Queensland Law Society

DocuSign scam warning

DocuSign scam another way to hack solicitor’s email: QLS repeats the warning not to use email alone to arrange trust transfers.

DocuSign is a legitimate electronic signature system which allows registered users to attach verified signatures to soft-copy documents.

QLS has been alerted to a new scam in which a sophisticated group of email hackers is using fake DocuSign links to steal email log-on credentials.

How it works:

  • Your law practice receives a well-written and apparently legitimate email asking you to review contract documents.
  • The documents are purportedly sent “via DocuSign” and “encrypted to your email”. 
  • If you click the link you are prompted to enter your email authentication details.
  • If you do so, the attackers can use the log-on credentials you have just supplied to take over your email.

From that point they can use a simple but effective scheme to divert funds coming to or from your trust account – with devastating consequences for you and your clients. See this link for further information: here

The lesson is twofold:

  1. Be extremely careful about following unsolicited links, and don’t enter password details if you do. Warn staff and conduct internal training.
  2. Other firms and your clients may well have been successfully attacked. Do not rely on email alone when arranging trust transfers; verify the instruction through other forms of contact. Tell your clients and colleagues that you will never instruct them to send funds via email alone.

For our post-attack checklist see: here.