I do know for a fact that Walmart is very much in bed with Salesforce but like you said, I am not comfy sending anything until I hear more about this or get another warning that looks legit.
THIS IS VERY STRANGE!
We just opened this account in November and went through the document shuffle. Nothing has changed.
This could be the same problem I had on Amazon where our bank / CC is not registered to the same address as the company / EIN.
Yeah never do anything you don’t feel comfortable with. That being said, if its a spoof, its a helluva spoof. Anything is possible.
Yes, it does look like it is from Walmart. It seems like all they need is a copy of the paperwork confirming the EIN for your business. Personally, I’d be fine replying with just that since anyone can look up my EIN and business info online with the state of Florida, so I wouldn’t be providing anything any random person couldn’t get on their own.
That was my thinking too actually. What good is a EIN # to anyone in terms of committing fraud?
I suppose it’s possible. I’d be really interested in knowing if anyone else here is seeing what I am on that Financial Setting Page before doing anything.
Seconded.
It’s not proven to be particularly unusual for Big Tech’s corporate behemoths, over the last decade and a ½ or so, to outsource this or that task to other corporate entities (e.g., Amazon is still promulgating ‘opt-out’ options which are only accessible via participation in a Qualtrics-hosted Satisfaction Survey, as it has done here & there since @ least 2017) - but if there’s ANY direct option possible, following that vector, and that alone - even if one need wait, interminably or not, for such to appear - has long been recommended as Best Practice by a multitude of experts in the account-security disciplines.
My assumption is that Walmart was even less prepared for this than Amazon (if that’s even possible) and they don’t have a workflow setup for it.
Regardless, this is really unprofessional if it’s real. This should be filtered through internal case logs the way Amazon does it.
But what happens when you go here??? If this link doesn’t work - click Tax profile on the screen you posted. It’s a link. Manage contacts is a separate link so don’t click there by accident.
That link just goes to the main “Welcome to Seller Central,…” home page.
Hmmmmmm…
When you click on Tax profile on that Admin option screen, it takes you home?
That’s odd
Because Steve’s link includes account-specific ‘taggants’ in the URL/URI structure, methinks.
There’s a reason why I’ve spilt so much ink over the years - most-recently in the last two ¶'s of this 5Jul23 SAS post - on the absolutely-crucial need to parse URLs to the ‘simplified default’ version before using them.
No, that was just clicking on your link from the post. 
The Tax Profile pages says my profile was submitted for review and any new changes will reflect after review by our team which may take up to 5-7 business days… then below the company, tax and business info…
OK… That’s what I have too!
FML
Putting this on the backburner until I hear more from Walmart or partner support in relation to my inquiry of the same.
Thanks everyone for the input here. Very helpful to have this community.
This looks pretty generic to me. I always check to make sure before I post links that they aren’t account specific. Weird.
If you hover over the link you posted or right click and copy it, this is where we are sent…
Who knows… 
“Client ID” is the ‘taggant’ to which I referred to in my reply to you upthread.
Let’s break down what each email header line means;
Reply-To: The email address the reply button uses
From: Displays the message sender (easy to spoof)
Content-type: Tells email client how to interpret the content of the email. The most common character sets are UTF-8 and ISO-8859-1.
MIME-Version: Declares the email format standard in use. (Typically 1.0.)
Subject: Subject Line
To: The intended recipient(s) AKA you
DKIM-Signature: DomainKeys Identified Mail authenticates the domain the email was sent from
Received: The “Received” line lists each server that the email traveled through to reach your client (Read “Received” lines from bottom to top; the bottom-most line is the originator.)
Authentication-Results: Contains a record of the authentication checks carried out; can contain more than one authentication method.
Received-SPF: The Sender Policy Framework (SPF) forms part of the email authentication process that stops sender address forgery.
Return-Path: The location where non-send or bounce messages are directed
ARC-Authentication-Results: The Authenticated Receive Chain is another authentication standard (ARC verifies the identities of the email intermediaries and servers that forward your message)
ARC-Message-Signature: The signature takes a snapshot of the message header information for validation, similar to DKIM.
ARC-Seal: “Seals” the ARC authentication results and the message signature, verifying their contents; similar to DKIM.
X-Received: Differs from “Received” in that it is considered non-standard; that is to say, it might not be a permanent address, such as a mail transfer agent or Gmail SMTP server.
X-Google-Smtp-Source: Shows the email transferring using a Gmail SMTP server.
Delivered-To: The final recipient of the email in this header.
The first Received in the full email header. Alongside the first Received line is the IP address of the server that sent the email. Sometimes X-Originating-IP or Original-IP. Find the IP address and enter it into MX Toolbox, change the search type to Reverse Lookup.
13.110.78.166
This email originated from a salesforce server and is highly likely to be legitimate.
Don’t want to work that hard, paste the whole email header into MX ToolBox header analyzer tool
Thank You and BOOKMARKED.
Nice little trick you have there.
Same! Great explainer @SawleMill. 
@ASV_Vites care to mark as the solution?
DONE!
