In early October, the Commonwealth of Massachusetts’ payroll system was compromised through a credential harvesting campaign, a cyberattack technique in which attackers trick users into handing over login credentials and other personal or financial data. The system was effectively shut down and unavailable to employees for a number of days.
Employees were sent a link to a fake website mimicking the Commonwealth’s payroll portal; some believed it to be the legitimate site and entered their login credentials. This gave the threat actors unauthorized access to those employees’ user accounts and direct deposit information.
“There is no evidence indicating any compromise of the full system. The compromised accounts are the result of user error entering their credentials into a spoofed website,” according to an announcement posted to the Office of the Comptroller’s website, which also confirmed that all impacted parties had been contacted.
Cybercriminals often craft messages that mimic legitimate communications from trusted organizations, making it difficult for recipients to distinguish between genuine and fraudulent requests. These attacks exploit human vulnerabilities, prompting individuals to unwittingly share sensitive data, which can then be used to gain unauthorized access to systems and networks.
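The spoofed portal described above worked because its address looked close enough to the real one. The following is an added example, not code from the article or from the Commonwealth's systems, of the kind of lookalike-hostname check a mail gateway or security-awareness tool can run on a link before a user reaches it. It goes beyond this single incident to the general case: the trusted hostname `payroll.example-state.gov`, the confusable-character table and every sample URL are constructed assumptions for illustration, not real systems.

```python
"""Flag hostnames that impersonate a known payroll portal.

Added example (not from the article or the Commonwealth's systems). The
legitimate hostname, the confusable table and all sample URLs below are
constructed assumptions for illustration only.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed legitimate portal and the DNS zone it lives in (placeholders).
LEGIT_HOST = "payroll.example-state.gov"
LEGIT_ZONE = "example-state.gov"

# Frequent ASCII substitutions seen in typosquats; multi-character keys first
# so "rn" -> "m" is applied before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_host(host: str) -> str:
    """Lower-case, drop trailing dot and accents, fold common confusables."""
    host = unicodedata.normalize("NFKD", host.lower().rstrip("."))
    host = "".join(c for c in host if not unicodedata.combining(c))
    for bad, good in CONFUSABLES:
        host = host.replace(bad, good)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 2) -> tuple[str, str]:
    """Return (verdict, reason); verdict is legitimate, lookalike, unrelated or invalid."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no hostname in URL")
    host = host.rstrip(".")
    # Internationalised labels arrive punycode-encoded; decode so homoglyphs are visible.
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            return ("invalid", "undecodable punycode label")
    # Only hosts inside the trusted zone are controlled by the trusted owner.
    if host == LEGIT_ZONE or host.endswith("." + LEGIT_ZONE):
        return ("legitimate", "host is inside the trusted zone")
    # "payroll.example-state.gov.evil.com" puts the trusted name in a foreign domain.
    if LEGIT_ZONE in host:
        return ("lookalike", "trusted name embedded in a foreign domain")
    # Any non-ASCII character left in the hostname is a homoglyph candidate.
    if any(ord(c) > 127 for c in host):
        return ("lookalike", "non-ASCII characters in hostname (possible homoglyphs)")
    folded, target = normalize_host(host), normalize_host(LEGIT_HOST)
    if folded == target:
        return ("lookalike", "matches trusted host after confusable substitution")
    dist = levenshtein(folded, target)
    if dist <= max_distance:
        return ("lookalike", f"edit distance {dist} from trusted host")
    return ("unrelated", f"edit distance {dist} from trusted host")


# Constructed sample links; none of these hosts is a real system.
SAMPLES = [
    "https://payroll.example-state.gov/login",
    "https://payroll.example-state.gov.secure-login-portal.com/",
    "https://payr0ll.examp1e-state.gov/login",
    "https://payroll.example-stat.gov/",
    "https://payroll.ex\u0430mple-state.gov/",  # Cyrillic 'a' in "example"
    "https://news.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict, why = classify_url(u)
        print(f"{verdict:10} {u}  ({why})")
```

The order of the checks matters: the zone test comes first so that genuine subdomains are never flagged, the embedded-name test catches the "trusted name as a subdomain of an attacker's domain" pattern before any fuzzy matching, and edit distance is applied only after confusable folding so that `payr0ll` is treated as an exact impersonation rather than a near miss. A heuristic like this supplements, and does not replace, a maintained list of the organisation's legitimate portals.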
Cybersecurity starts with the end-user, and this incident highlights the importance of training employees to stay alert to potential threats.