
Cybersecurity Advisory on Targeted Vishing Attacks

Source: NY DFS Industry Letters (www.dfs.ny.gov)
Published February 6th, 2026
Detected February 12th, 2026

Summary

The New York State Department of Financial Services (DFS) issued a cybersecurity advisory highlighting an increase in targeted vishing attacks. Regulated entities are urged to review their cybersecurity programs and implement enhanced measures to protect against credential theft and unauthorized access.

What changed

The New York State Department of Financial Services (DFS) has issued an industry letter warning regulated entities about an increase in targeted vishing attacks. Threat actors call personnel on work and personal phones with spoofed caller IDs, impersonate IT help desk staff, and verbally direct the target to a link for a fake organization- or vendor-branded website that captures both login credentials and multi-factor authentication (MFA) codes, giving the attacker remote access to company systems. The advisory directs entities to review and strengthen their cybersecurity programs in accordance with 23 NYCRR Part 500.

Regulated entities should implement robust identity verification procedures, conduct targeted awareness training on social engineering tactics, review access management and MFA enrollment, and enhance continuous monitoring and detection capabilities. Companies suspecting a breach must investigate, report to the FBI's Internet Crime Complaint Center, and fulfill their DFS reporting obligations under 23 NYCRR § 500.17.

What to do next

  1. Review cybersecurity programs for compliance with 23 NYCRR Part 500.
  2. Implement identity verification procedures for credential resets, remote access and similar requests that do not rely on Caller ID.
  3. Conduct targeted training for personnel on social engineering and vishing tactics, including help desk and service provider impersonation.
  4. Review access permissions and MFA controls, including who is permitted to enroll or change MFA methods.
  5. Monitor and alert on anomalous authentication activity and indicators of credential compromise; if an incident is suspected, investigate, report to the FBI's IC3 and meet DFS reporting obligations under 23 NYCRR § 500.17.

Source document (simplified)

Industry Letter

Date: February 06, 2026

To: CISOs of DFS Regulated Entities

Re: Cybersecurity Advisory - Targeted “Vishing” Attacks

The New York State Department of Financial Services (“DFS”) is issuing this cybersecurity advisory to highlight an ongoing cyberthreat campaign involving vishing. Although this is not a new tactic, DFS is advising entities to be vigilant about the heightened use of this common tactic that continues to affect regulated entities.

Specifically, threat actors are posing as IT help desk staff in calls to personnel in order to steal login credentials and gain unauthorized access to information systems. They often use spoofed caller IDs when calling personnel on their personal and work phones. The threat actors then verbally direct personnel to use malicious links that take them to fake organization- or vendor-branded websites. Personnel who follow these directions unwittingly provide their login credentials and multi-factor authentication ("MFA") codes, which give threat actors remote access to company information systems.

To defend against these techniques, DFS-regulated entities should review their cybersecurity program to confirm compliance with all relevant sections of DFS Cybersecurity Regulation (23 NYCRR Part 500). Entities should take appropriate steps to mitigate risks related to vishing, including:

  • Identity Verification Procedures: Instead of relying on Caller ID, implement procedures for personnel to confirm the identity of individuals requesting credential resets, remote access, or other activity associated with information system access.
  • Targeted Awareness Training: Train personnel on common social engineering tactics, including the vishing technique in which threat actors are impersonating IT help desk and service providers.
  • Access Management: Regularly review access permissions to confirm that account access is limited to what is necessary and appropriate for job functions.
  • MFA Enrollment: Review existing MFA controls, including permissions for MFA enrollment.
  • Continuous Monitoring and Detection: Employ monitoring and alerting mechanisms to detect anomalous authentication activity and behaviors as well as for indicators of credential compromise.

Targeted training, early detection and swift incident response are essential to preventing or minimizing the impact of these attacks. If a company suspects that they may be a victim of a cybersecurity incident, the company should investigate and report to the FBI’s Internet Crime Complaint Center at https://www.ic3.gov/. In addition, companies should fulfill their reporting obligations to DFS under 23 NYCRR § 500.17, as well as reporting obligations under other state or federal laws.
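The "Continuous Monitoring and Detection" and "MFA Enrollment" items above describe what to look for but not how. The attack chain in the letter (phished credential plus one-time MFA code, then the attacker registering their own factor to keep access; or a help-desk reset obtained by impersonation, then a sign-in from an unfamiliar network) leaves a recognizable sequence in identity-provider audit logs. The following is an added example written for this page, not part of the DFS letter or any vendor's product: it correlates constructed sign-in, MFA-enrollment and reset events against a per-user source-IP baseline. The pipe-delimited log format, the user names, the `helpdesk-svc` actor and the IP baseline are all assumptions made up for the example; a real deployment would read the equivalent fields from the identity provider's audit log.

```python
"""Correlate sign-in, MFA-enrollment and help-desk reset events to surface the
vishing account-takeover chain described in the DFS letter.
Added example: the log format, field names, users and IP baseline are
constructed for illustration and match no particular vendor's audit log."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # "signin", "mfa_enroll" or "reset"
    src_ip: str
    actor: str     # account that performed the action (help desk for resets)


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: ISO-time|user|kind|src_ip|actor."""
    ts, user, kind, src_ip, actor = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, src_ip, actor)


# Constructed sample log. Attacker sources use RFC 5737 TEST-NET addresses.
SAMPLE_LOG = """\
2026-02-10T09:00:05|alice|signin|10.0.5.21|alice
2026-02-10T09:42:10|alice|signin|203.0.113.77|alice
2026-02-10T09:45:31|alice|mfa_enroll|203.0.113.77|alice
2026-02-10T10:15:00|bob|signin|10.0.5.40|bob
2026-02-10T10:20:12|bob|mfa_enroll|10.0.5.40|bob
2026-02-10T14:00:00|carol|reset|10.0.9.2|helpdesk-svc
2026-02-10T14:09:48|carol|signin|198.51.100.9|carol
2026-02-10T16:30:00|dave|reset|10.0.9.2|helpdesk-svc
2026-02-10T17:50:00|dave|signin|192.0.2.14|dave
"""

# Per-user baseline of source IPs seen over the prior 30 days (constructed).
KNOWN_IPS = {
    "alice": {"10.0.5.21"},
    "bob": {"10.0.5.40"},
    "carol": {"10.0.5.33"},
    "dave": {"10.0.5.58"},
}


def detect(events, known_ips, window=timedelta(minutes=60)):
    """Return alerts for two sequences a phished credential + MFA code produces.

    R1: sign-in from an IP outside the user's baseline, followed within
        `window` by an MFA method enrollment (attacker registering a factor
        they control so the stolen one-time code is no longer needed).
    R2: help-desk credential reset, followed within `window` by a sign-in
        from an IP outside the baseline (reset obtained by impersonation).
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        for i, e in enumerate(evs):
            # Only events that fall inside the correlation window matter.
            later = [x for x in evs[i + 1:] if x.ts - e.ts <= window]
            if e.kind == "signin" and e.src_ip not in baseline:
                enrol = next((x for x in later if x.kind == "mfa_enroll"), None)
                if enrol:
                    alerts.append({"user": user, "rule": "R1",
                                   "ips": [e.src_ip, enrol.src_ip], "at": enrol.ts})
            elif e.kind == "reset":
                login = next((x for x in later
                              if x.kind == "signin" and x.src_ip not in baseline), None)
                if login:
                    alerts.append({"user": user, "rule": "R2", "ips": [login.src_ip],
                                   "at": login.ts, "reset_by": e.actor})
    return alerts


def run(log: str = SAMPLE_LOG):
    """Parse the constructed log and run both rules against it."""
    return detect([parse_line(ln) for ln in log.splitlines() if ln], KNOWN_IPS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data, alice trips R1 (sign-in from 203.0.113.77 followed three minutes later by a new MFA method from the same unseen address) and carol trips R2 (help-desk reset, then a sign-in from 198.51.100.9). bob enrolls a new factor from his usual office address and is not flagged, and dave's sign-in arrives 80 minutes after the reset, outside the 60-minute window, which illustrates why the window is a tuning decision rather than a constant. R1 is the higher-signal rule: factor enrollment is rare for a given user and is the step the attacker needs to keep access after the one-time code expires, so the MFA enrollment permissions the letter asks entities to review are also the events worth alerting on.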

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
New York State Department of Financial Services (DFS)
Published
February 6th, 2026
Instrument
Guidance
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
DFS-regulated entities (the letter is addressed to their CISOs), including insurers and other financial services companies
Geographic scope
State (New York)

Taxonomy

Primary area
Cybersecurity
Operational domain
Compliance
Topics
Financial Services Social Engineering
