{"id":1160,"date":"2024-10-10T10:00:52","date_gmt":"2024-10-10T14:00:52","guid":{"rendered":"https:\/\/blogs.duanemorris.com\/techlaw\/?p=1160"},"modified":"2024-10-10T10:00:54","modified_gmt":"2024-10-10T14:00:54","slug":"new-york-department-of-financial-services-issues-cybersecurity-threat-alert-as-malicious-activity-rises","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/techlaw\/2024\/10\/10\/new-york-department-of-financial-services-issues-cybersecurity-threat-alert-as-malicious-activity-rises\/","title":{"rendered":"New York Department of Financial Services Issues Cybersecurity Threat Alert as Malicious Activity Rises"},"content":{"rendered":"\n<p>The New York Department of Financial Services (DFS)&nbsp;<a href=\"https:\/\/www.dfs.ny.gov\/industry-guidance\/industry-letters\/il20240927-cyber-alert-social-engineering\">published an alert<\/a>&nbsp;directed to all DFS-regulated entities specifically warning of a widespread cybersecurity threat involving social engineering of regulated institutions\u2019 IT help desk personnel and call center personnel.<\/p>\n\n\n\n<p>According to the&nbsp;<a href=\"https:\/\/www.dfs.ny.gov\/industry-guidance\/industry-letters\/il20240927-cyber-alert-social-engineering\">alert<\/a>, DFS has detected a trend in which threat actors have targeted IT personnel as a part of schemes to gain system access through password resets and diversion of multi-factor authentication (MFA) to new devices. According to DFS, threat actors have employed tactics including voice-altering technology and leveraging information found online about identities of individuals, in attempts to convince IT personnel at help desks and call centers to comply with fraudulent access requests.<\/p>\n\n\n\n<p>DFS cautions all regulated entities to be on \u201chigh alert for suspicious communications\u201d based on the observed threat actors\u2019 recent activity. 
Entities are encouraged by DFS to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>implement secure controls for password changing and MFA device configurations;<\/li>\n\n\n\n<li>exercise caution in authenticating the identity of anyone who tries to change a password or MFA device; and<\/li>\n\n\n\n<li>remain vigilant when receiving requests from individuals and vendors regarding system access.<\/li>\n<\/ul>\n\n\n\n<p>DFS included a link to guidelines published by the U.S. Department of Homeland Security\u2019s Cybersecurity &amp; Infrastructure Security Agency (CISA). The guidelines from CISA (<a href=\"https:\/\/www.cisa.gov\/news-events\/news\/avoiding-social-engineering-and-phishing-attacks\">CISA: Avoiding Social Engineering and Phishing Attacks<\/a>) identify best practices to protect against these cyber threats, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Distinctions between common methods of social engineering employed by threat actors<\/li>\n\n\n\n<li>Common indicators of malicious activity disguised as a legitimate communication<\/li>\n\n\n\n<li>Proactive measures to minimize the risk of disclosing information and\/or permitting access to threat actors<\/li>\n\n\n\n<li>Guidance and resources on handling a cybersecurity compromise<\/li>\n<\/ul>\n\n\n\n<p>In addition to the CISA guidelines, NYDFS has a publicly available&nbsp;<a href=\"https:\/\/www.dfs.ny.gov\/industry_guidance\/cybersecurity\">Cybersecurity Resource Center<\/a>&nbsp;with more information and guidance for DFS-regulated individuals and entities.<\/p>\n\n\n\n<p><strong>For More Information<\/strong><\/p>\n\n\n\n<p>If you have any questions about this&nbsp;blog post, please contact&nbsp;<a href=\"https:\/\/www.duanemorris.com\/attorneys\/michellehondonovan.html\">Michelle Hon Donovan<\/a>,&nbsp;<a href=\"https:\/\/www.duanemorris.com\/attorneys\/arielseidner.html\">Ariel Seidner<\/a>,&nbsp;<a 
href=\"https:\/\/www.duanemorris.com\/attorneys\/milagrosastesiano.html\">Milagros Astesiano<\/a>, any of the&nbsp;<a href=\"https:\/\/www.duanemorris.com\/practices\/privacy_and_data_protectionRoster.html\">attorneys<\/a>&nbsp;in the&nbsp;<a href=\"https:\/\/www.duanemorris.com\/practices\/privacy_and_data_protection.html\">Privacy and Data Protection Group<\/a>,&nbsp;or the attorney in the firm with whom you are regularly in contact.<\/p>\n\n\n\n<p><em>Disclaimer: This blog post has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm\u2019s&nbsp;<\/em><a href=\"https:\/\/www.duanemorris.com\/site\/legal_notices.html\"><em>full disclaimer<\/em><\/a><em>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The New York Department of Financial Services (DFS)&nbsp;published an alert&nbsp;directed to all DFS-regulated entities specifically warning of a widespread cybersecurity threat involving social engineering of regulated institutions\u2019 IT help desk personnel and call center personnel. 
According to the&nbsp;alert, DFS has detected a trend in which threat actors have targeted IT personnel as a part of &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blogs.duanemorris.com\/techlaw\/2024\/10\/10\/new-york-department-of-financial-services-issues-cybersecurity-threat-alert-as-malicious-activity-rises\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;New York Department of Financial Services Issues Cybersecurity Threat Alert as Malicious Activity Rises&#8221;<\/span><\/a><\/p>\n","protected":false},"author":504,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,1053],"tags":[1090,1212,47,197,8,1211,252,51,64,1214,823,1130,1215,683,694,695,784,6,1213,13],"ppma_author":[900,1140,1141],"class_list":["post-1160","post","type-post","status-publish","format-standard","hentry","category-infotechtelecom","category-security","tag-ariel-seidner","tag-cisa","tag-cyber","tag-cybersecurity","tag-data-breach","tag-financialregulation","tag-hackers","tag-hacking","tag-internet","tag-mfa","tag-michelle-hon-donovan","tag-milagros-astesiano","tag-multi-factor-authentication","tag-new-york","tag-new-york-department-of-financial-services","tag-nydfs","tag-phishing","tag-security","tag-social-engineering","tag-technology"],"authors":[{"term_id":900,"user_id":504,"is_guest":0,"slug":"mhdonovan","display_name":"Michelle Hon Donovan","avatar_url":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2021\/01\/honmichelle-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":1140,"user_id":675,"is_guest":0,"slug":"aseidner","display_name":"Ariel 
Seidner","avatar_url":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2023\/12\/seidnerariel-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""},{"term_id":1141,"user_id":676,"is_guest":0,"slug":"mmastesiano","display_name":"Milagros Astesiano","avatar_url":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2023\/12\/astesianomilagros-100x100.jpg","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/1160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/users\/504"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/comments?post=1160"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/1160\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/media?parent=1160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/categories?post=1160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/tags?post=1160"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/ppma_author?post=1160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}