A “Signature Task Assignd” email claims you have a document waiting for your e-signature, often an engagement letter, invoice, or tax form. It looks like a routine client portal notification and may warn that the link expires in 12 hours.
In many cases, it is not a legitimate signing request. It is a phishing attempt designed to steal your email or account credentials, then use that access to hijack payments, reset passwords, and target your contacts.
Scam Overview
What the “Signature Task Assignd” email really is
The “Signature Task Assignd” email scam is a credential theft attack that impersonates an e-signature workflow.
The message typically claims:
A document is waiting for your signature (often an “Engagement Letter,” “Invoice,” “Tax Document,” “Contract,” or “Policy Update”)
A person is requesting your signature (often described as your “practitioner,” “account manager,” “HR,” or “legal” contact)
You must click a button to eSign
The link expires soon, often in 12 hours, to create urgency
You should not forward the email “for security purposes,” which discourages you from asking someone for a second opinion
A classic example of this format is: a business name at the top, a subject-like banner that says “Signature Task Assignd,” a practitioner name, a document title (like a yearly engagement letter), an “eSign now” button, and an expiration warning.
The scammers are leveraging familiarity. E-signing is normal. Expiring links are normal. Engagement letters are normal. The design looks like something you might receive from a real client portal.
But the key detail is that the email is not coming from the real organization, and the “eSign” button does not take you to a secure signing portal. It takes you to a phishing page designed to capture your login.
Why this scam is spreading
This campaign is effective for three reasons.
First, e-signature requests are common across many industries. Accounting, payroll, insurance, real estate, and legal services use them constantly. That gives scammers a believable cover story.
Second, the action is simple. One button. One click. Minimal thinking. Phishing works best when the “next step” feels routine.
Third, the prize for the attacker is huge. A single stolen email login can lead to:
Password resets for your bank, PayPal, cryptocurrency exchange, or shopping accounts
Access to private documents and sensitive attachments
Contact lists that can be used to spread more phishing
Invoice fraud where scammers redirect upcoming payments
Identity theft using personal data found in your inbox
In short, the scam is not about one person clicking one link. It is about turning one click into a chain reaction.
What happens after they get your email access
Most victims assume the worst case is a stolen password. In reality, that is only the beginning.
Once scammers get into an email account, they often do several things quickly:
Search for keywords like “invoice,” “wire,” “payment,” “ACH,” “tax,” “payroll,” “purchase,” “QuickBooks,” “DocuSign,” “contract,” or “statement”
Set up hidden mail forwarding rules so copies of messages silently go to the attacker
Create mailbox rules that auto-archive or auto-delete security alerts
Use your mailbox to send believable phishing to your contacts
Attempt to access cloud storage accounts tied to your email, like Google Drive, OneDrive, or Dropbox
Attempt to reset passwords on other services using “Forgot password”
If you run a business, the risk gets bigger. Attackers specifically look for:
Billing conversations
Vendor payment instructions
Bank account details
Ongoing deals or orders they can hijack
This is how a simple “signature task” email turns into a costly financial attack.
Why the email often includes obvious mistakes
The phrase “Signature Task Assignd” looks wrong, and that is not a coincidence.
Many phishing emails include small errors like:
“Assignd” instead of “Assigned”
Awkward phrasing like “needs you to eSign the following document”
Inconsistent capitalization
Generic greetings, or a greeting that does not match your real name
A company name that appears legitimate but does not match the sender domain
Some scammers are simply sloppy. Others intentionally leave mistakes to filter for more impulsive victims. If you overlook a clear typo, you might also overlook other warning signs, like a strange website address.
Common themes and document lures
These scams tend to use document titles that feel plausible and time-sensitive. Examples include:
“2026 Engagement Letter”
“Updated Terms of Service”
“Payroll Adjustment Form”
“Direct Deposit Change”
“Invoice Due”
“Refund Confirmation”
“Tax Return Authorization”
“Contract Amendment”
“Policy Acknowledgment”
Scammers rotate these lures constantly. Your email might not say “engagement letter” at all. The structure stays the same, but the document name changes to match different targets.
Who gets targeted
Almost anyone can receive these, but certain groups are targeted more heavily:
Small business owners and managers
Freelancers and contractors
People who work with accountants, bookkeepers, or payroll services
People in HR, finance, or operations roles
Anyone who signs documents for work remotely
If you have ever signed something online, you are a viable target.
What makes the email look legitimate
These messages often mimic real portal notifications and use formatting tricks like:
A centered design with clean margins
A bold header and a clear call-to-action button
A footer with an address and a phone number
A note about using a “Client Portal mobile app”
A watermark across the message, suggesting it came from a branded system
Some even include a real business’s name, address, and phone number copied from public sources. That does not make the email authentic. It only means the scammers did their homework.
