Some employment scams take an unexpected turn as cybercriminals shift from “hiring” to “firing” staff
# Incident Report: Employment Termination Phishing Scams
## Executive Summary
Cybercriminals are running employment termination scams, a variant of phishing that exploits employees' fear and sense of urgency about losing their jobs. The attacks arrive as urgent emails purporting to come from HR or a third party and direct the victim to click a malicious link or open a dangerous attachment; the outcome is malware installation or credential harvesting through a fake login page. The primary impact is potential corporate network compromise through stolen work credentials, which underlines how effective social engineering remains for initial access.
## Incident Details
- **Discovery Date:** The tactics were observed and documented around February 18, 2025 (the publication date of the analysis).
- **Incident Date:** Scams are ongoing and recurring.
- **Affected Organization:** Various organizations targeted globally (Scams observed in the wild).
- **Sector:** All sectors employing staff vulnerable to social engineering.
- **Geography:** Global (Examples cited involve UK services).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, whenever a targeted employee receives the communication.
- **Vector:** Targeted phishing emails leveraging social engineering focused on job termination threats.
- **Details:** Emails mimic official HR or third-party notices concerning termination, severance, or alleged misconduct, designed to create immediate urgency.
### Lateral Movement
- If work logins are captured on the phishing pages, adversaries could hijack email or other connected accounts, gaining access to sensitive corporate data and networks.
### Data Exfiltration/Impact
- Stolen work logins can be used for data theft and potential extortion.
- Reused credentials expose unrelated accounts via credential stuffing.
### Detection & Response
- **How it was discovered:** Through employee vigilance, IT intervention, or security analysis detailing the scam's circulation.
- **Response actions taken:** The guidance given is general: verify the sender, do not click links, and contact IT through a separate, known channel.
## Attack Methodology
- **Initial Access:** Phishing (Emails purporting to be termination notices).
- **Persistence:** Not explicitly detailed, but compromised accounts or installed malware (like Casbaneiro/Metamorfo) serve as persistence mechanisms.
- **Privilege Escalation:** Potentially through compromised work credentials granting access to broader corporate resources.
- **Defense Evasion:** Urgency-inducing social engineering to short-circuit critical thinking; emails and attachments styled to look like legitimate corporate or legal documents.
- **Credential Access:** Harvesting credentials via fake DocuSign login forms or direct input into spoofed Microsoft-branded websites.
- **Discovery:** Emails may mention colleagues' terminations to tempt the victim into opening the "details".
- **Lateral Movement:** Using harvested work logins to access internal systems.
- **Collection:** Accessing sensitive corporate data via compromised accounts.
- **Exfiltration:** Data theft and extortion potential following account compromise.
- **Impact:** Account takeover, data loss, potential malware infection.
## Impact Assessment
- **Financial:** Potential costs associated with incident response, remediation, and potential extortion (Not specified in detail).
- **Data Breach:** Compromise of corporate data through stolen work credentials; the specific data types at risk (HR, financial) are inferred from which credentials are targeted.
- **Operational:** Risk of operational disruption if core systems or communication channels are compromised via harvested credentials.
- **Reputational:** Potential damage if sensitive employee or corporate data relating to terminations is exposed.
## Indicators of Compromise
* **Network indicators:** Malicious URLs prompting for login credentials (e.g., links pointing to spoofed login pages). (No live URLs provided).
* **File indicators:** Downloads initiated by clicking links, potentially leading to the Casbaneiro/Metamorfo banking trojan.
* **Behavioral indicators:** Unexpected requests for login credentials via email attachments or links, especially concerning sensitive corporate events like termination.
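As an added illustration (not part of the original report), the following Python triage heuristic scores a raw email against the behavioural indicators above: an external sender whose display name claims to be HR, termination urgency, a prompt to log in, and a link whose host borrows the DocuSign or Microsoft name. The internal domain `example.com`, the `analyse` function and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the organisation owns example.com; only the brands the report
# names as spoofed (DocuSign, Microsoft) are checked for lookalike hosts.
INTERNAL_DOMAINS = {"example.com"}
BRAND_DOMAINS = {"docusign": "docusign.com", "microsoft": "microsoft.com"}
URGENCY = re.compile(r"\b(terminat\w*|dismiss\w*|severance|misconduct|immediately|within \d+ hours?)\b", re.I)
CRED_PROMPT = re.compile(r"\b(sign in|log ?in|verify your (?:account|identity)|enter your (?:password|credentials))\b", re.I)
ROLE_CLAIM = re.compile(r"\b(hr|human resources|legal|payroll)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def analyse(raw_email):
    """Return (verdict, reasons) for one raw RFC 822 message; plain-text body assumed."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []
    if ROLE_CLAIM.search(name) and sender_domain not in INTERNAL_DOMAINS:
        reasons.append("hr_lookalike_sender")   # claims HR/legal, external address
    if URGENCY.search(text):
        reasons.append("termination_urgency")   # dismissal/deadline pressure
    if CRED_PROMPT.search(text):
        reasons.append("credential_prompt")     # asks the reader to log in
    for link in URL.findall(text):              # brand name in a host that is not the brand
        host = (urlparse(link).hostname or "").lower()
        for brand, real in BRAND_DOMAINS.items():
            if brand in host and host != real and not host.endswith("." + real):
                reasons.append(f"lookalike_url:{host}")
    return ("suspicious" if len(reasons) >= 3 else "ok"), reasons

# Constructed sample messages (not real indicators).
SCAM = """From: HR Department <notices@hr-termination-review.net>
Subject: Immediate action: termination of your employment
Content-Type: text/plain

Your contract is terminated effective immediately. Sign in to review your
severance agreement within 24 hours: https://docusign-review.secure-login.net/doc
"""
BENIGN = """From: HR Department <hr@example.com>
Subject: Reminder: benefits enrolment closes Friday
Content-Type: text/plain

Please complete enrolment via the intranet portal before Friday.
"""
```

The threshold of three signals is arbitrary; in practice a genuine internal HR notice with a link to the company's own domain would score at most one and pass, while the lookalike-host check is the one signal a user is least likely to notice by eye.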
## Response Actions
- **Containment measures:** Refusing to click links or enter credentials in response to suspect emails; isolating any system on which malware is suspected to have been downloaded.
- **Eradication steps:** If credentials were lost, immediate password resets and forcing MFA re-enrollment across all potentially affected accounts.
- **Recovery actions:** Restoring systems if malware was installed; reviewing mailbox and account activity to confirm that no sensitive data was exfiltrated.
## Lessons Learned
- **Key takeaways:** Phishing remains a top initial access vector (25% of financially motivated incidents). Scammers successfully exploit human fear and the urgent need to act on termination news.
- **What could have been done better:** Organizations must institute rigorous verification protocols for termination notifications, ensuring they never rely solely on email links or attachments.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Mandate strong, unique passwords for all accounts, utilizing a password manager.
  2. Enforce Two-Factor Authentication (2FA) on all available corporate and personal accounts.
  3. Maintain regular patching and updating of all work and personal devices.
  4. Conduct regular phishing simulation exercises to train employees on spotting social engineering cues, especially those involving high urgency.
  5. Establish a mandated, out-of-band verification process (e.g., calling the sender via a known internal number) for highly sensitive communications like termination notices.
  6. Train employees to report all suspect emails immediately to the IT department.