{"id":11381,"date":"2025-09-25T11:49:51","date_gmt":"2025-09-25T09:49:51","guid":{"rendered":"https:\/\/www.retarus.com\/blog\/en\/wenn-der-vermeintliche-ex-mitarbeiter-zur-cyberbedrohung-wird\/"},"modified":"2025-09-29T15:52:05","modified_gmt":"2025-09-29T13:52:05","slug":"bogus-emails-from-former-employees-pose-growing-cyber-threat","status":"publish","type":"post","link":"https:\/\/www.retarus.com\/blog\/en\/bogus-emails-from-former-employees-pose-growing-cyber-threat\/","title":{"rendered":"Bogus emails from \u201cformer employees\u201d pose growing cyber threat"},"content":{"rendered":"\n

Our email security experts have detected a rise in a sophisticated social engineering variant targeting companies, particularly their HR or payroll teams, with a scam that is difficult to detect at first glance.<\/p>\n\n\n\n

Alleged former employee sends new banking details<\/h2>\n\n\n\n

The modus operandi usually follows the same course. Attackers use publicly accessible career networking platforms such as LinkedIn to research the details of individuals who, according to their profiles, were until recently employed at the targeted company or have just started in a new position.<\/p>\n\n\n\n

Using a private address which appears legitimate from a technical perspective (e.g., Gmail or Yahoo), the attackers then send a message to the HR or payroll department at the person\u2019s previous employer.<\/p>\n\n\n\n

The email generally claims that the former employee has changed their banking details and therefore requests that all outstanding payments (e.g., salary, bonus, overtime or vacation payouts) be transferred to the new account.<\/p>\n\n\n\n

In follow-up messages, the scammers apply time pressure \u2013 typical for such attacks \u2013 or threaten the company with legal action.<\/p>\n\n\n\n

For the recipient in the company\u2019s HR or payroll department, the scenario seems entirely plausible at first glance, especially because former employees tend to use private email accounts rather than business addresses for such matters.<\/p>\n\n\n\n

Why conventional checks often prove insufficient<\/h2>\n\n\n\n

This has an impact on the technical detection options available. Email security solutions often concentrate on detecting fake sender addresses, for instance via SPF, DKIM, DMARC and block lists, as a first line of defense. In these cases, however, we\u2019re not dealing with typical domain spoofing (meaning a phony sender address) but rather with an address from a free email provider, which by its very nature has no connection with a corporate email domain. This makes it substantially more difficult to detect an attack based only on sender authenticity.<\/p>\n\n\n\n

That\u2019s why it\u2019s essential that companies rely on a state-of-the-art email security solution which additionally employs AI-powered heuristics and pattern recognition.<\/p>\n\n\n\n

Increasing the security awareness of staff remains another key line of defense<\/h3>\n\n\n\n

Raising the awareness of staff regarding security risks of course continues to play a vital role. Employees should constantly be reminded to always question the validity of emails, even when they seem plausible.<\/p>\n\n\n\n

In day-to-day business, this means:<\/p>\n\n\n\n