How Docusign CISO Michael Adams plans to push back against fraud
Adams says security and trust are “central” to how the SaaS provider builds products.
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
There’s something strange in your inbox. It says it’s from a popular e-signature company, but something’s not right. Who you gonna call?
While the Ghostbusters may not be the most appropriate responder for this particular predicament, Docusign has rolled out a new line of defense: an official email that confirms the legitimacy of any forwarded Docusign email in two hours or less.
Docusign debuted the support email in early November. Michael Adams, CISO and group VP of the software company, told IT Brew it’s crucial for the company to have a “sophisticated, forward-looking, effective approach” to security and privacy. Adams joined Docusign from Zoom in April of this year.
He added that Docusign has created a centralized “trust and safety team,” composed of security analysts, developers, and other professionals within the company.
Bad sign. Docusign’s new fraud capability comes as malicious actors continue to leverage the software company in their social engineering attacks. Ensar Şeker, CISO at threat intelligence company SOCRadar, said bad actors are luring victims, who no longer click random links, by hiding malware inside services they already trust. For some, this means sending a fake Docusign email with identical branding that links to a credential harvesting page. For others, it means compromising real Docusign accounts to spread malicious links.
“Docusign is one of those perfect targets because the brand is so deeply associated with legitimacy: contracts, HR process, [and] real estate compliance,” Şeker said, adding that the current nefarious uses of Docusign by threat actors are just an evolution of “classic trust abuse problems.”
Şeker said software vendors whose products are being misused by malicious actors have a growing role in building strong verification layers. He called Docusign’s fraud verification email a “pragmatic move.”
“They are meeting users at the moment of uncertainty and those moments are usually the exact point where phishing either succeeds or fails,” Şeker said.
Şeker added that while some vendors are slowly starting to create “trust checkpoints” similar to Docusign’s latest capability, it has yet to become a widespread industry trend.
“It is the kind of safeguard we want to see more providers build into their platforms as impersonation and trust abuse continue to escalate,” he said.
Join the club. The verification email joins Docusign’s other efforts to tackle fraud involving its product, according to Adams, who said the SaaS provider is currently leveraging AI-powered tools and real-time risk scoring to try to get ahead of fraud attempts.
“What we saw were those targeting free trial paid plans were particularly susceptible in this space,” Adams said. “This is where some of this real-time risk scoring and automated blocking is particularly helpful.”
Adams added that Docusign debuted a new online “safety center,” a resource Docusign users can tap to remain up-to-date on ongoing threat tactics.
“They can understand the threats that are out there. They can understand how they can protect themselves, but also what we can do to support them when they face some of these challenges,” he said.