W-2 / Payroll Direct Deposit Fraud

How This Attack Works

In the payroll variant, attackers impersonate employees and send HR a direct deposit change request, routing the next paycheck to a criminal account. In the W-2 variant, someone impersonating a senior executive emails the HR or payroll team requesting all employee W-2 forms "for an audit," enabling mass identity theft and fraudulent tax filings.

Red Flags to Watch For

• ✗
  Direct deposit change request arrives by email without a callback verification step
• ✗
  Request originates from a personal Gmail or Hotmail address rather than a company account
• ✗
  Change request arrives just before a payroll processing cutoff date
• ✗
  Executive W-2 request comes from an email without an executive title or proper corporate signature
• ✗
  No multi-factor authorization process was followed before making the change
• ✗
  Employee claims urgency due to a personal emergency to bypass normal process

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• hr-payroll-change.comMALICIOUS
• employee-direct-deposit.netMALICIOUS
• payroll-update-portal.comMALICIOUS
• w2-tax-form-request.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.