Electronic Funds Transfer (EFT) fraud remains a threat
Requests to re-route electronic funds transfers (EFTs) to fraudulent accounts continue to be a favorite tactic of cybercriminals. This risk to the Commonwealth is currently elevated due to staff working remotely during the COVID-19 public health state of emergency.
Staff who receive a request for a change to a vendor’s EFT bank account information should view all such requests as high-risk. Staff processing any EFT account change request must follow the Vendor / Customer File and W-9s policy that requires that any EFT or banking information be personally validated with an authorized signatory of the vendor. Authorized signatories should be on file with the contract as part of the Contractor Authorized Signatory Listing Form. Staff must:
Independently confirm the identity of the requestor using contact information already on file, not what was provided electronically or by phone. If you have not dealt with this specific requestor, contact another person at the vendor whom you do know to validate that this person is authorized to request EFT changes.
Personally validate with the vendor that the change is legitimate using information and contacts already on file, not what was provided electronically or by phone.
Departments should never send or provide the requestor with any financial or otherwise sensitive information either over the phone or through email.
In the event a fraud attempt occurs, the Comptroller may take any necessary actions to assist with remediation of the fraud, the recovery of funds, and, if necessary, freezing security access to Enterprise Systems until the incident is resolved. Ensuring that staff are properly trained on validation protocols is a critical internal control to prevent fraud and theft of public funds.
Notify CTREmergencyNotification@mass.gov to alert the Office of the Comptroller of any cyber, security, or suspicious incident in addition to any other required notifications.
The Office of the Comptroller has created the Cyber Center and Cybersecurity Lessons Learned as resources for state entities to increase cyber readiness. Contact CTR-Risk.Management.Team@mass.gov for questions or assistance with internal controls.