NYDFS Releases Cybersecurity Alert Over Rising Email Scam Threats

 What NYDFS Warned About

On January 22, 2026, the New York State Department of Financial Services (NYDFS) issued a cybersecurity alert notifying regulated entities and individuals that a phishing email scam is circulating that fraudulently claims to be from NYDFS staff. (ilsainc.com)

 Scam Technique

  • Scammers are sending emails pretending to be NYDFS personnel asking regulated entities to:
    • Open attachments or files
    • Make payments
    • Provide credentials or sensitive information
      These kinds of requests are classic phishing tactics used to harvest credentials or introduce malware. (ilsainc.com)
  • Some phishing emails were sent from deceptive domains like “myportal.dfs.ny.gov.cazepost.com.”
    NYDFS stressed that legitimate communications will only come from addresses ending in “@dfs.ny.gov” or “@public.govdelivery.com.” (JD Supra)
  • Emails using unofficial or spoofed domains are not legitimate communications from NYDFS and should not be trusted. (ilsainc.com)

 Who Is Targeted

  • The alert is directed at NYDFS‑regulated entities, which include:
    • Banks
    • Insurers
    • Credit unions
    • Other financial services organisations that NYDFS supervises
      These groups receive official communications from NYDFS as part of licensing, compliance, and reporting requirements. (Insurance Journal)
  • The scam appears designed to exploit trust in official regulatory communications by mimicking official email formatting and sender details. (JD Supra)

 NYDFS Guidance to Recipients

The alert includes several practical warnings and steps for regulated entities and individuals:

 Confirm Before Acting

  • Verify the legitimacy of unexpected emails before clicking links, opening attachments, or responding.
  • Do not use contact info provided in suspicious emails — instead, reach out directly to your known NYDFS contact point. (ilsainc.com)

 Know Official Email Domains

NYDFS emphasised that legitimate emails will only originate from:

  • @dfs.ny.gov
  • @public.govdelivery.com
    Emails from other domains should be treated as suspicious. (JD Supra)
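
The sender-domain rule above, as an added example that is not part of the NYDFS alert or the cited coverage: it compares the parsed address domain by exact match and shows why a substring test accepts the deceptive domain quoted in the alert. The function names and sample headers are constructed for illustration; only the two official domains and the cazepost.com domain come from the page.

```python
from email.utils import parseaddr

# Official sender domains, as listed in the NYDFS alert.
OFFICIAL_DOMAINS = ("dfs.ny.gov", "public.govdelivery.com")

def naive_is_official(from_header: str) -> bool:
    """Weak check: substring match. Shown only to illustrate the failure."""
    return any(d in from_header.lower() for d in OFFICIAL_DOMAINS)

def sender_domain(from_header: str) -> str:
    """Domain of the actual address (not the display name), or ''."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()

def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike', 'other' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in OFFICIAL_DOMAINS:          # exact match only
        return "official"
    labels = domain.split(".")
    for official in OFFICIAL_DOMAINS:
        want = official.split(".")
        n = len(want)
        # Official name embedded as consecutive labels of a different domain.
        if any(labels[i:i + n] == want for i in range(len(labels) - n + 1)):
            return "lookalike"
    return "other"

# Constructed sample headers (only the cazepost.com domain is from the alert).
SAMPLES = [
    "NYDFS <notice@myportal.dfs.ny.gov.cazepost.com>",
    '"examiner@dfs.ny.gov" <billing@example.net>',
    "Examiner <Examiner@DFS.NY.GOV>",
    "NYDFS <nydfs@public.govdelivery.com>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{classify_sender(h):12} naive={naive_is_official(h)!s:5} {h}")
```

The From header is set by the sender, so an "official" result is only meaningful for mail that has also passed SPF, DKIM and DMARC checks at the gateway.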

 Exercise Caution With Sensitive Requests

  • Avoid providing credentials, making payments, or opening attachments if the source can’t be confirmed. (ilsainc.com)

 Strengthen Training & Defenses

  • NYDFS encouraged entities to train personnel on phishing detection, use email filtering, and maintain incident response preparedness, including simulated phishing exercises and technical protections. (ilsainc.com)

 Why This Alert Matters

 Rising Phishing Threats

Phishing — deceptive emails that trick recipients into revealing sensitive information — continues to be one of the most common and costly cyber threats to organisations. Scammers increasingly impersonate regulators and trusted organisations to avoid detection. (its.ny.gov)

 Regulatory Importance

NYDFS supervises thousands of entities in the financial sector. A successful scam involving credential theft, fraudulent payments, or malware deployment could have significant operational and compliance implications for regulated firms. (Insurance Journal)


 Comments and Reactions

 Cybersecurity Experts

Many security professionals see this alert as a reminder that phishing attacks remain highly sophisticated:

  • Threat actors often spoof familiar names and branding to make emails look legitimate.
  • Scammers may change domains, sender names or email content over time, making detection harder. (its.ny.gov)

This means that verification and technical email filtering remain critical lines of defense.


 Summary

NYDFS has issued a cybersecurity alert warning about an ongoing email phishing campaign in which scammers impersonate NYDFS personnel and use deceptive email domains to lure regulated entities into opening attachments, sharing credentials, or making payments. (JD Supra)

The alert emphasises that:

  • Legitimate NYDFS emails only come from official domains,
  • Any unexpected requests for sensitive actions should be verified independently,
  • Organisations should reinforce training and email security practices to guard against phishing. (JD Supra)

What follows is a more detailed, case‑based look at the NYDFS cybersecurity alert about rising email scam threats, including real examples and what commentators are saying on the issue:


 What the NYDFS Alert Says

On January 22, 2026, the New York State Department of Financial Services (NYDFS) issued a cybersecurity threat alert warning that phishing emails impersonating NYDFS personnel are circulating and targeting companies and individuals that the agency regulates. (JD Supra)

 How the Scam Works

  • Emails are falsely claiming to be from NYDFS and typically urge recipients to take actions such as opening attachments, making payments, or providing credentials. (JD Supra)
  • Some scam messages appear to come from suspicious domains like @myportal.dfs.ny.gov.cazepost.com — which NYDFS specifically says is not legitimate. (JD Supra)
  • Official NYDFS emails only come from @dfs.ny.gov or @public.govdelivery.com, so any other sender should be treated with caution. (Insurance Journal)
  • The alert reminds recipients not to use links or contact information included in suspicious emails but to contact DFS directly through known, legitimate channels before responding. (Ilsa Inc.)

This alert was released because regulated entities and individuals — such as banks, insurers, credit unions and other financial firms — are frequent targets for phishing campaigns and could be misled into providing sensitive information or making improper payments. (Insurance Journal)


Case Studies: How These Scams Play Out

 Case Study 1 — Impersonation of Official Regulators

In this alert, scammers specifically pretended to be NYDFS staff, using carefully crafted domains and official‑looking text to trick recipients into opening malicious attachments or sharing credentials. (JD Supra)

This is a classic phishing technique where attackers build trust by mimicking a real authority — in this case, a high‑profile regulator — attempting to increase the likelihood that recipients will engage with dangerous content. (Ilsa Inc.)

 Case Study 2 — Attachment and Credential Traps

Some emails urged regulated entities to open files, make payments or “share a missing file” to prompt engagement. These hooks are typical of email scams designed to harvest login credentials or deliver malware if attachments are opened. (Ilsa Inc.)

These kinds of schemes reflect broader patterns seen in other phishing campaigns — like fake Notices of Electronic Filing (NEFs) in legal circles or campaigns impersonating financial regulators — where initial contact looks official but leads to malicious outcomes. (Northern District Bankruptcy Court)


NYDFS Guidance and Best Practices

As part of the alert, NYDFS urges regulated entities to:

 Verify Legitimate Communications

  • Always check the sender domain. Legitimate NYDFS emails will end in @dfs.ny.gov or @public.govdelivery.com; anything else — such as unfamiliar or elongated domains — should be treated as suspicious. (Ilsa Inc.)

 Confirm Unexpected Requests

  • Before responding to any request to open attachments, provide credentials, make payments or change account details, contact your known NYDFS representative directly. (Ilsa Inc.)

 Strengthen Internal Defenses

  • NYDFS also advises continued personnel training on phishing, simulated phishing exercises and technical protections like advanced email filtering to help spot and block scam attempts. (Ilsa Inc.)

The guidance aligns with general phishing prevention tips — such as being wary of emails that ask for sensitive data, unusual payment instructions, or attachments from unverified sources — which are common red flags in cybersecurity alerts. (OITS)


Comments and Industry Perspectives

 Cybersecurity Expert Views

Security professionals highlight that email remains one of the most common attack vectors for scams and intrusions because it is easy for attackers to spoof addresses, use familiar branding, and manipulate users into clicking malicious links or handing over credentials. This alert underscores that trend. (OITS)

Experts also note that attackers increasingly combine social engineering — exploiting trust in official institutions — with technical spoofing techniques to make scams harder to spot. Regular training and heightened vigilance are therefore critical. (OITS)

 Public and Professional Reactions

Although the NYDFS alert is aimed at regulated entities, broader discussions online about phishing and email scams — including threads where people share suspicious emails and seek validation — show how confusing and convincing these scams can be for recipients. People often rely on familiar logos or seemingly official domain strings, which scammers mimic to trick even savvy users. (Reddit)

Sites like government scam pages and consumer forums also remind the public that legitimate authorities will not ask for sensitive personal information or payment via unsolicited email, echoing NYDFS’s warning. (NYSenate.gov)


Summary

  • NYDFS issued a cybersecurity alert on January 22, 2026 warning about phishing emails impersonating NYDFS officials targeting regulated entities. (JD Supra)
  • Scammers are using deceptive domains and urging actions like opening attachments, making payments, or sharing credentials — which NYDFS says are not legitimate communications. (Ilsa Inc.)
  • The agency emphasized verifying sender domains, confirming unexpected requests through known contacts, and bolstering anti‑phishing training and email security tools. (Insurance Journal)
  • Cybersecurity professionals and public commentators stress ongoing threats from phishing campaigns that increasingly target both corporate and individual inboxes with sophisticated, trust‑based tricks. (OITS)