Phishing Campaign Exploits DocuSign API to Authorize Payment of Fake Invoices

by Ryan Coyne | Nov 22, 2024

The healthcare and public health (HPH) sector has been alerted to an ongoing phishing campaign that uses the DocuSign e-signature platform to impersonate well-known companies. The goal of the campaign is to trick company staff into forwarding bogus invoices to their billing department, where they are authorized for payment.

Researchers at Wallarm discovered the campaign at the beginning of December. The threat actor does not appear to be focusing on any particular industry, but the Health Sector Cybersecurity Coordination Center (HC3) has issued a sector warning because the activity is likely to affect the HPH sector, which has previously been targeted in identical bogus-invoice phishing campaigns.

According to the researchers, the attacker uses the DocuSign Envelopes API to create and mass-deliver bogus invoices that appear to be sent by businesses such as Norton and PayPal. The invoices look genuine and quote accurate pricing for the products. For example, one invoice was created for the Norton LifeLock 360 all-in-one security suite: the $298 total consisted of $249.00 for a 1-year, 2-user subscription plus an extra $49.00 activation fee. The researchers intercepted other emails that included direct wire instructions or purchase orders. The attacker's aim is to get the recipient to e-sign the invoice and forward it to the billing department for payment.

Because the documents are delivered through the genuine DocuSign platform, the emails look legitimate and are unlikely to be blocked or flagged by email security software: they originate from a reputable service and contain no malicious hyperlinks or file attachments. Since these emails will probably reach end users, scam awareness needs to be raised through security awareness or HIPAA training. Staff must be told to scrutinize every email they receive and to be skeptical of any unusual invoice request.

The sender's email address and any associated accounts must be checked for legitimacy, and staff should watch for small irregularities in the email, such as a last name written without a capital letter. If the sender of the DocuSign envelope is not recognized, or the message looks suspicious, users should look for the unique security code at the bottom of the DocuSign envelope notification email. If it is not there, do not click any link or open any attachment, and delete the email.

Healthcare organizations must also enforce strict policies and procedures for authorizing purchases and payments, and, where possible, those checks should involve several team members. A suspicious email that appears to come from DocuSign should be forwarded to spam@docusign.com and then deleted.
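The checks described above (sender domain, presence of the DocuSign security code, irregular capitalization in the sender name, and invoice content that pushes for payment) can be scripted as a first-pass triage for a mailbox or a help-desk queue. The following Python is an added example for this article, not code from Wallarm, HC3 or DocuSign. It assumes that genuine notifications come from the docusign.net or docusign.com domains and carry a 32-character hexadecimal security code; both assumptions should be confirmed against DocuSign's own documentation. The sample messages are constructed for the example.

```python
"""First-pass triage of DocuSign-style notification emails.

Added example: the sender domains, the security-code format and the
sample messages below are assumptions/constructed data, not facts from
the advisory. Adjust them to your own verified observations.
"""
import re
from dataclasses import dataclass, field

# Assumption: domains from which DocuSign sends envelope notifications.
DOCUSIGN_SENDER_DOMAINS = {"docusign.net", "docusign.com"}

# Assumption: genuine notifications carry an "Alternate Signing Method"
# block containing a 32-character hexadecimal security code.
SECURITY_CODE_RE = re.compile(r"security code[:\s]*([0-9A-F]{32})\b", re.I)

# Payment lures the advisory associates with this campaign's invoices.
LURE_PATTERNS = [re.compile(p, re.I) for p in
                 (r"\bwire\b", r"\bpurchase order\b", r"\bactivation fee\b")]


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def split_from_header(from_header):
    """Return (display_name, address) from a From: header value."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>\s*$", from_header)
    if m:
        return m.group(1).strip('" '), m.group(2)
    return "", from_header.strip()


def lowercase_name_words(display_name):
    """Words in the envelope sender's name that start lowercase ('smith', not 'Smith')."""
    name = re.sub(r"\bvia DocuSign\b", "", display_name, flags=re.I)
    return [w for w in re.findall(r"[A-Za-z]+", name) if w[0].islower()]


def triage(from_header, subject, body):
    """Apply the advisory's checks and return a Verdict with human-readable reasons."""
    reasons = []
    name, addr = split_from_header(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in DOCUSIGN_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not a DocuSign notification domain")
    if not SECURITY_CODE_RE.search(body):
        reasons.append("no DocuSign security code in message body")
    odd = lowercase_name_words(name)
    if odd:
        reasons.append("uncapitalised words in sender name: " + ", ".join(odd))
    text = f"{subject}\n{body}"
    lures = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if re.search(r"\binvoice\b", text, re.I) and lures:
        reasons.append("invoice with payment lure(s): " + ", ".join(lures))
    return Verdict(suspicious=bool(reasons), reasons=reasons)


# Constructed sample messages (from_header, subject, body).
SAMPLES = {
    "legit": (
        "Acme Billing via DocuSign <dse@docusign.net>",
        "Please DocuSign: Services Agreement",
        "Alternate Signing Method\nVisit DocuSign.com, click Access Documents, "
        "and enter the security code: " + "A" * 32 + "\n",
    ),
    "invoice_lure": (
        "norton billing via DocuSign <dse@docusign.net>",
        "Invoice #4471 for Norton LifeLock 360",
        "Invoice total $298.00 (1 year, 2 users $249.00; activation fee $49.00).\n"
        "Please e-sign and forward to accounts payable for wire payment.\n"
        "Alternate Signing Method: security code: " + "B" * 32 + "\n",
    ),
    "spoofed_sender": (
        "DocuSign <notify@docusign-secure.example>",
        "Document ready for signature",
        "Please review the document at the link below.\n",
    ),
}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        v = triage(*msg)
        print(f"{label}: {'SUSPICIOUS' if v.suspicious else 'ok'}")
        for r in v.reasons:
            print("  -", r)
```

Note that the second sample passes the domain and security-code checks because the campaign sends its envelopes through the real DocuSign platform; it is caught only by the name-capitalization and invoice-content heuristics, which is why those user-facing checks matter even when the infrastructure is genuine. The capitalization check will produce false positives for names that are legitimately lowercase (for example "van der Berg"), so treat the output as a prompt for human review rather than an automatic block.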


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
