Fake employer or brokerage claiming the Employee Stock Purchase Plan (ESPP) enrollment or purchase window is closing imminently and requiring contribution update or banking details via email link before the window closes — credential-harvest; real ESPP changes are managed through authenticated HR portals, never cold email banking-detail requests.

Fake employer HR portal or brokerage (impersonating Fidelity NetBenefits, E*TRADE Corporate Services, Computershare, Charles Schwab Equity Award Center, or generic "Employee Benefits") claiming the target's Employee Stock Purchase Plan (ESPP) enrollment or purchase window is closing imminently and requiring them to click a link to confirm their contribution or update banking/payroll details before the window closes — credential-harvest attack targeting employees with equity compensation. Real ESPP enrollment and contribution changes are managed exclusively through authenticated employer HR portals or plan administrator platforms; cold emails with "ESPP enrollment window closes in 24-48 hours — update your contribution or banking details via link" are credential-harvest attacks. ESPP participants are prime targets because their accounts hold payroll ACH routing numbers, brokerage credentials, and employer-linked stock positions. Distinct from 401k-early-withdrawal-penalty-phish (retirement hardship withdrawal pretext) — this targets the ESPP / employee stock purchase / enrollment window closing / confirm contribution or update banking details pretext. Detection: ESPP/employee stock purchase plan + enrollment window closing + update contribution or banking details vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +4. Source: GC1-R29; SEC investor alert on ESPP fraud; FTC employment benefit phishing advisory; CISA equity compensation credential-harvest patterns.