Electronic transfer of funds and direct deposit theft
Updated: Mar 27, 2020
Several departments have fallen victim to vendor electronic funds transfer (EFT) or payroll direct deposit thefts, in which cyber criminals posing as vendors or employees request changes to EFT or direct deposit bank account information to divert funds from the current authorized account to a fraudulent bank account. Cyber criminals are sophisticated and bold, calling department staff while pretending to be vendors or employees and asking for changes to payment information. The Office of the Comptroller urges all state agencies to review their internal controls to ensure that staff follow the current validation process:
Vendors: Staff should follow the Vendor / Customer File and W-9s policy, which requires that any EFT or banking information be personally validated with an authorized signatory of the vendor. Authorized signatories should be on file with the contract as part of the Contractor Authorized Signatory Listing Form.
Verify information with the vendor and validate authority for the change: Departments should not merely accept and process whatever paperwork is submitted to them. They must speak with an authorized signatory who has the authority to make changes to the legal address, tax identification number, EFT information or remittance address, to ensure the change is appropriate and properly authorized. Just because a person works for the payee does not mean they have the authority to approve a Form W-9 or a change in remittance address.
Payroll/Employees: Many departments have successfully thwarted attempted thefts by implementing internal controls that require employees to make changes through Self-Service Time and Attendance, which requires two-factor authentication for direct deposit changes, or that require face-to-face or other direct personal validation of the employee. Additional internal controls should be implemented when changes are made through a centralized cluster or call center, where staff have no direct interaction with the employee making the change and validation is more challenging.
The key to successful personal validation is NOT to rely on the contact information provided as part of a change request, but to look at the original contract, payroll information or other documentation already on file and to validate with the authorized signatories (vendor or employee) listed there. Cyber criminals often replicate official-looking forms and use fraudulent contact emails and phone numbers to appear to be an employee or a vendor.
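The validation rule above, as an added illustration that is not the Comptroller's own tooling or policy code: the callback contact is resolved from the signatory listing on file, and the phone number supplied with the request is only compared against it, never dialled. The vendor record, the request and names such as `approve_change` are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class VendorRecord:
    """On-file data: contract bank account plus signatory name -> phone from the Contractor Authorized Signatory Listing Form."""
    vendor_id: str
    bank_account: str
    signatories: dict

@dataclass
class ChangeRequest:
    """An inbound EFT change request exactly as submitted; nothing in it is trusted."""
    vendor_id: str
    requester_name: str
    callback_phone: str      # supplied with the request and deliberately never dialled
    new_bank_account: str

def validation_contact(req, record):
    """Who to call, and on which number, to validate the request. The number comes
    from the listing on file; a requester not on it gets None and must be escalated."""
    phone = record.signatories.get(req.requester_name)
    return None if phone is None else (req.requester_name, phone)

def red_flags(req, record):
    """Indicators to record before anyone picks up the phone."""
    flags = []
    on_file = record.signatories.get(req.requester_name)
    if on_file is None:
        flags.append("requester is not an authorized signatory on file")
    elif req.callback_phone != on_file:
        flags.append("callback number in request differs from number on file")
    if req.new_bank_account == record.bank_account:
        flags.append("requested account is already the account on file")
    return flags

def approve_change(req, record, validated_by, phone_dialled):
    """Gate: apply the change only when an authorized signatory confirmed it on
    the number on file. Returns (approved, reason)."""
    if req.vendor_id != record.vendor_id:
        return False, "vendor id mismatch"
    on_file = record.signatories.get(validated_by)
    if on_file is None:
        return False, "validator is not an authorized signatory on file"
    if phone_dialled != on_file:
        return False, "validation call did not use the number on file"
    return True, "validated with authorized signatory on number on file"

# Constructed sample (not real data): the request carries its own callback number.
VENDOR = VendorRecord("V-1001", "ACCT-ON-FILE", {"J. Doe": "617-555-0100"})
REQUEST = ChangeRequest("V-1001", "J. Doe", "617-555-0199", "ACCT-NEW")
```

A department applying this gate records the red flags, calls the number returned by `validation_contact`, and only then passes the confirming signatory and the number actually dialled to `approve_change`.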
Notify CTREmergencyNotification@mass.gov to alert the Office of the Comptroller of any cyber, security or suspicious incident in addition to any other required notifications.
The Office of the Comptroller has created the Cyber Center and Cybersecurity Lessons Learned as resources for state entities to increase cyber readiness. Contact CTR-Risk.Management.Team@mass.gov for questions or assistance with internal controls.