I have as well!!!! Did they happen to be posing as Lending club? 

This is the Header info that was in the e-mail. it they made it look like it was sent by Hayes Recruitment.

eturn-Path: <info@egypack.net>
Delivered-To: 9@1565260
Received: from imap-director-7.dovecot.cloudus.ewr.xion.oxcs.net ([10.94.2.8])
    by imap-backend-20.dovecot.cloudus.ewr.xion.oxcs.net with LMTP
    id eF5aEMbq6GXWTgAAr0kAfQ:T114:P1
    (envelope-from <info@egypack.net>)
    for <9@1565260>; Wed, 06 Mar 2024 22:16:15 +0000
Received: from mx.netsol.xion.oxcs.net (n10.94.2.8])
    by imap-director-7.dovecot.cloudus.ewr.xion.oxcs.net with LMTP
    id eF5aEMbq6GXWTgAAr0kAfQ:T114
    (envelope-from <info@egypack.net>)
    for <marketing@flexibleagency.com>; Wed, 06 Mar 2024 22:16:15 +0000
X-original-to: marketing@flexibleagency.com
Received: from nmtai101.oxsus-vadesecure.net (nmtai101.oxsus-vadesecure.net 0147.135.11.53])
    (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
     key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mx.netsol.xion.oxcs.net (Postfix) with ESMTPS id 4Tqmwv5nScz1Q6Hc
    for <marketing@flexibleagency.com>; Wed,  6 Mar 2024 22:16:15 +0000 (UTC)
Authentication-Results: oxsus-vadesecure.net; iprev=pass ip=217.76.57.242;
 spf=Pass client-ip=217.76.57.242 smtp.mailfrom=info@egypack.net;
 dkim=pass;
 dmarc=none action=no policy;
 arc=none;
Received-DKIM: Success
Received-SPF: Pass
X-VadeSecure-Originating-IP: 217.76.57.242
X-VadeSecure-Malware: Clean
X-VadeSecure-Verdict: clean
X-VadeSecure-Status: clean
X-VadeSecure-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheekucdltddurdegvdekrd
 dttddmucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuhgfgueevqffopdggtfgfnhhsuhg
 sshgtrhhisggvnecuuegrihhlohhuthemuceftddunecuogetfedtledqtdefucdlvddtmdenucfj
 ughrpefkhffvufffrffogggtsegrtdhjreertdejnecuhfhrohhmpedfjfgrhihsfdcuoehinhhfo
 hesvghghihprggtkhdrnhgvtheqnecuggftrfgrthhtvghrnhepgeffvefgvdeujedugefgueegve
 fgfeeuhfdvhfekueefveefuddvkeevtefhleegnecuffhomhgrihhnpehrvgihrgdrtghomhdrrgh
 updguohgtuhhsihhgnhdrnhgvthdpughotghushhighhnrdgtohhmnecukfhppedvudejrdejiedr
 heejrddvgedvpdejledruddvuddrudeirdduiedvnecuvehluhhsthgvrhfuihiivgeptdenucfrr
 ghrrghmpehinhgvthepvddujedrjeeirdehjedrvdegvddphhgvlhhopehsvghrvhgvrhdrrghlug
 gvlhhtrgdrnhgvthdpmhgrihhlfhhrohhmpehinhhfohesvghghihprggtkhdrnhgvthdpnhgspgh
 rtghpthhtohepuddprhgtphhtthhopehmrghrkhgvthhinhhgsehflhgvgihisghlvggrghgvnhgt
 hidrtghomhdpmhhouggvpehsmhhtphdpghgvthdqufgrfhgvfghnshhusghstghrihgsvgdpghgvo
 hfkrfepuggvpdhsphhfpehprghsshdpughkihhmpehsuhgttggvshhs
X-VadeSecure-Score: 20
X-VadeSecure-SID: 808bc99b-17ba4cbac70981e6
X-VadeSecure-Dom: oxcloud-us-2
Received: from server.aldelta.net (m217.76.57.242])
 by oxsus1nmtai01p.internal.vadesecure.com with ngmta
 id 808bc99b-17ba4cbb15017ab2; Wed, 06 Mar 2024 22:16:15 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=egypack.net
    ; s=default; h=Content-Type:MIME-Version:Date:Subject:To:From:Message-ID:
    Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=f+C6XZSbJZi+MzygVZOMANADuxSw3TzRFutRzas06lM=; b=idYT+LC1Dmcxudga2PFzZhomAZ
    gi6ZY/TDJReqH0bsHNtttQDwdoR+a8BzYf48hQrRf4/37KCkyG3cmQduQX65jnIqUIMwtDn1EbWJU
    0IeBo9B4C9c5BM7E1aohuUNjnzHlHd12NgHpHXrGJL1rOdm1JbjHWrdKUZXYqSFIlXIUwP8QLg5vg
    KwxVBLQV241/keAuw3hIlIT9eVr3gLIKgcZAly8/8ln1W6NkoK0o2ejEI5ol1Vk11AF2Jf8BiNFK0
    bWsRNZT94v2v6z8je2LrXz2pQ68qPN91TIUhmquKdWSKlXWjF3dT2L2oKlVpr6v2nL7mstM2SBDFd
    4R0/D0ew==;
Received: from host-79-121-16-162.kabelnet.hu (279.121.16.162]:24714 helo=LRUIKBBG)
    by server.aldelta.net with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.96.2)
    (envelope-from <info@egypack.net>)
    id 1rhzYc-007atm-29
    for marketing@flexibleagency.com;
    Thu, 07 Mar 2024 00:16:13 +0200
Message-ID: <cdd73bf0b8a156cc1b92cdee051da7e5@egypack.net>
From: "Hays" <info@egypack.net>
To: <marketing@flexibleagency.com>
Subject: Alert: Important Documents in Internal Inbox
Date: Wed, 06 Mar 2024 14:16:09 -0800
X-Priority: 3
X-Mailer: LRUIKBBG
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="67aeaead2cc2e6404f0f70280006d490"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.aldelta.net
X-AntiAbuse: Original Domain - flexibleagency.com
X-AntiAbuse: Originator/Caller UID/GID - a47 12] / t47 12]
X-AntiAbuse: Sender Address Domain - egypack.net
X-Get-Message-Sender-Via: server.aldelta.net: authenticated_id: info@egypack.net
X-Authenticated-Sender: server.aldelta.net: info@egypack.net
X-Source: 
X-Source-Args: 
X-Source-Dir: 
 

