoft Threat Intelligence detected 8.3 billion phishing threats in Q1 2026, with the sophistication of attacks continuing to climb quarter over quarter. Looking right has been decoupled from being right for a while now. The absence of red flags is no longer evidence of legitimacy.
There's also a more difficult wrinkle: scammers don't always need to fake DocuSign. They can use it. A scammer with a real DocuSign account can create an envelope and send you a legitimate notification from the real domain — containing a document that asks you to enter payment details or credentials. The email passes every technical check because it came from DocuSign's actual system. The attack lives in the document content, not the envelope. This is why checking the sender address, while necessary, is not sufficient on its own.
The red flags that actually give fake DocuSign emails away
The link destination isn't docusign.com. Before clicking the "Review Document" button, hover over it on desktop — your browser shows the destination URL in the lower corner. It should start with https://docusign.com. If it shows a chain of redirects, an unfamiliar domain, or anything other than docusign.com as the final destination, do not click. On mobile, press and hold the button to preview the URL before tapping.
It's asking you to log in through Google or Microsoft. Real DocuSign sends you a one-time link to access your document directly — you don't need to authenticate through a third-party service to view it. Any page routing you through a Google sign-in, Microsoft login, or similar to "access your document" is harvesting your credentials, not showing you a contract.
The document name is generic or out of nowhere. "Agreement_V3_FINAL.pdf" from someone you've never corresponded with, no prior email thread, no context for what you're supposedly signing — that's a flag. Real e-signature requests arrive with context. You know what the document is, you know who's sending it, and it connects to something that's actually happening in your life.
There's time pressure with no prior conversation. "This document expires in 24 hours." "Signature required — time sensitive." DocuSign does allow senders to set expiration dates, but a legitimate request from someone you're actually in a transaction with doesn't usually arrive with a countdown clock attached to an email you weren't expecting.
The sender name is a business you don't recognize. DocuSign notifications tell you who sent the envelope — that's supposed to be a person or company you're doing business with. If the sender name is vague ("eSignature Service," "Legal Document Center," "HR Compliance Team"), that's worth a pause before proceeding.
The email arrived from someone you trust — but unexpectedly. If your accountant's or real estate agent's email address sends you a DocuSign request you weren't anticipating, call them on a number you already have before clicking anything. Account takeover is how this spreads: once a scammer has someone's email, they send phishing to that person's entire contact list because the recipients trust the sender.
How to verify a DocuSign email without clicking anything in it
Check the sender domain. Real DocuSign notifications come from @docusign.net or @docusign.com. If the "From" address is anything else — @docusign-notifications.net, @docu-sign.com, any variant — it's not DocuSign. But be aware that a real domain alone doesn't guarantee the email is legitimate, for the reasons above.
Hover the button before clicking. The destination URL is the clearest signal you have. It should resolve to docusign.com. If it resolves anywhere else, stop.
Go to docusign.com directly. If you have a DocuSign account, log in from docusign.com — don't use any link in the email — and check your inbox there. If a document is genuinely waiting for you to sign, it will appear in your DocuSign account. If nothing shows up, the notification was fake.
Forward the suspicious email to verify@docusign.com. DocuSign has a security team that investigates phishing reports and uses them to track active campaigns. If you're unsure, send it to them before clicking anything.
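The sender-domain and link-destination checks from the steps above, written out as an added Python example (not code from DocuSign or from this site). It compares parsed hostnames rather than how the address string starts, and it assumes subdomains of the listed domains are acceptable; the sample message and its addresses are constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SENDER_DOMAINS = {"docusign.net", "docusign.com"}  # sender domains named on this page
LINK_DOMAINS = {"docusign.com"}                    # link destination named on this page

def in_domain(host, allowed):
    """True if host is an allowed domain or a subdomain of one (subdomains: assumption)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def link_ok(href):
    """HTTPS only, judged by the parsed hostname rather than by how the string starts."""
    try:
        url = urlsplit(href)
        host = url.hostname  # drops any "user@" part, so docusign.com@login.example -> login.example
    except ValueError:
        return False
    return url.scheme == "https" and in_domain(host, LINK_DOMAINS)

def check_message(raw):
    """Return findings; an empty list means only that both domain checks passed."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))  # ignore the display name, keep the address
    ok = in_domain(addr.rpartition("@")[2], SENDER_DOMAINS)
    findings = [] if ok else ["sender: " + addr]
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    return findings + ["link: " + h for h in parser.hrefs if not link_ok(h)]

def sample(sender, href):
    """Constructed test message, not a captured email."""
    return (f"From: {sender}\nSubject: Please DocuSign: Lease\n"
            f"Content-Type: text/html\n\n<a href='{href}'>Review Document</a>\n")
```

An empty result does not clear the message: as noted above, an envelope sent through DocuSign's real system can still carry a malicious document, so the direct login at docusign.com remains the deciding check.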
If you already clicked
If you entered your Google or Microsoft credentials: Change your password immediately. Navigate directly to accounts.google.com or account.microsoft.com in your browser — don't click any link from the suspicious email. Enable two-factor authentication if it isn't already on. Review connected apps and revoke access to anything unfamiliar. Check your Sent folder for messages you didn't send.
If you entered a credit or debit card number: Call your card issuer now. Don't wait for a fraudulent charge to appear — calling before a charge posts gives you more options. Most issuers will cancel the card and issue a new one immediately.
If you entered your DocuSign credentials specifically: Log in directly at docusign.com, change your password, and review recent envelope activity in your account.
Not sure what you clicked: Paste the URL into Cautellus to check it against known malicious domains. Then work through the full recovery checklist at what to do after clicking a scam link.
Report the email to DocuSign at verify@docusign.com and to the FTC at reportfraud.ftc.gov.
FAQs
What email domain does DocuSign actually send from?
DocuSign sends automated notifications from @docusign.net and @docusign.com — both are legitimate domains. If the sender address uses anything else, it's definitely not DocuSign. However, a real DocuSign domain doesn't fully clear an email, because scammers can create accounts on DocuSign's platform and use it to send malicious envelopes that technically originate from the real domain.
Can I just check if the email came from the real DocuSign address?
It's a necessary check but not a sufficient one. Spoofed sender addresses are possible, and some attackers use DocuSign's real infrastructure. The most reliable verification is the destination URL of the link in the email — hover over the button before clicking and confirm it goes to docusign.com. If in doubt, log into docusign.com directly to see if a document is waiting.
What happens if I click the link but don't enter anything?
Some phishing pages can attempt to run scripts on load, particularly against older or unpatched browsers. In most cases, clicking without entering credentials is lower-risk but not zero-risk. Run your normal security checks and make sure your browser and system software are current. For a full guide, see what to do after clicking a scam link.
The DocuSign email came from someone I know. Does that mean it's real?
Not necessarily. Scammers compromise email accounts and use them to send phishing to the victim's contact list, because those contacts trust the sender. If you receive an unexpected DocuSign request from a real contact, call or text them separately — on a channel you already have — and confirm they sent it before clicking. Don't reply to the suspicious email to ask.
Will DocuSign ever ask me to log in with Google or Microsoft to see a document?
No. DocuSign's system sends you a direct link to access the document — you may be asked to agree to e-signature disclosure or confirm your identity via email, but not to authenticate through a third-party login service. If the page you land on asks you to "sign in with Google" or similar to view a document, close it. That's credential harvesting.
I think I already fell for this. What do I do first?
Change the password on whatever account credentials you entered — go directly to the service, not through any email link. Enable two-factor authentication on that account if it isn't already on. Contact your bank if payment information was involved. Then review your email's Sent folder to see if anything went out from your account without your knowledge. Full checklist at what to do after clicking a scam link.
You didn't do anything dumb. The email looked real because the people who built it put effort into making it look real, and they timed it for when you were already in a signing mindset. Hover the link, log in directly, and when in doubt — forward it to verify@docusign.com before you click a thing.
Sources: Check Point Research, "40,000 Phishing Emails Disguised as SharePoint and e-Signing Services" (June 2026), via Hackread and eSecurity Planet; Microsoft Threat Intelligence, "Email Threat Landscape: Q1 2026 Trends and Insights" (April 30, 2026); DocuSign Trust & Security, docusign.com/trust/safety-alerts; FTC Consumer Fraud Reporting, reportfraud.ftc.gov.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.