State employees fooled by a fake payroll website farming their data

It remains unclear how many employees were affected by the scam.

A phony payroll website tricked some state employees and stole their personal or financial data.

The Office of the Comptroller is investigating a “credential harvesting campaign” that involved the state’s employee self-service time and attendance system.

A credential harvesting campaign is a cyberattack technique that involves stealing personal or financial data from users.

The comptroller’s office says that the cyberattackers created a fake website that appeared like the state’s official portal in this case. Some employees used the website, believing it to be the correct website. Employees entered their username and password, allowing unauthorized access to their user account and direct deposit information.

The state temporarily disabled the official website for timekeeping as a precaution to secure state employee information.

The state says there is no evidence that the official system was compromised. The compromised user accounts were due to user error while entering their credentials into the spoofed website.

The state has alerted all potentially impacted employees.

“We are still trying to determine how many employees were affected,” wrote Michael Sangalang, chief communications officer for the comptroller, in a statement to Boston.com. “Many recent direct deposit account changes were in fact legitimate, and we are in the process of determining which of those changes were legitimate and which were not.”

He wrote that the comptroller is also still trying to ascertain how the cyberattackers directed employees to the fake website.

State employees’ payroll will not be affected. However, out of caution, payroll directors at all the state departments were informed that users with recent direct deposit changes would receive paper checks.

Beth Treffeisen is a general assignment reporter for Boston.com, focusing on local news, crime, and business in the New England region.