Hi @MJFLEXIBLE !
You can report fraudulent activities directly from the platform (check first article below) or forward immediately to spam@docusign.com and then delete the email. Please check these articles for more information:

• Report Fraudulent Activities
• What should I do if I receive a suspicious email?

Thank you i forwarded the email to the spam e-mail address provided.

Thanks for your help!
Based on your report and that of other people, DocuSign will analyze it and may take some actions.

Hello @MJFLEXIBLE ,

If you found the provided response to be a useful solution to your question, please mark it as the best answer by clicking “Select as Best” to make it easier for other users to find.

Best regards,

Nathaly | DocuSign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!

I received a scam docusign request, then received a scam notice that the document was signed and an email to save the docusign for my records.  I never clicked to open the document.  I clicked on the “report illegal activity” button in all three of the emails.  Is there anything else I need to do?

There was information in the click to save email that said I had completed a document to agree to buy something that cost $399. USD.  

Does anyone have advice on what I need to do?

The sender of my scam email was dse@eumail.docusign.net with a name of Frederick. Stewart, jocktmp+ypghu@gmail.com with a scam company name NORT O N 360 ADVANCED.    

Transaction. DATE 2024-06-07.  Does anyone know where to report a scam in my Docusign account?

Thank you!

Hello @DespinaY , 

Thank you for reaching out here in the DocuSign Community. 

I understand you are suspicious of receiving fraudulent emails.

We appreciate you making us aware of bad actors using the DocuSign product inappropriately. Our Security teams have created an Incident Reporting guide on our Trust site.

Please click the link below for up-to-date information on how to let Security know about   phishing or fraud attempts: https://www.docusign.com/trust/security/incident-reporting  

There is also the “Combating Phishing: A Proactive Approach” whitepaper available here: https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf 

Let us know if you need further assistance with this.

Best regards, 

Nathaly | DocuSign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue!

FYI:  This scammer succeeded in forging and completing a signature on a document that he sent to me.   It showed up in my completed documents folder,  I then opened it from my folder and saw the forged signature.  The document is a fake Symantec Norton antivirus invoice.

Given the discussion about email phishing, this could be a great resource (or refresher) for folks looking to catch such emails — whether they involve fake DocuSign templates or credentials or not:

https://ishrs.org/spot-email-scams/

An invoice, that I never opened was sent to my completed documents folder in my Docusign account with a forged signature on it.   

The case I opened was not for suspicious activity, it was for completely illegal activity.   The whole point of docusign is to be a trusted source to complete document transactions and this incident accomplished the exact opposite of that with no interaction from me.

Hello @DespinaY , 

Thank you for reaching out here in the DocuSign Community. 

I’m sorry to hear about the unfortunate events that took place with the documents, I do recommend you create a support case to report the issue and contact the email mentioned in the article provided in my previous post.

Let us know if you need further assistance with this.

Best regards, 

Nathaly | DocuSign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue!

I too received an email claiming I completed a Docusign document with an invoice for $399.69, AND the “completed” document is IN MY ACCOUNT!!!!   I am unable to get to a place that offers “Report Abuse” via any link available in connection to that FRAUDULENT completed document in my account.  I have sent 2 separate complaints to the security@docusign.com reporting address, and 1 separate complaint to the spam@docusign address, as directed on your website.  I have heard NOTHING and this FRAUDULENT “completed” document (THAT I NEVER SIGNED) remains in my account register.  Please do something about this.  It is EXTREMELY alarming that a fraudulent document was processed by Docusign and is sitting in my account and nothing is being done about it.  Yes, I’m upset, and this is the 5th or 6th time I have visited the site trying to get this resolved.