Smishing Attack Takes NYC Payroll Website Offline And Threatens Up To 300K With Identity Theft
New York City is the latest victim of a smishing incident, and its city payroll website has now been taken offline and removed from public access for almost a week as a result.
The website was partially taken offline following the smishing campaign, which allegedly involved text messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.
It wasn’t until after being contacted by POLITICO, which first reported the incident last week, that the city warned its roughly 300,000 full-time workers of the phishing campaign, and even then it did not mention that access to the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) website (including essential tax forms) would be limited.
That action also came after the city’s largest agency, the Department of Education, sent an email to its employees on March 23rd warning about “a new smishing,” or SMS phishing, campaign “targeting users of NYCAPS/ESS.”
“This (is) a user education issue to not fall prey to these scams, but the real site is antique & easily cloned,” said Naveed Hasan, a technology consultant and member of the city’s Panel for Education Policy.
Dave Ratner, CEO of HYAS, had this to say:
“Smishing campaigns are becoming more commonplace, in part because of our increasing reliance on and familiarity with automated systems that generate text messages, and in part because the rise of AI makes it so much easier to generate accurate-looking fakes. This trend will unfortunately continue and there are only two good ways to address it. The first involves increased training, education, and communication; the second involves the use of highly accurate Protective DNS systems that are capable of separating malicious from legitimate sites on the Internet and ensuring that individuals are not accidentally fooled.”
I have long argued for the use of either multi-factor authentication or, better yet, passwordless authentication to stop this sort of thing from happening. But either has to be combined with user education and better checks to ensure “smishing” isn’t a successful attack vector.
This entry was posted on April 9, 2024 at 8:53 am and is filed under Commentary with tags Hacked.