Criminals open DocuSign's Envelope API to make BEC special delivery

Business email compromise scammers are trying to up their success rate by using a DocuSign API. The Envelope: create API is designed to let users of the legal signing product automate and speed up document distribution. But it also allows customization – and that combination is, we're told, causing many people to get caught …

  1. CA Dave

    Who is really to blame?

    Even though this is a DocuSign exploit, why are these businesses not verifying who is sending these invoices to them and why? Is someone literally just lazily "pushing a button" to pay them without confirming what they're even for, or worse, writing an automation script that autopays? It seems absurd to begin with to just assume because it comes from DocuSign, that it's all valid without even doing a basic check that it matches a predetermined list of accounts payable with flag checks for amounts deviating from established averages. Nothing should be tedious or "a pain" checking these senders, or that the invoices match work orders.

    It's wild to me that the US Gov can finally start clamping down on bogus 1800% overcharges on things, but corporate America - with its current drive to be what's truly behind "inflation" - gets caught with their pants down.

    Bonus wild points if this is all an inside job with all these "victimized" corps, because unscrupulous employees have determined everything just gets rubber stamped for AP invoices.

    1. Claptrap314 Silver badge

      Re: Who is really to blame?

      Or to put it another way, if a scammer sends a regular letter with an invoice in it, and the company pays, is that a "paper mail exploit"? There is truly almost nothing that DocuSign can do here, besides slamming the door behind each escaped horse.
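The controls CA Dave's comment calls for (an approved accounts-payable list, sender and bank account matching the vendor on file, a work order behind every invoice, and a flag on amounts that deviate from the established average) as an added example, not code from the thread or from DocuSign: the envelope fields, vendor records and payment history below are constructed and simplified, and are not DocuSign's real API schema.

```python
"""Screen an invoice that arrived as a DocuSign-style envelope before it reaches
payment. All vendor, history and envelope data here is constructed sample data."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    sender_domain: str   # domain the approved vendor actually sends from
    bank_account: str    # account held on file in accounts payable


@dataclass(frozen=True)
class Invoice:
    claimed_vendor: str  # display name shown in the envelope
    sender_email: str    # address the envelope was actually sent from
    bank_account: str
    amount: float
    work_order: Optional[str]


# Constructed AP master data and payment history (not real companies).
VENDORS = {"Acme Water Coolers": Vendor("Acme Water Coolers", "acme-coolers.example", "GB00-ACME-0001")}
HISTORY = {"Acme Water Coolers": [410.0, 395.0, 420.0, 405.0, 398.0]}
OPEN_WORK_ORDERS = {"WO-2024-117"}


def screen_invoice(inv: Invoice, vendors=VENDORS, history=HISTORY,
                   work_orders=OPEN_WORK_ORDERS, max_sigma: float = 3.0) -> List[str]:
    """Return the reasons the invoice must be held for manual review;
    an empty list means every check passed."""
    flags = []
    vendor = vendors.get(inv.claimed_vendor)
    if vendor is None:
        return ["vendor not on approved accounts-payable list"]
    # An envelope proves only that some DocuSign account sent it; the sending
    # identity must match the vendor record, not the name typed into the document.
    if inv.sender_email.rsplit("@", 1)[-1].lower() != vendor.sender_domain:
        flags.append("sender domain does not match vendor on file")
    if inv.bank_account != vendor.bank_account:
        flags.append("bank account differs from account on file")
    if inv.work_order not in work_orders:
        flags.append("no matching open work order")
    past = history.get(inv.claimed_vendor, [])
    if len(past) >= 3:
        avg, sd = mean(past), pstdev(past)
        # Flag anything beyond max_sigma of the baseline or 25% of the mean, whichever is larger.
        if abs(inv.amount - avg) > max(max_sigma * sd, 0.25 * avg):
            flags.append(f"amount {inv.amount:.2f} deviates from historical mean {avg:.2f}")
    return flags
```

An empty result is the only outcome that should release a payment; any flag routes the envelope to a human who confirms the invoice out of band with the vendor's known contact.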

  2. John Smith 19 Gold badge
    FAIL

    Shouldn't DocuSign be checking this?

    Create a new account iam.a.scammer@gimmemoney.com, yet issue invoices in the name of (say) a major supplier of water cooler systems.

    Presumably this should be information that changes (on the customer account) very infrequently.

    Because basically the customers are outsourcing their trust to DocuSign.

    IOW right now DocuSign is given the appearance of security without delivering actual security.

    Which I think is the very definition of "Security theatre."

    1. Diogenes8080

      Re: Shouldn't DocuSign be checking this?

      ... creates^W steals, FTFtR. Though I am sure both are true.

      https://trial.docusign.com "Try DocuSign free for 30 days. No credit card required". I don't see how that could possibly go wrong.

      Make it right? Why not try legal liability for frauds conducted from a negligently-secured system? Most regulators who have not been captured should be in favour of that.
