No, you’re not fired – but beware of job termination scams
In recent months, hiring scams involving fake job interviews have been in the public eye. In such scams, threat actors induce the target to download malicious programs under the pretext of giving them material for a job interview or assessment. However, this is only one such vector that threat actors can exploit. Equally if not more dangerous is the job termination scam: an attack that plays upon the fear all employed individuals must sometimes have of losing their jobs.
The job termination scam is a form of social engineering attack meant to exploit the fear of its targets. Frequently it takes the form of a fraudulent email impersonating the HR department of the target’s employer, or it can also impersonate an authoritative third party. In either case, it will typically include a bait document that the email induces the target to download. This could purport to be details regarding severance pay, or it may be a list of all supposedly terminated employees. The goal is to get the target to access that bait document to begin an attack chain. The actual contents of the attack can vary, and multiple different cases have been observed in the wild using different methods. In one case, the fake PDF directed the target to a fake DocuSign login page to collect login information. In another case, a link to a fraudulent employee termination document led to the delivery of the Casbaneiro banking trojan.
These phishing attacks take advantage of the mental distress that can be caused by a potential termination to make targets more credulous. It is important to educate employees in the signs of a potential social engineering attack so that they can face these attacks with a cool head. In particular, employees should be reminded to always verify the address of such an email, as they can be spoofed. It is also critical to establish as a general policy that logins should not be required for unsolicited emails, and any that do so are likely to be phishing attempts.
