Where Can Users Report Phishing Using Fake Go/Docusign Links?

This always throws me into action: I immediately mark the email as phishing in my inbox and then forward it to a few places. I send it to my workplace security contact so they can block the sender internally, and I check DocuSign’s official site for their recommended reporting path — companies typically post a security or contact page where they tell you exactly how to submit suspected phishing. If you can’t find a dedicated address, forward the message to whatever abuse or support email they list and say it looks fraudulent.

Beyond the vendor, I report the malicious URL to broad abuse repositories. I forward the mail (with headers) to reportphishing@apwg.org — that one helps security teams collaborate on takedowns. I also paste the URL into Google Safe Browsing’s report form and use Microsoft’s unsafe site reporting if the link targets users on Edge/IE. If there’s a real loss (money or credentials), I don’t hesitate to file a complaint with the relevant national authorities — for U.S. residents that means IC3 and the FTC; elsewhere check your country’s cybercrime reporting portal or CERT. After all of that I change passwords, enable two-factor, and let my contacts know in case they got the same scam. It’s a bit of manual work, but it helps reduce the next wave of phishing.

Okay, quick and practical: don’t click the fake 'go/docusign' link and preserve the message (screenshots and full headers help a lot). Report it inside your email client (Gmail/Outlook have a 'Report phishing' button). Then forward the suspicious email to DocuSign’s official reporting channel — look up their security/contact page for the exact mailbox or web form — and also send the headers and message to reportphishing@apwg.org. I also submit the URL to Google Safe Browsing and Microsoft’s unsafe site report so browsers and search engines can block it. If credentials or money were involved, file a complaint with your country’s cybercrime authority (in the U.S. that’s IC3 and the FTC). Finally, change exposed passwords, enable MFA, run a malware scan, and warn coworkers or friends so the scam doesn’t spread.

If you spot a suspicious 'go/docusign' link in an email, don’t panic — I usually treat it like a live grenade and move fast but careful. First thing I do is not click anything and take screenshots of the email, then save a copy (or forward it) with full headers if possible. Email clients like Gmail and Outlook have built-in 'Report phishing' options — use those right away because they help block the sender for everyone. I also forward the message to my workplace IT or the person who handles security, because if it’s a targeted phishing attempt they’ll want to know and can warn colleagues.

For external reporting, there are a few reliable places I always use. I forward suspicious DocuSign-looking emails to DocuSign’s official reporting channel listed on their website (look for their security or support/contact page for precise instructions) — many companies provide a dedicated mailbox or form to handle phishing reports. I also send the same email (with headers) to the Anti-Phishing Working Group at reportphishing@apwg.org; they aggregate and help block malicious campaigns. From there, I use provider-specific reporting: Google Safe Browsing has a report form for phishing URLs, and Microsoft has a 'Report Unsafe Site' tool; both help get malicious links delisted from browsers and search engines.

If the phishing had financial implications or credential theft, I file complaints with official bodies: in the U.S. I’d use IC3 (ic3.gov) and the FTC (ftc.gov/complaint), and other countries have similar cybercrime reporting centers or national CERTs. Finally, I change any passwords that might have been exposed, enable MFA everywhere, run a malware scan, and keep an eye on accounts for odd activity — better safe than sorry, and sharing what I found with friends or coworkers often stops the next person from falling for the same trick.