The Office of Financial Management was notified that there’s been another payment redirect fraud incident related to an employee’s payroll direct deposit. In this incident, the email account used to submit the Authorization for ACH Direct Deposit form was disguised to look as if it were from the employee’s state agency email account.
What is needed?
We would like to remind payroll offices to stay vigilant and follow these suggestions:
After receiving the direct deposit form via email, call the employee to verify that it’s valid prior to keying the banking information into HRMS.
When speaking in person with employees, verification should include a non-sensitive challenge question that you can easily confirm, for example, the last time the employee took leave, the year the employee started with the agency, or the name of the employee's supervisor.
Do not make account changes that were requested over the phone or by email without a form.
If the form was received via email, do not reply to the original email – start a new email chain.
Always provide written notification of the account changes to the employee.
Additional Resources
Tips from the Office of the State Treasurer are located here: