Industry Letter

Date: February 06, 2026

To: CISOs of DFS Regulated Entities

Re: Cybersecurity Advisory - Targeted “Vishing” Attacks

The New York State Department of Financial Services (“DFS”) is issuing this cybersecurity advisory to highlight an ongoing cyberthreat campaign involving vishing. Although this is not a new tactic, DFS is advising entities to be vigilant about the heightened use of this common tactic that continues to affect regulated entities.

Specifically, threat actors are posing as IT help desk staff in calls to personnel in order to steal login credentials and gain unauthorized access to information systems. They often use spoofed caller IDs when calling personnel on their personal and work phones. The threat actors then verbally direct personnel to use malicious links that take them to fake organization- or vendor-branded websites. Personnel who follow these directions unwittingly provide their login credentials and multi-factor authentication (“MFA”) codes, which give threat actors remote access to company information systems.

To defend against these techniques, DFS-regulated entities should review their cybersecurity program to confirm compliance with all relevant sections of DFS Cybersecurity Regulation (23 NYCRR Part 500). Entities should take appropriate steps to mitigate risks related to vishing, including:

  • Identity Verification Procedures: Instead of relying on Caller ID, implement procedures for personnel to confirm the identity of individuals requesting credential resets, remote access, or other activity associated with information system access.
  • Targeted Awareness Training: Train personnel on common social engineering tactics, including the vishing technique in which threat actors are impersonating IT help desk and service providers.
  • Access Management: Regularly review access permissions to confirm that account access is limited to what is necessary and appropriate for job functions.
  • MFA Enrollment: Review existing MFA controls, including permissions for MFA enrollment.
  • Continuous Monitoring and Detection: Employ monitoring and alerting mechanisms to detect anomalous authentication activity and behaviors as well as for indicators of credential compromise.
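The monitoring item above can be made concrete as a correlation rule over identity-provider audit events: a help-desk password reset followed within a short window by a new MFA enrollment and a successful login from an address never seen for that user is the footprint the attack described in this advisory leaves behind. The code below is an added illustration, not part of the DFS letter; the event format, field names and sample records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the advisory), oldest first is
# not required because the function sorts them.  Tuple layout is assumed:
# (ISO timestamp, username, event type, detail such as source IP or device).
SAMPLE_EVENTS = [
    ("2026-02-06T09:02:00", "alice", "password_reset", "helpdesk"),
    ("2026-02-06T09:05:00", "alice", "mfa_enrolled", "new authenticator"),
    ("2026-02-06T09:07:00", "alice", "login_success", "203.0.113.7"),
    ("2026-02-06T10:00:00", "bob", "login_success", "198.51.100.4"),
    ("2026-02-05T12:00:00", "carol", "mfa_enrolled", "phone"),
    ("2026-02-06T11:00:00", "carol", "login_success", "198.51.100.9"),
]

# Constructed baseline of source IPs previously observed per user.
KNOWN_IPS = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.4"},
    "carol": {"198.51.100.9"},
}


def find_suspicious_resets(events, known_ips, window=timedelta(hours=1)):
    """Return users for whom a password reset was followed, within `window`,
    by both a new MFA enrollment and a successful login from an IP that is
    not in that user's baseline.  Each user is reported at most once."""
    per_user = {}
    for ts, user, kind, detail in sorted(events):  # ISO timestamps sort lexically
        per_user.setdefault(user, []).append((datetime.fromisoformat(ts), kind, detail))

    hits = []
    for user, evs in per_user.items():
        baseline = known_ips.get(user, set())
        for i, (t0, kind, _) in enumerate(evs):
            if kind != "password_reset":
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            enrolled = any(k == "mfa_enrolled" for _, k, _ in later)
            new_ip_login = any(k == "login_success" and d not in baseline
                               for _, k, d in later)
            if enrolled and new_ip_login:
                hits.append(user)
                break  # one alert per user is enough for triage
    return hits


if __name__ == "__main__":
    print("accounts to review:", find_suspicious_resets(SAMPLE_EVENTS, KNOWN_IPS))
```

Tightening `window` trades missed slow-moving cases for fewer alerts; the rule is meant to prioritise accounts for review, not to replace the identity-verification step on the help-desk side.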

Targeted training, early detection and swift incident response are essential to preventing or minimizing the impact of these attacks. If a company suspects that it may be a victim of a cybersecurity incident, the company should investigate and report to the FBI’s Internet Crime Complaint Center at https://www.ic3.gov/. In addition, companies should fulfill their reporting obligations to DFS under 23 NYCRR § 500.17, as well as reporting obligations under other state or federal laws.