PayPal Scam Uses Docusign to Bypass Security


Author: Adam Collins

March 13, 2025

Scammers are like cockroaches: no matter how many times you think you’ve squashed them, they find a way to scuttle back into your life. And lately, they’ve been dusting off an old trick to bypass your email security and steal your hard-earned cash. The latest scheme? A sneaky blend of PayPal phishing and a trusted platform you’ve probably used before: Docusign.

Yes, you read that right. Scammers are now using Docusign—a service designed to make your life easier—to make their phishing emails look legit. It’s like a wolf showing up at your door wearing a sheep’s sweater, complete with a monogram. But don’t worry, we’re here to help you spot the wool being pulled over your eyes.

How the Latest PayPal Scam Works

Here’s the play-by-play: Scammers create a Docusign account and use its templates to send out fake PayPal invoices. Because the emails technically come from Docusign, they slide past most email security filters like a greased-up otter. Once you open the email, you’re greeted with a document that looks like it’s from PayPal, complete with logos and official-sounding language. But here’s the kicker: the email address is a dead giveaway.

As Pieter Arntz, a malware intelligence researcher at Malwarebytes, points out, these emails often come from a random Gmail address—not exactly the kind of thing you’d expect from a billion-dollar company like PayPal. And if you dig a little deeper, you’ll notice other red flags, like the “To” address not matching your email or even existing at all.

Why This Old Trick Still Works

You might be thinking, “This sounds like something from 2010. Why is it still a thing?” Well, scammers are banking on two things: trust and distraction.

First, Docusign is a trusted platform. When you see an email from them, you’re less likely to question its legitimacy. Second, let’s face it—we’re all busy. Who has time to scrutinize every email? Scammers know this and use it to their advantage.

But here’s the good news: this scam is easy to spot if you know what to look for.

Red Flags to Watch For

  1. Suspicious Email Addresses: If the email claims to be from PayPal but comes from a Gmail or other non-PayPal domain, it’s a scam.
  2. No Signature Required: Docusign is for signing documents. If the email doesn’t require a signature, something’s fishy.
  3. Mismatched “To” Address: If the email isn’t addressed to you, it’s not for you.
  4. Pressure Tactics: Scammers love urgency. If the email demands immediate action, take a step back and verify.
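Red flags 1, 3 and 4 can be checked mechanically against a message's headers and text. The sketch below is an added example, not code from the original article; the sample message, the brand-domain list and the urgency phrases are constructed assumptions. Red flag 2 depends on the Docusign document itself and is not covered.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not a real capture); all addresses are made up.
SAMPLE = """\
From: "PayPal Billing" <billing.dept.4471@gmail.com>
To: undisclosed-list@example.net
Subject: Invoice: action required immediately
Content-Type: text/plain

Your PayPal account was charged. Respond within 24 hours to dispute.
"""

BRAND = "paypal"
BRAND_DOMAINS = {"paypal.com"}  # assumption: domains the brand legitimately mails from
URGENCY = ("immediately", "within 24 hours", "urgent", "act now")  # assumed phrase list


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_brand_domain(d):
    # Exact match or a true subdomain; "paypal.com.evil.example" must not pass.
    return any(d == b or d.endswith("." + b) for b in BRAND_DOMAINS)


def red_flags(raw, my_address):
    msg = message_from_string(raw)
    flags = []
    senders = getaddresses(msg.get_all("From", []) + msg.get_all("Reply-To", []))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join([msg.get("Subject", ""), body] + [n for n, _ in senders]).lower()

    # Red flag 1: the message invokes the brand but a sender address is off-brand.
    if BRAND in text and any(not is_brand_domain(domain(a)) for _, a in senders):
        flags.append("sender_domain_mismatch")
    # Red flag 3: the message is not addressed to the mailbox that received it.
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in rcpts:
        flags.append("to_address_mismatch")
    # Red flag 4: pressure wording in the subject, body or display name.
    if any(p in text for p in URGENCY):
        flags.append("urgency_language")
    return flags
```
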

How to Protect Yourself From PayPal Scams

  • Go Straight to the Source: If you receive a suspicious email, don’t click any links. Instead, log in to your PayPal account directly (not through the email) to check for any issues.
  • Verify the Document: If the email includes a Docusign link, head to Docusign.com and enter the document security code manually. If it’s fake, you’ll get an error message.
  • Enable Two-Factor Authentication: This adds an extra layer of security to your accounts.
  • Report Suspicious Activity: If you spot a scam, report it to PayPal, Docusign, and your email provider.

The Bigger Picture: Phishing is Evolving

While this scam might feel like a throwback to simpler times, phishing as a whole is evolving. As Paul Walsh, CEO of MetaCert, points out, the old advice of “look for spelling mistakes” is outdated. Scammers are now crafting well-written, professional-looking messages that are harder to detect.

What’s more, phishing is no longer just an email problem. Scammers are increasingly using SMS, calls, and even social media to target victims. Walsh argues that traditional threat intelligence is no longer enough to combat these attacks, and new solutions—like URL authentication before delivery—are needed to stay ahead of the game.

What PayPal is Doing

PayPal isn’t sitting idly by. The company uses a combination of manual investigations and advanced fraud detection tools to protect users. Together with others, they’ve also launched initiatives like the Smarter Than Scams campaign to raise awareness about common fraud trends.

But here’s the bottom line: no matter how many safeguards are in place, the best defense is you. Stay sharp, trust your gut, and remember: if something feels off, it probably is.

Bottom Line: Be Watchful

Scammers might be turning back the clock, but that doesn’t mean we have to fall for their tricks. By staying informed and following a few simple steps, you can outsmart even the craftiest of fraudsters. So the next time you get an email that smells fishy, don’t take the bait. Instead, be the one who reels in the scammer—by reporting it and moving on with your day, scam-free.

After all, the best way to beat a scammer is to make sure they’re the ones left feeling foolish. And honestly, there’s nothing more satisfying than that.
