PERAC Memo #8 - 2026: Fraud Alert
Summary
PERAC is alerting boards to a fraud attempt where a bad actor used stolen personal information (name, date of birth, last four of SSN) to create a self-service portal account for a retiree and then requested a direct deposit change. The attempt was thwarted when the board independently contacted the retiree to confirm the request, which the retiree denied. Boards should review their security procedures, including: requiring matching email/phone on file to create portal accounts, fully hiding bank account numbers on deposit notices, reviewing IT quarantine procedures, and periodically auditing new portal account creation.
Full Text
Memorandum
PERAC Memo #8: Fraud Alert
Date: 01/20/2026
Referenced Sources: PERAC Website
PERAC Memo #08 2026
TO: All Retirement Boards
FROM: Bill Keefe, Executive Director
RE: Fraud Alert
DATE: January 20, 2026
Please be advised of an attempted fraud scheme where a bad actor used stolen personal information to create an account in a retirement board self-service portal and then requested a change of direct deposit. The change was not made and no funds were lost. There were no breakdowns or errors in systems or procedures in this incident. It is further proof that criminals will continue to use new means with stolen personal information to perpetrate fraud.
This attempt was stopped when the retirement board followed its internal security procedures and contacted the retiree directly to confirm the requested change, which the retiree did not make. An initial email making the direct deposit request was placed in quarantine by the IT network. A second email was sent following up on the initial email, and it was then that the IT provider notified the retirement board that the email was being released for further scrutiny. The board then made direct contact with the retiree. Further, upon reviewing the self-service portal log, the board could see that an account had recently been set up for that retiree, which the retiree also confirmed was not their doing. Access to the retiree's self-service portal account was then shut off.
This bad actor had sufficient stolen personal information in order to meet the thresholds for opening a portal account – name, date of birth and last four of the Social Security number – and for answering four identity verification questions. When inside the portal, the bad actor used the name of a bank and the last numbers of the account from a notice of deposit to appear to be authentic. Neither direct deposit change requests nor changes of address can be completed in the portal; a member or beneficiary must contact the retirement board which then independently confirms a request through direct contact with the member or beneficiary.
Action items for retirement boards to consider include:
- boards collecting members' and beneficiaries' email addresses and phone numbers and requiring them to match the ones on file to set up a portal account;
- fully hiding, as opposed to partially, a bank account number on a notice of deposit;
- reviewing with your IT provider what triggers an item to be quarantined and procedures upon an item's release;
- continuing the independent direct contact with a member or beneficiary when a direct deposit request is made; and
- periodically reviewing new portal accounts created and portal usage.

All involved in this thwarted attempt deserve credit for having solid procedures in place, following them, and notifying PERAC so this information could be shared.
Thank you all for your continued vigilance in cybersecurity and fraud prevention.