This phish typically originates from a non-Cornell email address. The sender may appear as "[Spoofed Name] <workforce@efaxdesktopespace.com>" The attacker typically targets Human Resources or other administrative staff with the intent of socially engineering a fraudulent direct deposit change. Do not reply to the sender. Employees can self-manage payment elections in Workday.