Industry Letter

Date:  January 22, 2026 

To: DFS-Regulated Entities and Individuals

Re: Cybersecurity Threat Alert – Email Phishing Scam Targeting DFS Regulated Entities

The Department of Financial Services (“DFS”) is alerting regulated entities and individuals to use caution before responding to outreach from individuals falsely claiming to represent DFS.

DFS recently became aware of phishing emails purporting to come from DFS personnel urging regulated entities to open files, make payments, and/or claims to share a file that is missing to prompt further engagement. DFS urges all regulated entities to closely review email header information, including the email address used to transmit the email.

Legitimate DFS emails will be sent only from [@]dfs.ny.gov or [@]public.govdelivery.com. At least some of the messages claiming to be from DFS were sent from [@]myportal.dfs.ny.gov.cazepost.com. Emails from this domain are not legitimate.

If you receive unexpected communications from DFS requesting immediate payment, to open an attachment, or to enter account credentials, you should confirm the legitimacy of the email before taking action. Do not use contacts or links provided in these communications. Instead, directly reach out to DFS via your primary point of contact or the DFS Consumer Assistance Unit.

As always, regulated entities and individuals should exercise caution when asked to provide sensitive information, open attachments, enter account credentials, change payment instructions, or issue payments. DFS urges regulated entities and individuals to continue regular personnel training and simulated phishing exercises in addition to technical controls such as email filtering and alerts for external emails.