Fake Paylocity / Paycom mid-market payroll platform subscription payment failed, payroll licenses suspended, payroll processing disabled, or HCM access no longer active phishing

Phishing emails impersonating Paylocity or Paycom claiming the mid-market payroll platform subscription payment has failed, payroll licenses are suspended, payroll processing is disabled, or HCM access is no longer active — directing victims to update billing through a credential-harvesting portal. A distinct attack category targeting the two dominant mid-market payroll SaaS platforms that serve the 200-5,000 employee segment not well-served by legacy ADP/Workday: Paylocity (5,500+ clients at $50-200/employee/year, serving healthcare, retail, and professional services) and Paycom (35,000+ clients at $20-80/employee/year, one of the fastest-growing HR/payroll platforms). Both platforms are the single system where payroll runs, tax filings happen, and direct deposits execute — a suspension email creates immediate payroll liability. Key facts: (1) Paylocity serves the mid-market HCM segment with a unified platform covering payroll, time and attendance, benefits administration, talent management, and employee self-service — Paylocity's key differentiator is its 'On Demand Pay' (earned wage access) feature, making a suspension hook particularly acute because employees lose access to earned wages before payday; (2) Paycom built its market position on the 'Ask Here' self-service philosophy — employees manage their own payroll data — making a 'payroll processing will be suspended' hook credible to both HR administrators and the individual employees who received a Paycom account setup email; (3) Both platforms file payroll taxes on behalf of clients, so a suspension creates the same dual liability as ADP: missed employee direct deposits + potential IRS payroll tax deposit penalties; (4) Paycom's rapid growth (12,000+ new clients/year) means many clients are newly onboarded and are more susceptible to 'account suspension' phishing because they are still learning the platform's communication patterns. Warning signs: sender not paylocity.com or paycom.com; legitimate billing at paylocity.com/account or paycom.com/account.