NYDFS Alert: ‘Vishing’ Attacks Targeting IT Help Desks on the Rise

February 14, 2026 1:14 pm

New York’s DFS warns of a spike in sophisticated “vishing” attacks targeting IT help desks. Plus, a breakdown of the newly updated MFA FAQs and details on the upcoming Feb. 26 webinar to help regulated entities and third-party providers stay in compliance. For more on cybersecurity, attend ACA’s virtual Cybersecurity & Risk Forum March 3-5.

The New York Department of Financial Services (NYDFS) has issued a fresh warning to regulated entities following a spike in sophisticated “vishing” (voice phishing) campaigns. In these attacks, cybercriminals pose as IT help desk staff to trick employees into surrendering their credentials and bypassing security protocols.

How the Scam Works

According to the NYDFS advisory, the current campaign involves a highly coordinated three-step process:

  • Impersonation: Threat actors call employees on both work and personal phones, often using spoofed caller IDs to make the call appear as if it is coming from an internal company extension or a known service provider.
  • Social Engineering: The caller claims to be from the IT help desk and verbally directs the employee to a malicious link. This link leads to a fake, professionally branded login page that mimics the organization’s actual portal.
  • Credential Theft: Once the employee enters their username and password, the attacker captures the data in real time. They then prompt the user for their Multi-Factor Authentication (MFA) code, allowing the attacker to gain immediate, unauthorized remote access to the corporate network.

NYDFS Recommendations for Defense

To combat these techniques, the NYDFS urges organizations to review their compliance with 23 NYCRR Part 500 (PDF) and implement the following safeguards:

  • Verified Identity Procedures: Move beyond relying on Caller ID. Establish a formal process for verifying the identity of any staff member requesting credential resets or remote access.
  • Targeted Training: Conduct specific “vishing” awareness sessions. Employees should be taught that IT staff will rarely, if ever, ask them to navigate to a non-standard URL to sync or verify their MFA.
  • Strengthen MFA Controls: Organizations should review their MFA enrollment permissions to ensure attackers cannot register new devices after stealing a password.
  • Proactive Monitoring: Implement alerting systems to flag “anomalous authentication activity,” such as logins from unusual locations or at strange hours immediately following a password change.
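The last two safeguards, restricting MFA device enrollment after a credential reset and flagging logins from unusual locations or at odd hours right after a password change, can be checked mechanically against authentication logs. The Python below is an added illustration and is not code from NYDFS or ACA; the event layout, the 24-hour suspicion window, the business-hours range and the sample events are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events. Usernames, field names and values are
# assumptions made for this example, not data from the NYDFS advisory.
EVENTS = [
    {"ts": "2026-02-09T09:00:00", "user": "carol", "type": "login", "country": "US"},
    {"ts": "2026-02-10T09:05:00", "user": "alice", "type": "login", "country": "US"},
    {"ts": "2026-02-10T14:30:00", "user": "alice", "type": "password_change"},
    {"ts": "2026-02-10T14:34:00", "user": "alice", "type": "mfa_enroll", "device": "unknown-phone"},
    {"ts": "2026-02-10T14:36:00", "user": "alice", "type": "login", "country": "RO"},
    {"ts": "2026-02-11T02:10:00", "user": "bob", "type": "login", "country": "US"},
    {"ts": "2026-02-11T10:00:00", "user": "carol", "type": "password_change"},
    {"ts": "2026-02-11T10:20:00", "user": "carol", "type": "login", "country": "US"},
]

WINDOW = timedelta(hours=24)    # how long after a password change we stay suspicious (assumed)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time counts as normal hours (assumed)


def detect(events, window=WINDOW, business_hours=BUSINESS_HOURS):
    """Return (timestamp, user, reason) tuples for post-reset activity that needs review.

    Rules, each tied to the advisory's recommendations:
      - an MFA device enrolled within `window` of a password change
      - a login within `window` from a country never seen for that user before the change
      - a login within `window` outside business hours
    """
    alerts = []
    last_reset = {}                    # user -> datetime of the most recent password change
    seen_countries = defaultdict(set)  # user -> countries logged in from outside any reset window

    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        user, kind = ev["user"], ev["type"]

        if kind == "password_change":
            last_reset[user] = ts
            continue

        reset = last_reset.get(user)
        in_window = reset is not None and timedelta(0) <= ts - reset <= window

        if kind == "mfa_enroll" and in_window:
            alerts.append((ev["ts"], user, "mfa-enrollment-after-reset"))
        elif kind == "login":
            if in_window and ev["country"] not in seen_countries[user]:
                alerts.append((ev["ts"], user, "new-location-after-reset"))
            if in_window and ts.hour not in business_hours:
                alerts.append((ev["ts"], user, "off-hours-login-after-reset"))
            if not in_window:
                # Only logins outside a reset window feed the baseline, so a login made
                # with stolen credentials cannot add its own location to the "known" set.
                seen_countries[user].add(ev["country"])

    return alerts


if __name__ == "__main__":
    for when, who, why in detect(EVENTS):
        print(f"{when} {who}: {why}")
```

On the sample data only alice is flagged: her MFA enrollment four minutes after the password change and the following login from a country she had never used. bob's 02:10 login is not flagged because there was no preceding reset, and carol's login after her own reset comes from a location already in her baseline during business hours. In production the baseline would come from a longer history and the window would be tuned to the help desk's actual reset workflow.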

The DFS reminds all regulated entities that if a vishing attempt results in unauthorized access, it must be reported to the DFS under 23 NYCRR Section 500.17 (PDF), in addition to filing a complaint with the FBI’s Internet Crime Complaint Center.

MFA Webinar & Compliance Reminders

The NYDFS’s final phase of its cybersecurity regulations took effect in November 2025. As the deadline approached, the department reported receiving questions from regulated entities regarding MFA requirements. To help, it is hosting a dedicated session to clear up confusion surrounding Section 500.12, the MFA provision of the regulation.

The NYDFS will host a webinar, “DFS Presents — Let’s Talk MFA,” on Thursday, Feb. 26, 2026, from noon to 1 p.m. EST.

This live session will dive into the nuances of the MFA requirements and give regulated entities a chance to hear directly from the department.

Register here if you are interested in attending. Space is limited, and registration will close on Feb. 19, 2026.

The NYDFS has also updated its Cybersecurity FAQs (specifically questions 18–23). While the formal requirements of the regulation remain unchanged, these revised FAQs provide deeper guidance on how covered entities should configure their MFA systems to stay compliant.

Key Compliance Reminders:

  • Material Compliance: If your organization has already documented and implemented risk-based controls based on the amended regulation, you are likely already in material compliance.
  • Compensating Controls: Under Section 500.12(b), a chief information security officer may still approve the use of “reasonably equivalent” or more secure compensating controls in writing, provided they are reviewed annually.
  • Continuous Assessment: The NYDFS emphasizes that an MFA strategy is not “set it and forget it.” Entities must continually evolve their controls to meet shifting technological risks.

ACA’s Take

A covered entity or regulated entity under New York’s financial services law means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law, regardless of whether other government agencies also regulate the covered entity.

Of note for ACA International members, while collection agencies are generally not covered entities, they will likely qualify as a “third-party service provider” to a covered entity and therefore would be subject to the cybersecurity oversight requirements placed on covered entities.

Covered entities are defined in the NYDFS cybersecurity requirements (PDF) based on annual revenue and number of employees.

In related news, ACA recently reported that the NYDFS issued an urgent warning to all regulated entities regarding an ongoing active phishing campaign.

Fraudsters are currently impersonating DFS personnel through deceptive emails that urge recipients to open malicious files, make payments, or share sensitive account credentials.

© Copyright 2026 Credit and Collection News