Report Cyber Incidents, Suspicious Activity, and Fraud
It is important that Commonwealth of Massachusetts departments immediately report any cyber incidents or other suspicious activity to departmental IT staff, even if the activity or email seems innocuous. Malware and ransomware often go undetected at first, so it is always safe to have your IT and security staff double check.
Since employees of the Commonwealth of Massachusetts are often using enterprise systems, it is also critical to notify the Executive Office of Technology and Security Services (EOTSS) and the Office of the Comptroller (CTR) to ensure enterprise systems are protected. Ransomware and other viruses can quickly spread and disrupt operations and compromise data.
In the event of a breach of personally identifiable information, Commonwealth of Massachusetts departments are legally required to notify certain agencies and affected residents.
If You Suspect a Suspicious Email or Potential Security/Fraud Incident
IT / Cyber Department Resource
Immediately report to your internal designated IT/Cyber department resource to review email or activity and implement Incident Response Plan.
EOTSS (For Executive Departments)
This guide will outline the method for alerting the appropriate Executive Office of Technology Services and Security (EOTSS) personnel if you believe you have received a phishing email.
Office of the Comptroller
Report the nature of the incident or suspicious activity to the Office of the Comptroller at [email protected]. CTR can determine risks to enterprise systems and assist with internal controls and remediation. This includes suspicious emails, phishing attempts to misdirect payments or obtain credentials, or other fraud.
Additional Law Enforcement and Fraud Reporting
For fraud against a department, file a cyber-fraud report with the local police department in the city or town where fraud occurs.
Federal Bureau of Investigation
The FBI encourages reporting of suspicious activity, including cyber incidents or fraud.
Commonwealth of Massachusetts departments are required to report unaccounted for variances, losses, or financial shortages due to a cyber incident or other fraud to the State Auditor’s Office using this form.