No, you’re not fired – but beware of job termination scams

February 24, 2025

In recent months, hiring scams involving fake job interviews have been in the public eye. In such scams, threat actors induce the target to download malicious programs under the pretext of providing material for a job interview or assessment. However, this is only one vector that threat actors can exploit. Equally dangerous, if not more so, is the job termination scam: an attack that plays on the fear of losing one's job that every employed person must feel at some point.

The job termination scam is a social engineering attack that exploits the target's fear. It frequently takes the form of a fraudulent email impersonating the HR department of the target's employer, though it can also impersonate an authoritative third party. In either case, the email typically includes a bait document that it induces the target to download. The document may purport to contain details of severance pay, or to be a list of all supposedly terminated employees. The goal is to get the target to open the bait document and so begin an attack chain. What follows varies, and multiple cases using different methods have been observed in the wild. In one case, the fake PDF directed the target to a fake DocuSign login page to collect login information. In another case, a link to a fraudulent employee termination document led to the delivery of the Casbaneiro banking trojan.

These phishing attacks take advantage of the mental distress that a potential termination can cause, which makes targets more credulous. It is important to educate employees in the signs of a potential social engineering attack so that they can face these attacks with a cool head. In particular, employees should be reminded to always verify the sender address of such an email, as it can be spoofed. It is also critical to establish as a general policy that unsolicited emails should never require a login, and that any that do are likely to be phishing attempts.
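The checks described above can also be run automatically at the mail gateway. The following is an added example, not part of the original article: a triage function that flags the indicators of a termination-themed lure in one raw message. The function names, the organization domain `example.com`, the sample message, and the assumption that the `Authentication-Results` header was stamped by the recipient's own gateway are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LURE_TERMS = re.compile(r"\b(terminat\w*|severance)\b", re.I)
HR_NAME = re.compile(r"\b(hr|human resources)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"]+", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header value."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def triage(raw, org_domain):
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display = parseaddr(str(msg["From"] or ""))[0]
    from_dom = domain_of(msg["From"])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f'{msg["Subject"] or ""}\n{body.get_content() if body else ""}'

    if LURE_TERMS.search(text):
        findings.append("termination-theme")
    # Display name claims HR, but the address is not on our own domain.
    if HR_NAME.search(display) and from_dom != org_domain:
        findings.append("hr-name-external-domain")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Assumption: this header was added by our gateway, not by the sender.
    # A visible From address alone proves nothing, since it can be spoofed.
    if "dmarc=pass" not in str(msg["Authentication-Results"] or "").lower():
        findings.append("dmarc-not-pass")
    if any(True for _ in msg.iter_attachments()) or URL.search(text):
        findings.append("bait-document-or-link")
    return findings

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "HR Department" <hr@example-payroll.test>
Reply-To: docs@mailbox.test
To: employee@example.com
Subject: Notice of employment termination
Authentication-Results: mx.example.com; dmarc=fail

Your severance details: https://docs.example-payroll.test/severance.pdf
"""
```

A message that trips several indicators at once is a candidate for quarantine or a warning banner; any single indicator on its own is weak evidence.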
