Fake UKG / Kronos workforce management and time and attendance platform subscription payment failed, licenses suspended, timekeeping and scheduling disabled, or workforce management access no longer active phishing

Phishing emails impersonating UKG (Ultimate Kronos Group) or Kronos claiming the workforce management and time and attendance platform subscription payment has failed, licenses are suspended, timekeeping and scheduling are disabled, or workforce management access is no longer active — directing them to update billing or restore access through a credential-harvesting portal. A distinct attack category targeting the workforce management platform used by organizations with large hourly workforces to manage time and attendance, shift scheduling, leave management, and labor analytics — UKG/Kronos suspension simultaneously stops all timeclock punches from being recorded, prevents managers from viewing real-time staffing levels, disables shift scheduling workflows, and blocks payroll-integration data exports, creating both immediate operational chaos and downstream payroll inaccuracies. Key facts: (1) UKG (formed from the merger of Ultimate Software and Kronos) serves 80,000+ customers ($15,000-$500,000+/year based on employee count) including Target, BMW, and Marriott as the dominant workforce management platform for hourly and shift-based workforces — Kronos Workforce Central and UKG Pro Workforce Management are the primary systems through which retail, manufacturing, healthcare, and hospitality organizations track every employee time punch, manage break compliance, enforce scheduling rules, and calculate labor costs in real time; (2) The 'workforce management licenses are no longer active' hook creates acute operational urgency for organizations with 24/7 operations: a UKG suspension that hits during a shift means timeclocks stop accepting punches — employees cannot clock in or out, managers cannot see who is working, and the labor management system that routes break coverage and overtime alerts goes offline; healthcare organizations that use UKG for nurse scheduling face immediate patient safety implications because the staffing visibility tool is offline; (3) The 'timekeeping and scheduling suspended' hook targets a specific pay period vulnerability: UKG integrates with payroll systems (ADP, Ceridian, Workday) by exporting approved timecard data at the end of each pay period; a UKG suspension that spans the end of a pay period means the payroll integration export cannot run and the payroll system does not receive time data for the period — the payroll team must manually reconstruct hours for every employee from paper timesheets or supervisor estimates; for a 10,000-employee distribution center, this is a multi-day manual effort; (4) The December and January attack window is specifically effective for UKG customers: many organizations run year-end shift schedule planning (for the holiday retail season and January manufacturing restarts) using Kronos; a suspension that hits during open enrollment for shift schedules, overtime sign-up, and vacation bidding creates maximum disruption because no new schedules can be published and existing schedules cannot be modified by managers; (5) UKG and Kronos credentials expose the complete workforce and labor compliance architecture: every employee time and attendance record including clock-in/clock-out times, break durations, overtime hours, and leave requests that are used for payroll processing and labor law compliance, all shift schedule configurations including manager approval histories and labor budget authorizations, employee availability patterns and scheduling preferences that reveal personal routines, labor cost analytics identifying the highest-cost departments and individuals, and integration credentials connecting UKG to payroll, HR, and ERP systems. Warning signs: sender not ukg.com or kronos.com or ultipro.com; genuine UKG billing at ukg.com/account or through direct customer success contact.