The most important thing to understand
The “Signature Task Assignd” email is not a harmless spam message.
It is a deliberate attempt to trick you into giving away:
Your email password
Your Microsoft 365 or Google Workspace login
Your multi-factor authentication code, in more advanced versions
Your personal details, if the form asks for them
If you treat it as a real signing request, you are giving the attacker exactly what they need.
How The Scam Works
Step 1: The scammer picks a believable “sender identity”
The attacker starts by choosing an identity that will not raise immediate suspicion.
The most common impersonations include:
Accounting and tax firms
HR departments
Legal offices
Property management companies
Vendors and suppliers
Payroll or benefits administrators
The scam often works best when it sounds like something you might receive during normal business.
Even if you have never heard of the company name in the email, the message is designed to make you think, “Maybe my accountant uses this portal,” or “Maybe this is for a service my workplace uses.”
Step 2: They deliver the email using mass sending tactics
These campaigns are usually sent at scale.
Attackers may use:
Compromised email accounts that already have a good reputation
Lookalike domains that resemble a real portal provider
Bulk mailing systems that rotate sender addresses
Spoofed display names that hide the real email address
Sometimes the “From” name looks trustworthy, while the actual sender address is clearly unrelated. Many people do not check the address. They see the friendly name and click.
Step 3: The message creates urgency and routine at the same time
Signature Task Assignd scam email reads as follows:
Re: Signature Task Assignd From: Accounting Creek HR
Signature Task Assignd
Hi xxxxx@xxxxxx.xx,
Your practitioner, Lynn Kasper, needs you to eSign the following document.
2026 Engagement Letter (xxxxxx.xx)
Please click the button below to sign, and provide your practitioner with the necessary information. This link will expire in 12 hours.
For security purposes please DO NOT forward this email. eSign now Victory Creek Accounting
Step 4: The button sends you to a phishing page
When you click “eSign now,” you are typically sent to one of these destinations:
A fake Microsoft 365 login page
A fake Google login page
A fake “Document Viewer” page that asks you to sign in to view the file
A compromised website hosting a phishing kit
A file-sharing style page that looks like OneDrive, SharePoint, or Google Drive
In many cases, the first page is a decoy “document” screen. It may show a blurred file preview and a login box.
This is intentional. It tells you, “This is a protected document, sign in to view.” People comply because protected documents are normal in business contexts.
Step 5: The scammer captures your credentials
If you enter your email address and password, the page submits it directly to the attacker.
From your point of view, one of several things might happen next:
It “loads” and says the document is unavailable
It refreshes and asks you to log in again
It redirects you to the real Microsoft or Google site so it looks like a glitch
It downloads a harmless PDF to distract you
This confusion is a feature, not a bug.
If the page asks you to log in twice, that can help the attacker confirm they captured the correct password. Many victims assume they mistyped the first time and try again.
Step 6: In advanced versions, they steal your multi-factor code too
Not all phishing is simple credential capture.
More advanced attackers use “reverse proxy” phishing tools that can:
Show you a live copy of the real login page
Pass your credentials to the real service in real time
Prompt you for your multi-factor code
Capture the session cookie after you successfully authenticate
If this happens, the attacker may be able to access your account even if you have multi-factor authentication enabled.
This is one reason you should treat any suspicious login attempt seriously, even if you “have 2FA.”
Step 7: They take over your email and lock you out
Once inside, the attacker may try to secure access by:
Changing your password
Adding their own recovery email or phone number
Creating app passwords (where allowed)
Registering new devices
Creating mailbox rules and forwarding
If you are using a work account, they may also attempt to access connected services like SharePoint, Teams, OneDrive, and internal portals.
Step 8: They monetize the access
This is where real damage happens.
Common monetization paths include:
Business email compromise and invoice hijacking
If your inbox contains invoices or vendor conversations, the attacker may jump into an existing thread.
They might write:
“Hi, our bank details changed, please send the payment to this new account.”
“Use this updated ACH form.”
“Here is the revised invoice.”
Because the email comes from your real account, the recipient trusts it.
This can lead to payments being sent to the scammer.
Identity theft using documents in your inbox
Many people keep scans and PDFs in email.
Attackers look for:
IDs
W-2s and tax forms
Utility bills
Bank statements
Password reset emails
Employment documents
If they find enough, they can attempt identity theft or account opening fraud.
Credential stuffing against other accounts
If you reuse passwords, your email password might work on:
Shopping accounts
Social media
Financial services
Hosting or domain registrars
Attackers will try it everywhere.
