This phish can have costly consequences.  The hope is the HR person this was sent to will reply and request the information for the direct deposit account (of course the attacker's account).  This is a great reminder to take a good look at the sending address of the message (it was NOT the employee's Holy Cross email) and follow up not using any information or reply from the message.