Incident

Massachusetts payroll system attacked via phishing campaign



The Office of the Comptroller in Massachusetts is investigating a credential harvesting cyberattack that affected the state's Employee Self-Service Time and Attendance (SSTA) system.

The attack involved a phishing website designed to mimic the state's official portal, tricking some state employees into entering their usernames and passwords. This allowed attackers to gain unauthorized access to employees' accounts, specifically targeting direct deposit information.

After the breach was detected, the state temporarily disabled the official payroll system to secure employee information and alerted those potentially affected.

The state's payroll process remains operational, and payments to employees will continue as scheduled. As a precaution, recent changes to direct deposit details will be reverted to paper checks until the investigation is complete.

Investigators are still working to determine how employees were directed to the fraudulent site and how many individuals were affected. The comptroller’s office emphasized that there is no evidence of a compromise to the broader system, attributing the incident to user error—employees entering their credentials into the spoofed website.
