The Alabama Department of Revenue (ALDOR) is warning taxpayers, businesses, and government partners about an active phishing scam involving fraudulent DocuSign messages designed to look as though they were sent by the agency. These deceptive emails closely mimic legitimate DocuSign notifications, including familiar branding, formatting, and wording such as “Alabama Department of Revenue sent you a document to review and sign.” Because the messages appear authentic at first glance, recipients may be more inclined to open them, making the scam particularly dangerous.
Despite their convincing appearance, the messages contain several red flags that indicate they are not from ALDOR. Most notably, they reference suspicious sender domains such as macr2.com, a disposable address commonly associated with spam, fraud, and malicious content. Any communication from the Alabama Department of Revenue will come from official state-controlled domains, not temporary or unfamiliar ones.
If a recipient clicks the embedded “Review Document” button, they are directed to what appears to be the DocuSign platform; however, the link includes hidden malicious components. In some cases, a QR code is also embedded in the message, encouraging the target to scan it as an alternate method of accessing the document. Both the link and QR code are dangerous and can lead to credential harvesting pages, malware installation, or other fraudulent activity. Do not click the link or scan the QR code under any circumstances.
To protect yourself and your organization from this scam:
- Be cautious of emails from disposable or unfamiliar domains such as macr2.com.
- Verify any document-signing requests directly using official ALDOR contact information, not the information provided in the suspicious email.
- Avoid clicking unknown links or opening unexpected attachments, even if the message looks legitimate.
- Manually type official URLs into your browser instead of relying on embedded links.
- Ensure your systems, browsers, and security tools are fully updated to help detect and block emerging threats.
- Report phishing attempts to the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) or the FBI’s Internet Crime Complaint Center (IC3).
By staying vigilant and following these precautions, individuals and organizations can help prevent falling victim to this ongoing phishing campaign.