No, you’re not dismissed – but beware of job termination frauds

AndyC 3 March 2025

Certain employment deceptions take an unforeseen twist as cyber offenders move from “recruiting” to “sacking” personnel

No, you’re not fired – but beware of job termination scams

Certain employment deceptions take an unforeseen twist as cyber offenders move from “recruiting” to “sacking” personnel

Phil Muncaster

Phil Muncaster

18 Feb 2025
 • 
,
5 min. read

No, you’re not fired – but beware of job termination scams

Most of us are employed or seeking jobs. That’s mainly the reason why work and remote work frauds are so attractive to cyber offenders (and even some state-aligned threat actors). These ploys typically entice the individual with fantastic job or part-time work offers. However, in reality, scammers usually aim to obtain your personal and financial details. In some instances, victims may unknowingly end up receiving and redirecting stolen goods, or allowing their bank accounts to be utilized for money laundering.

Nevertheless, less-known are the employment termination frauds. This inverts the concept: deploying the fear of losing your job instead of the enticement of acquiring a new one to seize your attention. So, what are their characteristics and how can you stay protected?

How do job termination deceptions appear?

At their core, job termination frauds are a form of phishing assault crafted to dupe you into surrendering your personal and financial details, or entice you to click on a malicious link that could initiate a malware download. Social engineering strategies employed in phishing aim to generate an urgency in the victim, prompting them to act without prior contemplation. And nothing incites urgency more than a notice stating that you have been let go.

This could manifest as an email from HR, or a reputable third-party external to the organization. It might inform you that your services are no longer needed. Or it might supposedly contain information about your colleagues that are too tempting to resist perusing. The ultimate objective is to coax you into clicking on a malicious link or opening an attachment, possibly by asserting that it includes data on severance payouts and dismissal dates.

Once you click/open the attachment, you may discover that:

By obtaining your work credentials, adversaries could seize control of your email or other accounts to access sensitive corporate data and networks for pilferage and extortion. If you utilize those logins across various accounts, they might even conduct credential stuffing operations to unlock those accounts as well.

What makes them so effective?

Termination deceptions are impactful as they capitalize on the naivety of humans, inducing a sense of panic in the victim, and instilling an immediate need for action. It’s difficult to find an employee who wouldn’t want more information regarding their own termination, or possibly fabricated specifics of alleged misconduct.

It’s no coincidence that phishing remains a top-three initial access tactic for ransomware actors and has contributed to a quarter (25%) of financially motivated cyber-incidents over the past two years.

In the wilderness

Several incarnations of this fraud have been observed circulating in the wild. These include:

  • An email imitating the UK’s Courts & Tribunals Service, alleging to contain a link to an employment termination document. Clicking on it leads to a spoofed website featuring the Microsoft logo fashioned to persuade the victim into opening it on a Windows device. This action triggers a download of the Casbaneiro (aka Metamorfo) banking trojan.
  • An email alleging to be from the victim’s HR department, purporting to contain a staff dismissal list and details on new roles, as an attachment. Opening the forged PDF results in a fake DocuSign login form requesting the victim to input their email address and password for access.
job termination scam
Source: PCrisk

How to detect a job termination scam

Similar to any phishing assault, there are a few indicators that should raise flags if such an email lands in your inbox. Take a moment and watch for giveaways such as:

  • An unfamiliar sender address that doesn’t match the stated sender. Hover your cursor over the “from” address to see what appears. It might be entirely different, or it could be an effort to mimic the impersonated company’s domain, utilizing typos and other characters (e.g., m1crosoft.com, @microsfot.com)
  • A generic salutation (e.g., “dear employee/user”), which is certainly not the approach a genuine termination letter would take.
  • Embedded links in the email or attachments to open. These are often an indication of a phishing attempt. If you hover over the link and it seems off, all the more reason to refrain from clicking.
  • Links or attachments that don’t open immediately, but request you to input logins. Never comply in response to an unsolicited message.
  • Pressing language. Phishing messages always strive to hurry you into a hasty decision.
  • Misspellings, grammatical errors, or other inconsistenciesIn the communication. These are becoming scarcer as cybercriminals embrace generative AI tools to compose their phishing emails, but they are still valuable to watch out for.
  • Moving forward, stay vigilant for AI-assisted schemes where fraudsters might utilize deepfake audio and video resemblances of real individuals (such as your supervisor) to deceive you into revealing sensitive corporate information.

Remaining secure

To ensure you are not ensnared by job loss scams, familiarize yourself with the aforementioned indicators. Additionally, consider the following:

  • Utilize robust, distinct passwords for each account, ideally secured in a password vault
  • Ensure to activate two-step verification (2FA) for added access security
  • Confirm all your professional and personal devices are routinely updated and patched
  • If your IT department provides, participate in regular phishing simulation drills to grasp what to be cautious of
  • If you receive a suspicious message, refrain from clicking on integrated links or opening the attachment
  • Reach out to the sender through alternate means if you are uneasy – but refrain from replying to the email or utilizing the provided contact information
  • Inform your company’s IT department of any questionable emails
  • Check if your colleagues have received the same message

Work termination scams have been in existence for a while. If they are still circulating, they must still be effective. Always exhibit skepticism towards anything that lands in your inbox.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

ESET Threat Report H2 2025

ESET Threat Report H2 2025

AndyC 17 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025
Black Hat Europe 2025: Was that device designed to be on the internet at all?

Black Hat Europe 2025: Was that device designed to be on the internet at all?

AndyC 16 December 2025

You may have missed

Hospital Ransomware Really is The Pitt

How CISOs Can Beat the Ransomware Blame Game 

AndyC 18 December 2025
Using AI to automatically cancel customers? Not a smart move

2026 Cyber Predictions: Accelerating AI, Data Sovereignty, and Architecture Rationalization 

AndyC 18 December 2025
Smashing Security podcast #448: The Kindle that got pwned

Smashing Security podcast #448: The Kindle that got pwned

AndyC 18 December 2025
What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek

Private Certificate Authority 101: From Setup to Management

AndyC 18 December 2025
CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.