What an exciting day. I got a new scam in my email!

This email claims to be from DocuSign, the popular app for securely signing contracts, agreements, and other sensitive documents. I sign something with DocuSign once every three months or so. It’s a favorite of my insurance agent and insurance agent, so I’m pretty familiar with how it looks.

DocuSign in itself is very secure. Fake DocuSign, not so much.

Let’s take a look at the two documents. First, here’s a real DocuSign request from my real estate agent regarding an offer on a property I sold about six months ago. My agent sent me an email beforehand to let me know the DocuSign request was coming. (I blurred the personal details.)

There are several features to note on this email.

  • The email came from dse_na2@docusign.net. Note that the part after the @ is the real DocuSign website.
  • The email subject line was “Please DocuSign: [name of PDF]”.
  • The email was sent to my email address with my name on it.
  • In the blue area is my agent’s name, which I recognize.
  • There’s a personal message from my real estate agent, with his photo.
  • The security code in the gray part of the email (which I fuzzed out in the image) is rather long.
  • When I hover my mouse cursor over REVIEW DOCUMENT, the URL displayed in the pop-up ends with docusign.net.

Now, here’s the fake email:

Note that:

  • The email was from docusign@nicolettetorres.com. Who the heck is Nicolette Torres?
  • The subject line was: “You received invoice from DocuSign Service”. Not the best English grammar. I’d expect “You received an invoice…”.
  • The email was sent to my email address, with the displayed name YCFABuD0ZKAUOQmCQZCQi. No one has called me that in years!
  • The blue area doesn’t include a name.
  • The message is pretty impersonal. My first name is nowhere in there.
  • The security code in the gray area is shorter than the one in the real email.
  • The big link text says SEE DOCUMENT, not REVIEW DOCUMENT as in the real email.
  • When I hover my mouse cursor over SEE DOCUMENT, the URL displayed in the pop-up is http://tecnopressitaly.it/wp-includes/richard.php. Who the heck is Richard?

If nothing else convinced me this was a fake email, that last point certainly did.

Just for kicks, I checked out nicolettetorres.com, the domain of the “from” email address. The domain is registered to some dude in California. Email addresses can be spoofed, so I can’t be sure that the guy is the one who sent the email. But to be sure, he’s not from DocuSign.

I’m a little afraid to go to tecnopressitaly.it. Who knows what evil lurks there?

If you get an email like this, be sure to check the “from” email and all the other points before clicking. Scammers are getting more inventive all the time! I’m not sure how successful this scam will be. Only time will tell. If I get more emails like this, it means the scammers are having some success and want to try it again. I hope you’re not one of their victims!