Some employment scams take an unexpected turn as cybercriminals shift from “hiring” to “firing” staff

Most of us are in a job or looking for one. Or both. That’s largely why employment and work-from-home scams are so popular among cybercriminals (and even some state-aligned threat actors). The schemes typically lure the user by offering amazing job or casual employment opportunities. But in reality, all the scammers usually want is your personal and financial information. In some cases, victims may even end up unwittingly receiving and re-shipping stolen goods, or allowing their bank accounts to be used for money laundering.

However, less-well known is the employment termination scam. This turns the idea on its head: using the threat of losing your job rather than the lure of gaining a new one to catch your attention. So what do they look like and how can you stay safe?

What do job termination scams look like?

At their simplest, job termination scams are a type of phishing attack designed to trick you into handing over your personal and financial information, or on clicking on a malicious link which could trigger a malware download. Social engineering tactics used in phishing aim to create a sense of urgency in the victim, so that they act without thinking things through first. And you can’t get more urgent than a notice informing you that you have been dismissed.

It could arrive in the form of an email from HR, or an authoritative third-party outside the company. It may tell you that your services are no longer required. Or it may claim to include details about your colleagues that are too hard to resist reading. The end goal is to persuade you to click on a malicious link or open an attachment, perhaps by claiming that it includes details of severance payments and termination dates.

Once you click through/open the attachment, you might find that:

With your work logins, adversaries could hijack your email or other accounts to access sensitive corporate data and networks for theft and extortion. And if you reuse those logins across multiple accounts, they may even be able to run credential stuffing campaigns to unlock those accounts, too.

Why do they work so well?

Termination scams are effective because they exploit the credulity of human beings, creating a sense of dread among the victim, and instilling an urgent need for action. You’d be hard pressed to find an employee that didn’t want to know more about their own termination, or potentially contrived details of supposed misconduct.

It’s no coincidence that phishing remains a top-three initial access tactic for ransomware actors and has contributed to a quarter (25%) of financially motivated cyber-incidents over the past two years.

In the wild

Several versions of this scam have been observed circulating in the wild. These include:

  • An email impersonating the UK’s Courts & Tribunals Service, purporting to contain a link to an employment termination document. Clicking through loads a spoofed website with the Microsoft logo designed to persuade the victim into opening it on a Windows device. It triggers a download of the Casbaneiro (aka Metamorfo) banking trojan.
  • An email purporting to come from the victim’s HR department, which claims to contain a staff termination list and details on new positions, as an attachment. Opening the fake PDF triggers a fake DocuSign login form requesting the victim enters their email address and password to access it.
job termination scam
Source: PCrisk

How to spot a job termination scam

As with any phishing attack, there are a few warning signs which should flash red if such an email ends up in your inbox. Take a deep breath and look out for giveaways such as:

  • An unusual sender address that doesn’t match the stated sender. Hover your mouse over the “from” address to see what pops up. It may be something completely different, or it could be an attempt to mimic the impersonated company’s domain, using typos and other characters (e.g., m1crosoft.com, @microsfot.com)
  • A generic greeting (e.g., “dear employee/user”), which is certainly not the tone a legitimate termination letter would take.
  • Links embedded in the email or attachments to open. These are often a tell-tale sign of a phishing attempt. If you hover over the link and it doesn’t look right, all the more reason not to click.
  • Links or attachments that don’t open immediately, but request you to enter logins. Never do so in response to an unsolicited message.
  • Urgent language. Phishing messages will always try to rush you into making a rash decision.
  • Misspellings, grammatical or other mistakes in the letter. These are becoming rarer as cybercriminals adopt generative AI tools to write their phishing emails, but they’re still worth looking out for.
  • Going forward, be on your guard for AI-aided schemes where scammers could use deepfake audio and video likenesses of actual people (that of your boss, perhaps) to trick you into giving up confidential corporate information.

Staying safe

To ensure you don’t get caught out by job termination scams, understand the warning signs listed above. And also consider the following:

  • Use strong, unique passwords for every account, ideally stored in a password manager
  • Be sure to switch on two-factor authentication (2FA) for an extra layer of access security
  • Make sure all of your work and personal devices are regularly patched and up to date
  • If your IT department offers, join regular phishing simulation exercises to understand what to look out for
  • If you receive a suspect message, never click on embedded links or open the attachment
  • Contact the sender through other channels if you’re concerned – but not by replying to the email or using the contact details listed on it
  • Report any suspect emails to your employer’s IT department
  • Check whether colleagues have received the same message

Employment termination scams have been around for some time. But if they’re still doing the rounds, they must still be working. Always be sceptical of anything hitting your inbox.