dinero_admin Employment and remote work scams are very popular among cybercriminals. These often offer incredible job opportunities or temporary employment, although they are only interested in obtaining the personal and financial information of their victims. In this case, ESET, a leading proactive threat detection company, warns about a new, lesser-known scam: the layoff scam. In this case, the threat of losing the job, rather than the lure of getting a new one, is used to capture the attention of the potential victim.
“Layoff scams are a type of phishing attack designed to get their victims to share their personal and financial information or encourage them to click through a malicious link that could trigger a malware download. The social engineering tactics used in phishing are intended to create a sense of urgency in the victim, so that they act without thinking about it first, and the specific excuse is a notice of dismissal”, says Camilo Gutiérrez Amaya, head of the ESET Latin America Research Lab.
The deception may come in the form of an email from HR or an authorized third party outside the company. The email may mention that your services are no longer needed or purport to include details about colleagues that are hard to resist reading. The ultimate goal is to persuade the victim to click on a malicious link or open an attachment, perhaps claiming it includes details about severance pay and termination dates.
Once the attachment is clicked or opened, it is possible to discover that a covert malware installation is triggered or a request is made to enter login details on a fake phishing page. With work login data, cybercriminals could hijack email or other accounts to access sensitive corporate data and networks for theft and extortion purposes. In case those usernames are reused in different accounts, they could even conduct credential stuffing campaigns to unlock other logins as well.
“Termination scams are effective because they exploit people’s gullibility, creating a sense of fear in the victim and instilling in them an urgent need to act. It would be hard to find an employee who would not want to know more about his or her own termination or potentially contrived details of alleged misconduct. It is no coincidence that phishing remains one of the top three initial access tactics for ransomware authors and has contributed to a quarter (25%) of financially motivated cyber incidents over the past two years”, says ESET’s Gutierrez Amaya.
Different versions of this type of scam include:
An email posing as the UK Courts and Tribunals Service and supposedly containing a link to a redundancy document. When clicked, a fake website with a Microsoft logo designed to persuade the victim to open it on a Windows device loads. The download of the Casbaneiro banking Trojan (also known as Metamorfo) is triggered.
An email purporting to come from the victim’s human resources department and claiming to contain a list of layoffs and details about new positions. Upon opening the fake PDF, a fake DocuSign login form is triggered prompting the victim to enter their email address and password to log in.
As with any phishing attack, there are a few warning signs that should get your attention if you receive this type of email in your inbox:
An unusual sender address that does not match the stated sender. Hover over the sender address to see what comes up. It may be something completely different, or it could be an attempt to mimic the supplanted company’s domain, using typos and other characters (m1crosoft.com, @microsfot.com).
A generic salutation (“Dear Employee/User”), which is not the tone a legitimate termination letter would take.
Links embedded in the email or attachments to open. These are usually a telltale sign of a phishing attempt. If you hover over the link and it doesn’t look right, all the more reason not to click.
Links or attachments that do not open immediately, but ask for login information to be entered. Never respond to an unsolicited message of this type.
Urgent language. Phishing messages often try to rush the recipient into making a hasty decision.
Spelling, grammatical or other errors in the letter. These are becoming less common as cybercriminals adopt generative AI tools to compose their phishing messages, but they are still worth paying attention to.
In the future, be on the lookout for AI-assisted schemes where scammers could use audio and video impersonations of real people (such as a boss, for example) to trick you into providing sensitive corporate information.
To make sure you don’t fall into the trap of layoff scams, ESET shares different warning signs:
Use strong and unique passwords for each account, preferably stored in a password manager.
Make sure to enable two-factor authentication (2FA) for an additional layer of access security
Ensure that all personal and work devices are updated and patched on a regular basis.
If offered by the IT department, participate in periodic phishing simulation exercises so you know what to watch out for
If a suspicious message is received, never click on the embedded links or open the attached file
If you are concerned, contact the sender through other channels, but do not reply to the e-mail or use the contact details provided in the e-mail.
Report any suspicious messages to your company’s IT department.
Check to see if any colleagues have received the same message
“Layoff scams have been around for a long time. But if they are still circulating, they must still be operating. Always be wary of anything that arrives in your inbox,” concludes the ESET researcher.
You may also be interested in
ESET highlights the hidden risk in video games
