Fake corporate finance or compliance department claiming the target's expense report contains a policy violation and requiring repayment of the disallowed amount via email link or face paycheck deduction — credential-harvest and payment-collection fraud; real expense violations are handled through authenticated expense management platforms, never cold email payment links.

Fake corporate finance, compliance, or accounts payable department (impersonating Concur, Expensify, Workday Expenses, Certify, Brex, Ramp, or generic "Corporate Finance") claiming the target has submitted an expense report containing a policy violation and requiring them to click a link to review the violation detail, repay the disallowed or non-compliant expense amount, or face paycheck deduction or disciplinary action — credential-harvest and payment-collection fraud targeting corporate employees. Real corporate expense policy violations are handled through authenticated expense management platforms and HR systems with supervisor approval workflows; cold emails claiming "expense report policy violation — repay disallowed amount via link or paycheck will be deducted" are payment-collection attacks exploiting employment anxiety. The threat of paycheck deduction or disciplinary action creates immediate urgency without requiring the victim to leave a workplace context. Distinct from paycheck-garnishment-legal-phish (court-order wage garnishment pretext) — this targets the corporate expense report / policy violation flagged / disallowed amount / repay via link or paycheck deduction pretext. Detection: expense report + policy violation + disallowed amount + repay via link + or paycheck deduction/disciplinary vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +4. Source: GC1-R29; ACFE expense fraud report 2025; FTC workplace scam advisory; CISA corporate credential-harvest patterns; FBI IC3 BEC expense-fraud variant.