Spreading more phishing from your account
A compromised email account becomes a launchpad.
Attackers send the same “signature task” email to your contacts, coworkers, and clients. The messages are more convincing because they come from someone the recipient actually knows.
Step 9: They cover their tracks
Attackers often try to stay hidden as long as possible.
They may:
Delete security alerts
Auto-archive replies from victims
Add inbox rules that hide keywords like “password,” “fraud,” “scam,” or “phishing”
Keep forwarding running silently
This is why victims sometimes do not realize anything happened until days later, when someone reports a suspicious email “from them,” or a payment goes missing.
What To Do If You Have Fallen Victim to This Scam
If you clicked the link but did not enter anything, your risk is lower, but you should still be cautious.
If you entered your password or approved a login, assume your account is compromised until you prove otherwise.
Use this checklist in order.
Change your email password immediately Do this from a device you trust.If you cannot log in, move to account recovery right away. The priority is to regain control.
Turn on multi-factor authentication if it is not enabled Use an authenticator app where possible.If you already had multi-factor enabled, do not assume you are safe. Advanced phishing can bypass it.
Sign out of all sessions and revoke active logins Most email providers let you sign out everywhere.This can kick out an attacker who is still logged in with your session.
Check your email account settings for forwarding and hidden rules This step matters more than most people realize.Look for:
Automatic forwarding to an unfamiliar address
Inbox rules that move emails to Archive, Deleted, RSS, or another folder
Rules that hide or redirect messages containing banking keywords
Added “safe senders” or allowed domains you do not recognize
Remove anything you did not create.
Review recent account activity and connected devices Check recent logins, IP addresses, and device history.If you see logins from locations you do not recognize, document them with screenshots. You may need them later.
Change passwords for any important accounts tied to that email Prioritize accounts that can lead to money loss or identity theft, such as:
Banking and payment services
Shopping accounts with saved cards
Cloud storage (Drive, OneDrive, Dropbox)
Social media accounts
Domain registrars and website hosting
Payroll, accounting, and invoicing tools
Use unique passwords. Do not reuse your email password anywhere.
Contact your bank if you shared any financial information or suspect invoice fraud If you run a business, alert your accounting team too.If you have ongoing vendor payments, verify bank details using a known phone number, not one found in an email thread.
Watch for signs of identity theft If attackers accessed documents like tax forms or IDs, consider protective steps such as:
A fraud alert
A credit freeze
Monitoring of new account openings
The right step depends on your country and your risk level, but the goal is the same: block new credit from being opened in your name.
Scan your computer, but do not assume this was “just a virus” Many of these scams are pure phishing, not malware.Still, it is smart to run a reputable security scan, especially if the link downloaded anything.
Warn your contacts if the attacker emailed them from your account Keep it short and clear.
Tell them:
Your email was compromised
Do not click recent “document” or “signature” links from you
Delete the message
This prevents the attacker from spreading further.
Report the email to your provider and your workplace Use your email client’s “Report phishing” feature if available.
If this happened on a company account, notify IT immediately. Time matters.
If you entered credentials on a work account, assume connected systems are at risk Many workplaces use single sign-on.
If an attacker gets one login, they may gain access to:
Teams or Slack
Shared file storage
Internal HR portals
Customer records
Escalate quickly.
Is Your Device Infected? Scan for Malware
If your computer or phone is slow, showing unwanted pop-ups, or acting strangely, malware could be the cause. Running a scan with Malwarebytes Anti-Malware Free is one of the most reliable ways to detect and remove harmful software. The free version can identify and clean common infections such as adware, browser hijackers, trojans, and other unwanted programs.
Malwarebytes works on Windows, Mac, and Android devices. Choose your operating system below and follow the steps to scan your device and remove any malware that might be slowing it down.
Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android
Run a Malware Scan with Malwarebytes for Windows
Malwarebytes stands out as one of the leading and widely-used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes
Download the latest version of Malwarebytes for Windows using the official link below. Malwarebytes will scan your computer and remove adware, browser hijackers, and other malicious software for free.
(The above link will open a new page from where you can download Malwarebytes)
Install Malwarebytes
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
You’ll first be prompted to choose the type of computer you’re installing the program on—select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
Malwarebytes will now begin the installation process on your device.
