Security That Scales: Our Multi-Pronged Approach to Evolving Threats and Fraud

Author: Michael Adams, Chief Information Security Officer

Summary (5 min read)

By combining advanced threat intelligence, security testing, and rapid-response programs, we continuously strengthen Docusign’s defenses to keep customers and their agreements safe in an ever-evolving digital landscape.

    • Understanding the threat landscape through adversarial eyes
    • Stopping bad actors in their tracks
    • AI-powered threat response

Our approach to security and privacy is a big reason why Docusign is the most widely trusted agreement solution in the world and the most trusted U.S. company in software and communications the last two years running. More than 20 years ago, we came to customers with a new idea to digitize your signature. That idea only works if your agreement retains its biggest value: trust. We had an incredibly high bar to clear — we had to ensure our customers felt safe entering the digital space.

Today, our customers trust us to manage the billions of mission-critical agreements they need to run their business every day. Docusign consistently meets the stringent security requirements of even the most security-conscious organizations, including the world’s largest financial institutions, the U.S. Federal Government, and more than 87% of Fortune 1000 companies.

Maintaining this trust has become more crucial than ever as increasingly sophisticated threat actors expand their reach and impact through tactics such as the industry-wide increase in fraud and phishing. The reality is, the threat landscape is always changing. For example, over the past few years, alongside many of our peers, we’ve seen increasingly sophisticated attempts by bad actors trying to impersonate our brand or use our platform to send fraudulent emails. This isn’t just a blip on the radar — it’s a signal we take seriously.

To that end, we embrace an AI-powered, multi-pronged security approach designed to identify threats on the horizon and combat bad actors in real time. From e-signature to ID Verification and Docusign IAM, we’re constantly re-evaluating our cybersecurity defenses and making improvements to keep our customers — and their agreements — safe. That means not just reacting to threats, but anticipating them.

Understanding the threat landscape through adversarial eyes

With the pace of innovation accelerating almost daily, anticipating how bad actors will leverage those emerging technologies to up their game is crucial. We’ve made a number of investments to enhance our forward-looking understanding of risks and our ability to mitigate them, including expanding our threat intelligence and insider risk mitigation programs. Our offensive security program applies adversarial tactics such as simulated attacks and penetration testing to identify and mitigate risks before they become real-world problems. And we’ve increased our bug bounty investments to more fully leverage the world’s leading security researchers to help us spot potential vulnerabilities and shore up our products and systems.

Stopping bad actors in their tracks

One key area of focus in these efforts is protecting users from bad actors impersonating Docusign. Fraud and phishing is an adversarial game, so we’ve also expanded our Trust & Safety program to create more robust, automated operational workflows to identify and resolve platform abuse issues as quickly as possible.

One of the first lines of defense is making it harder for bad actors to get in the door. We’ve invested in smarter ways to detect suspicious behavior right at the account sign-up stage. If something doesn’t look right, we flag it. We’ve also put controls in place to limit how far someone can get if they do manage to slip through. And when we spot a fraudulent account, we don’t wait around — we automate the suspension process so we can act fast.

As we’ve seen new trends and threats emerge among bad actors, we’ve also rolled out several new security measures to stay one step ahead. For example, we require enhanced authentication for new accounts that hit certain high-risk fraud signals. We’ve decreased the number of times a credit card or bank account can be used to open new accounts — making it much harder for someone to abuse the system with a single payment method — and integrated third-party services to catch sign-up and payment fraud even earlier. 

We’ve upgraded our email delivery systems to better spot and block fraudulent emails before they ever reach your inbox. And today we’re announcing new fraud verification capabilities that allow you to quickly determine whether a Docusign-presenting email is legitimate. Simply forward the suspicious email to verify@docusign.com and we will quickly confirm whether the content is legitimate or contains suspicious material, along with recommended actions.

AI-powered threat response

We’ve developed a comprehensive AI security strategy to leverage best practices and leading tools to protect our products and infrastructure, allowing us to better identify and block bad actors in real time, while making sure we don’t create unnecessary friction for legitimate customers. This includes training and deploying AI models to recognize and remove fraudulent content on the Docusign platform in real time. It’s about being smarter and faster — so our customers can focus on their business, knowing we’re working behind the scenes to keep them safe.

The bottom line is this: Security isn’t a one-and-done project. It’s a continuous process of learning, adapting, and staying one step ahead. At Docusign, we’re committed to doing the hard work — every day — to keep our customers safe at every stage of their agreement journey.
