Payroll Diversion / W-2 Fraud
Attack Trigger
Employee impersonation requesting a payroll direct-deposit account change
What Attackers Want
One or more full pay cycles — $2,000–$20,000 per employee targeted
How This Attack Works
Attackers impersonate an employee or HR personnel and request a change to direct deposit banking details. The new account belongs to the attacker, and the next payroll cycle deposits the victim's salary directly to the criminal. W-2 variants target tax preparers with fake requests to forward employee tax data.
Red Flags to Watch For
- ✗ Direct deposit change request arrives by email alone without HR portal confirmation
- ✗ Request comes from a personal email address rather than a company account
- ✗ No callback verification process was followed before the change was made
- ✗ Employee claims the request is urgent because rent is due or an emergency occurred
- ✗ W-2 request from an "executive" asking for all employee tax forms by email
- ✗ Change request arrives just before a payroll processing deadline
Known Malicious Domains
These domains have been associated with this attack. Never click links going to these addresses.
- hr-payroll-update.com (MALICIOUS)
- direct-deposit-change.net (MALICIOUS)
- payroll-portal-update.com (MALICIOUS)
- w2-employee-verify.com (MALICIOUS)
Glance automatically blocks emails from domains on this list. The list is not exhaustive; attackers register new domains continuously.
How Glance Stops This
- Domain similarity analysis catches lookalike sender addresses at millisecond speed
- SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
- VirusTotal + Google Safe Browsing checks every link in real time
- Urgency language detection scores the email higher for manual review
- Known malicious domain blocklist updated continuously from live scan data
Don't wait to get hit.
Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.