When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen as shown below. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Once the scan completes, remove all detected threats. Your Windows computer should now be clean and running smoothly again, free of trojans, adware, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future. If you are still having problems with your computer after completing these instructions, then please follow one of the steps:
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss without costing you absolutely anything. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer which will guide you through the installation process. Click “Continue“, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask you what type of computer are you installing this program, click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
After scanning, delete any detected threats. Your Mac should now be free from adware, unwanted extensions, and other potentially harmful software.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future. If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Run a Malware Scan with Malwarebytes for Android
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smooth.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes will open, you will see the Malwarebytes Setup Wizard which will guide you through a series of permissions and other setup options. This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue. Tap on “Got it” to proceed to the next step. Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue. Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
When the scan is finished, remove all detected threats. Your Android phone should now be free of malicious apps, adware, and unwanted browser redirects.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future. If you are still having problems with your phone after completing these instructions, then please follow one of the steps:
Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
After cleaning your device, it’s important to protect it from future infections and annoying pop-ups. We recommend installing an ad blocker such as AdGuard. AdGuard blocks malicious ads, prevents phishing attempts, and stops dangerous redirects, helping you stay safe while browsing online.
The Bottom Line
The “Signature Task Assignd” email scam is a modern phishing attack wrapped in a familiar workflow.
It looks like a routine e-signature request. It pressures you with a short expiration window. It pushes you toward a single button that feels safe to click.
But the real purpose is to steal your login and use your email as a doorway to money, data, and further fraud.
If you receive one of these emails, slow down. Do not use the button. Verify the request through a trusted channel, or go directly to the real service you normally use.
If you clicked or entered information, act immediately. Change passwords, review forwarding and rules, revoke sessions, and secure any connected accounts.
10 Rules to Avoid Online Scams
Here are 10 practical safety rules to help you avoid malware, online shopping scams, crypto scams, and other online fraud. Each tip includes a quick “if you already got hit” action.
Stop and verify before you click, log in, download, or pay.
Most scams win by creating urgency. Verify using a trusted method: type the website address yourself, use the official app, or call a known number (not the one in the message).
If you already clicked: close the page, do not enter passwords, and run a malware scan.
Keep your operating system, browser, and apps updated.
Updates patch security holes used by malware and malicious ads. Turn on automatic updates where possible.
If you saw a scary “update now” pop-up: close it and update only through your device settings or the official app store.
Use layered protection: antivirus plus an ad blocker.
Antivirus helps block malware. An ad blocker reduces scam redirects, phishing pages, and malvertising.
If your browser is acting weird: remove unknown extensions, reset the browser, then run a full scan.
Install apps, software, and extensions only from official sources.
Avoid cracked software, “keygens,” and random downloads. During installs, choose Custom/Advanced and decline bundled offers you do not recognize.
If you already installed something suspicious: uninstall it, restart, and scan again.
Treat links and attachments as untrusted by default.
Phishing often impersonates delivery services, banks, and popular brands. If it is unexpected, do not open attachments or log in through the message.
If you entered credentials: change the password immediately and enable 2FA.
Shop safely: research the store, then pay with protection.
Be cautious with brand-new stores, “closing sale” stories, and prices that make no sense. Prefer credit cards or PayPal for dispute options. Avoid wire transfers, gift cards, and crypto payments.
If you already paid: contact your card issuer or PayPal quickly to dispute the transaction.
Crypto rule: never pay a “fee” to withdraw or recover money.
Common patterns include fake profits, then “tax,” “gas,” or “verification” fees. Another is a “recovery agent” who demands upfront crypto.
If you already sent crypto: stop paying, save evidence (wallet addresses, TXIDs, chats), and report the scam to the platform used.
Secure your accounts with unique passwords and 2FA (start with email).
Use a password manager and unique passwords for every account. Enable 2FA using an authenticator app when possible.
If you suspect an account takeover: change passwords, sign out of all devices, and review recent logins and recovery settings.
Back up important files and keep one backup offline.
Backups protect you from ransomware and device failure. Keep at least one backup on an external drive that is not always connected.
If you suspect infection: do not connect backup drives until the system is clean.
If you think you are a victim: stop losses, document evidence, and escalate fast.
Move quickly. Speed matters for disputes, account recovery, and limiting damage.
Stop payments and contact: do not send more money or respond to the scammer.
Call your bank or card issuer: block transactions, replace the card if needed, and start a dispute or chargeback.
Secure your email first: change the email password, enable 2FA, and remove unfamiliar recovery options.
Secure other accounts: change passwords, enable 2FA, and log out of all sessions.
Scan your device: remove suspicious apps or extensions, then run a full malware scan.
Save evidence: screenshots, emails, order pages, tracking pages, wallet addresses, TXIDs, and chat logs.
Report it: to the payment provider, marketplace, social platform, exchange, or wallet service involved.
These rules are intentionally simple. Most online losses happen when decisions are rushed. Slow down, verify independently, and use payment methods and account controls that give you recourse.
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.
