Threat Intelligence Directory
Business Email Compromise

W-2 / Payroll Direct Deposit Fraud

Attack Trigger

Attacker impersonates an employee or HR officer to redirect salary or harvest W-2 tax data

What Attackers Want

Full pay cycle per employee ($2,000–$20,000) or mass W-2 data for fraudulent tax refunds

How This Attack Works

In the payroll variant, attackers impersonate employees and send HR a direct deposit change request, routing the next paycheck to a criminal account. In the W-2 variant, someone impersonating a senior executive emails the HR or payroll team requesting all employee W-2 forms "for an audit," enabling mass identity theft and fraudulent tax filings.

Red Flags to Watch For

  • Direct deposit change request arrives by email without a callback verification step
  • Request originates from a personal Gmail or Hotmail address rather than a company account
  • Change request arrives just before a payroll processing cutoff date
  • Executive W-2 request comes from an email without an executive title or proper corporate signature
  • No multi-factor authorization process was followed before making the change
  • Employee claims urgency due to a personal emergency to bypass normal process
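
The checklist above can be applied as a triage rule on an HR or payroll mailbox. This is an added example, not Glance's code and not part of the original page; `CORP_DOMAIN`, the keyword patterns, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

CORP_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
PAYROLL_RE = re.compile(r"direct deposit|routing number|bank account", re.I)
W2_RE = re.compile(r"\bW-?2s?\b", re.I)
URGENT_RE = re.compile(r"urgent|asap|emergency|immediately|right away", re.I)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=fail", re.I)

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: "Dana Reyes" <dana.reyes.home@gmail.com>
To: hr@example.com
Subject: Update my direct deposit
Date: Tue, 11 Mar 2025 09:14:00 +0000
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

I had a family emergency and changed banks. Please switch my direct
deposit to the new account before this week's pay run.
"""

def red_flags(raw, next_cutoff, window_days=3):
    """Return the checklist items a raw RFC 5322 message trips, in order."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    is_w2 = bool(W2_RE.search(text))
    if not (is_w2 or PAYROLL_RE.search(text)):
        return []  # not a payroll or W-2 request, nothing to score
    flags = ["w2_request" if is_w2 else "deposit_change_by_email"]
    if domain in FREEMAIL:
        flags.append("freemail_sender")
    elif domain != CORP_DOMAIN:
        flags.append("external_sender")
    if AUTH_FAIL_RE.search(msg.get("Authentication-Results", "")):
        flags.append("auth_failure")
    if URGENT_RE.search(text):
        flags.append("urgency")
    if msg["Date"]:
        days_left = (next_cutoff - parsedate_to_datetime(msg["Date"]).date()).days
        if 0 <= days_left <= window_days:
            flags.append("near_payroll_cutoff")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, next_cutoff=date(2025, 3, 13)))
```

The sample passes SPF, DKIM and DMARC because it really was sent from a personal mailbox, so authentication results alone do not clear a request. Any non-empty result should be held for callback verification to a phone number already on file, since the message itself cannot show whether that step took place.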

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

  • hr-payroll-change.com (MALICIOUS)
  • employee-direct-deposit.net (MALICIOUS)
  • payroll-update-portal.com (MALICIOUS)
  • w2-tax-form-request.net (MALICIOUS)

Glance automatically blocks emails from domains on this list. The domain list is not exhaustive — attackers register new domains continuously.

How Glance Stops This

  • Domain similarity analysis catches lookalike sender addresses at millisecond speed
  • SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
  • VirusTotal + Google Safe Browsing checks every link in real time
  • Urgency language detection scores the email higher for manual review
  • Known malicious domain blocklist updated continuously from live scan data


Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.
