Document signature phishing (also called e-signature phishing) is a cyberattack in which criminals misuse trusted e-sign platforms like DocuSign or Adobe Acrobat Sign to trick people at small and mid-sized businesses. They send fake emails asking you to “review” or “sign” a document; the message contains malicious links or attachments designed to steal sensitive information (such as passwords or bank details) or install malware on your device.
How does Document Signature Phishing Work?
The attacker pretends someone “sent you a document to review/sign” to lure you to a fake login page (often Microsoft 365 or Google) and steal your account credentials.
What does a phishing email look like?
- The email appears to come from your company, for example from HR, Finance, or IT
- Often uses urgency (e.g., “Urgent” or “Action required”) to rush you
- May look like it was sent by a known vendor, client, or business partner
- Uses your company branding or the branding of signature providers (e.g., DocuSign, Adobe, Google, SharePoint)
- The fake page often says “Sign in to view the document,” then captures your username and password and sometimes your MFA code
- The email often includes a link via a legitimate service (e.g., Google Drive/Docs or Microsoft 365 domains) that then redirects to a fake site
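The indicators listed above can be checked mechanically on incoming mail. The following is an added example, not code from the original article or from any e-sign vendor: it scores a message on brand-name/sender-domain mismatch, urgency wording, a Reply-To that differs from the sender, and "document" links hosted somewhere other than the provider the message claims to be from. The brand-to-domain allow-list, the organization domain `example.com`, and the two sample messages are constructed for illustration; a real deployment would maintain its own list of the services the company actually uses.

```python
"""Score e-signature lure indicators in email metadata (constructed sample data)."""
import re
from email.utils import parseaddr

# Assumed allow-list: which sending domains are legitimate for each brand name.
# Illustrative only; maintain your own list for the services you really use.
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "adobe sign": {"adobesign.com", "adobe.com"},
    "acrobat sign": {"adobesign.com", "adobe.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
}
URGENCY = re.compile(
    r"\b(urgent|action required|immediately|expires? today|final notice)\b", re.I
)


def registrable(domain: str) -> str:
    """Crude registrable domain (last two labels); sufficient for the sample data."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def score_message(msg: dict) -> dict:
    """Return the indicator hits and a total score for one message dict."""
    hits = []
    display, addr = parseaddr(msg.get("from", ""))
    from_domain = addr.rpartition("@")[2].lower()
    subject, body = msg.get("subject", ""), msg.get("body", "")
    text = f"{display} {subject} {body}".lower()

    # 1. A known e-sign brand is named, but the sender is not that brand's domain.
    mentioned = [brand for brand in BRAND_DOMAINS if brand in text]
    for brand in mentioned:
        if registrable(from_domain) not in BRAND_DOMAINS[brand]:
            hits.append(f"brand '{brand}' used but sender domain is {from_domain}")

    # 2. Pressure wording in subject or body.
    if URGENCY.search(subject + " " + body):
        hits.append("urgency language")

    # 3. Replies are steered to a different domain than the one that "sent" the mail.
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        hits.append("reply-to domain differs from sender domain")

    # 4. The "document" link lives on a host that is not the claimed provider
    #    (e.g. a generic file-sharing service used as a redirect hop).
    for host in re.findall(r"https?://([^/\s]+)", body):
        if mentioned and not any(
            registrable(host) in BRAND_DOMAINS[b] for b in mentioned
        ):
            hits.append(f"link to {host} is not hosted by the claimed provider")

    return {"hits": hits, "score": len(hits)}


# Constructed sample messages: one lure, one legitimate notification.
SAMPLES = [
    {
        "from": "DocuSign <notify@secure-docs-review.net>",
        "reply_to": "signing@mail-relay.biz",
        "subject": "Action required: Document ready for signature",
        "body": "Review and sign here: https://drive.google.com/file/d/CONSTRUCTED",
    },
    {
        "from": "DocuSign <dse@docusign.net>",
        "subject": "Please review: Contract Q3",
        "body": "Open the envelope: https://na3.docusign.net/Signing/CONSTRUCTED",
    },
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = score_message(sample)
        print(sample["subject"], "->", result["score"], result["hits"])
```

Run as-is, the lure scores 4 (all four indicators) and the legitimate notification scores 0. The scorer is deliberately simple: a brand name in the display name with an unrelated sender domain is the single strongest signal here, and a mail gateway can apply the same test to the raw `From:` header before any user sees the message.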
What are Attackers After, and What Happens if You Click?
- Immediate mailbox access: searching your inbox and setting up auto-forwarding
- Internal spread: emails sent from your account to coworkers or vendors
- Invoice scams: swapping bank details in active threads, urgent payment requests
Account Takeover (Microsoft 365 / Google Workspace)
- Fake login pages capture your email, password, and sometimes your MFA code
- With your credentials, attackers sign in and control your account
Business Email Compromise (BEC)
- After getting mailbox access, they create rules to auto-forward or hide messages
- They search emails and files for sensitive info—contracts, invoices, payroll
- They run invoice fraud by changing bank routing and account numbers
- They send more phishing “from your account” to increase trust and spread
How to Protect Against Phishing Emails - Quick Response and Prevention
What to do immediately
- Immediately change your password on any affected accounts, sign out of all active sessions, and review/remove inbox rules and forwarding settings.
- Contact your company’s email admin or IT support right away to suspend or lock the account.
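The inbox rules an attacker creates after mailbox access (auto-forwarding and hiding messages, as described under Business Email Compromise above) are also the rules to look for when reviewing a compromised account. The following added example, not code from the original article, triages a mailbox's rules from an exported list. The field names mirror the properties of Exchange Online's `Get-InboxRule` output (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, and so on), but the rule data, the organization domain `example.com`, and the keyword and folder heuristics are constructed for illustration.

```python
"""Triage mailbox inbox rules for forwarding and message-hiding behaviour."""

# Assumed organization domain; any forward/redirect outside it is external.
ORG_DOMAIN = "example.com"

# Heuristics (assumptions): folders attackers commonly use to park hidden mail,
# and subject keywords that suggest a rule is watching for finance/security mail.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                "conversation history", "deleted items"}
WATCH_WORDS = {"invoice", "payment", "wire", "password", "phish", "hacked",
               "suspicious", "bank"}


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage_rule(rule: dict) -> list:
    """Return a list of findings (empty when the rule looks benign)."""
    findings = []

    # External forwarding/redirection in any of the three forwarding actions.
    for action in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(action) or []:
            if _domain(addr) != ORG_DOMAIN:
                findings.append(f"{action} to external address {addr}")

    # Rules that make mail disappear from the owner's view.
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDE_FOLDERS and rule.get("MarkAsRead"):
        findings.append(f"moves mail to '{rule['MoveToFolder']}' and marks it read")

    # Rules keyed on finance or security-alert vocabulary.
    words = (rule.get("SubjectContainsWords") or []) + \
            (rule.get("SubjectOrBodyContainsWords") or [])
    matched = sorted({w for w in words if w.lower() in WATCH_WORDS})
    if matched:
        findings.append(f"filters on sensitive keywords {matched}")

    # Attacker-created rules are often named with a single character or dot.
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("rule name is blank or a single character")

    return findings


def triage_rules(rules: list) -> dict:
    """Map rule name -> findings for every enabled rule that has any finding."""
    report = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        findings = triage_rule(rule)
        if findings:
            report[rule.get("Name", "<unnamed>")] = findings
    return report


# Constructed sample export: one attacker-style rule, two ordinary ones.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-drop.example.net"],
     "DeleteMessage": True, "MarkAsRead": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment"]},
    {"Name": "Newsletter to folder", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["Weekly digest"]},
    {"Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ["assistant@example.com"]},
]

if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES).items():
        print(repr(name))
        for f in findings:
            print("  -", f)
```

On the sample export only the rule named "." is reported, with four findings; the internal copy to an assistant and the newsletter filter pass. In an incident this is the list to work through with the email admin: disable or delete the flagged rules, then check tenant-level forwarding settings, since the same outcome can be configured outside the mailbox's own rules.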
What prevention looks like — process and technology
- Never open a “document” from a link in an email; instead, use the file attachment and confirm the file is actually attached.
- Verify “urgent” requests using another channel (phone call, Microsoft Teams, Slack).
- Don’t use email for approvals or signatures; use approved e-signature or workflow tools.
- Employee training and phishing simulations: Make sure staff know the official apps your company uses so they can recognize what HR or other departments would legitimately send.
- Technical controls such as MFA (multi-factor authentication), SPF, DKIM, DMARC, and anti-phishing filters at the mail server or email security gateway.
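SPF, DKIM and DMARC only help if the published records are strict enough to act on. The following added example, which is not from the original article, grades a domain's records and shows a weak configuration beside its corrected form. The DNS answers are constructed strings for a fictional `example.com` (the DKIM public key is a placeholder), so the block runs offline; in practice the same checks run over records fetched from a resolver.

```python
"""Grade SPF, DKIM and DMARC TXT records: weak configuration vs. corrected one."""

# Constructed TXT answers for a fictional domain (no DNS lookups performed).
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com ?all",
    "_dmarc.example.com": "v=DMARC1; p=none",
    "selector1._domainkey.example.com": "",          # selector not published
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf: str) -> list:
    if not spf.startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for you"]
    terms = spf.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends with +all: every sender on the internet passes"]
    if qualifier == "?":
        return ["SPF ends with ?all: unlisted senders are neutral, not rejected"]
    if qualifier == "~":
        return ["SPF ends with ~all (softfail): acceptable with DMARC, -all is stricter"]
    return []  # -all


def dmarc_findings(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures trigger no policy"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: failures are only reported, never acted on")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua: you receive no aggregate reports")
    return findings


def dkim_findings(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return ["DKIM selector missing or revoked (empty p=): messages cannot be verified"]
    return []


def assess(records: dict, domain: str, selector: str) -> list:
    """Collect all findings for a domain; an empty list means nothing to fix."""
    return (spf_findings(records.get(domain, ""))
            + dkim_findings(records.get(f"{selector}._domainkey.{domain}", ""))
            + dmarc_findings(records.get(f"_dmarc.{domain}", "")))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, "->", assess(recs, "example.com", "selector1") or ["OK"])
```

The weak set yields four findings (neutral SPF, missing DKIM selector, monitoring-only DMARC, no reports); the hardened set yields none. Moving from `p=none` to `p=quarantine` or `p=reject` is the step that actually blocks spoofed mail claiming to be from your domain, and `~all` is a reasonable intermediate SPF setting while the list of legitimate senders is still being confirmed.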