DFS Publishes Cyber Alert for Email Phishing Attempts

If you received an email on January 22 (yesterday) that looked like it came from the New York State Department of Financial Services (DFS) and it had the department’s name in the subject line, here’s a tip: Delete it.

DFS sent out an alert last night warning the people and businesses it regulates that the emails are phony and likely a “phishing” attempt.

A phishing attempt is a tactic that cyber criminals use to fool a recipient into thinking that an email came from someone they trust. The email is a cover for the criminal’s attempt to steal information or infiltrate the recipient’s computer system.

The email that an associate in another part of the country forwarded to us purported to be from Melissa R. Caldwell. The salutation was simply the recipient’s name, not “Dear Steve Jones” or something like that. The message’s body said:

“The New York State Department of Financial Services is providing your firm with a document for review related to regulatory reporting requirements.

Due to timing considerations, the document is included as an attachment to this message.

No response is required by email unless stated within the document

Message delivery information

This message was distributed on behalf of the New York State Department of Financial Services using CazePOST, an email delivery service, to support delivery to a number of affected firms. The message content and attachment originate from the New York State Department of Financial Services.

**Important information**

* This message is sent from an authorized New York State Department of Financial Services email address

* The New York State Department of Financial Services will not request passwords, one-time passcodes, or credentials by email

If you are unable to open the email attachments, please respond to this email.

Thank you for your attention.”

The address that sent the email was “melissa.caldwell@myportal.dfs.ny.gov.cazepost.com.” The DFS alert stated, “Legitimate DFS emails will be sent only from [@]dfs.ny.gov or [@]public.govdelivery.com. At least some of the messages claiming to be from DFS were sent from [@]myportal.dfs.ny.gov.cazepost.com. Emails from this domain are not legitimate.” [Emphasis in original] The alert advised checking with your primary point of contact at DFS or the DFS Consumer Assistance Unit to confirm whether an email like this is legitimate.
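The alert's rule is easy to get wrong in an automated mail rule or help-desk script, because the fraudulent domain contains the legitimate one as a prefix: "myportal.dfs.ny.gov.cazepost.com" is registered under cazepost.com, not under dfs.ny.gov. The following Python is an added example, not code from DFS or from the original article; it takes the two legitimate sender domains quoted from the alert as the allowlist, shows why a "does the domain appear anywhere in the address" check accepts the phony sender, and then applies the correct right-hand-end match. The sample addresses other than the one quoted above are constructed.

```python
import email.utils

# The only sender domains the DFS alert names as legitimate.
ALLOWED_SENDER_DOMAINS = ("dfs.ny.gov", "public.govdelivery.com")


def sender_domain(header_value):
    """Return the lower-cased domain of the address in a From: header value.

    Accepts a bare address or a display-name form such as
    'Melissa Caldwell <user@example.com>' (constructed sample).
    Returns '' when there is no '@'-separated domain at all.
    """
    _name, addr = email.utils.parseaddr(header_value)
    _local, at, domain = addr.rpartition("@")
    if not at or not domain:
        return ""
    return domain.lower().rstrip(".")


def naive_substring_check(header_value, allowed=ALLOWED_SENDER_DOMAINS):
    """The check to avoid: 'does an allowed domain appear anywhere in the domain?'

    The lookalike domain from the alert contains 'dfs.ny.gov' as a prefix,
    so this test wrongly accepts it.
    """
    domain = sender_domain(header_value)
    return any(a in domain for a in allowed)


def is_legitimate_sender(header_value, allowed=ALLOWED_SENDER_DOMAINS):
    """True only if the domain IS an allowed domain or a subdomain of one.

    Matching the right-hand end of the domain is what separates
    'x.dfs.ny.gov' (under dfs.ny.gov) from
    'myportal.dfs.ny.gov.cazepost.com' (under cazepost.com).
    """
    domain = sender_domain(header_value)
    if not domain:
        return False
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def triage(header_value):
    """One-line verdict a mail filter or help-desk script could log."""
    domain = sender_domain(header_value) or "(no domain)"
    if is_legitimate_sender(header_value):
        return f"ALLOW: {domain} is an approved DFS sender domain"
    return (f"QUARANTINE: {domain} is not an approved DFS sender domain; "
            "confirm with your DFS point of contact before opening attachments")


if __name__ == "__main__":
    # The first sample is the address quoted in the article; the rest are constructed.
    for sample in (
        "melissa.caldwell@myportal.dfs.ny.gov.cazepost.com",
        "Melissa Caldwell <melissa.caldwell@myportal.dfs.ny.gov.cazepost.com>",
        "someone@dfs.ny.gov",
        "noreply@public.govdelivery.com",
        "notice@dfs.ny.gov.example.com",
        "not-an-address",
    ):
        print(f"{sample!r}")
        print(f"   naive={naive_substring_check(sample)}  "
              f"strict={is_legitimate_sender(sample)}  ->  {triage(sample)}")
```

The strict check only tells you the claimed From: domain is one DFS uses; a forged From: header can still carry a legitimate-looking domain, which is why the alert's advice to confirm with your DFS contact remains the final step.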

This episode is a good reminder of how important cybersecurity practices are. The DFS cybersecurity requirements regulation mandates that all covered entities (including insurance agencies and brokerages) create and implement policies and procedures “for the protection of its information systems and nonpublic information stored on those information systems.” DFS has provided a template for a cybersecurity policy on its website, which is free for all to use. Your agency’s policies should include rules for all staff to follow when (not if) they receive suspicious emails.

The regulation requires covered entities to report to DFS when they experience a cybersecurity incident. Receiving a phishing email is not an incident you must report unless it has had a significant impact on your daily operations or resulted in the theft of non-public information.

Much more information on how to comply with this regulation, including the compliance filing that is due by April 15, is available in the Cybersecurity section of our website. Also, mark these upcoming webinars on your calendars:

Cyber criminals are constantly coming after you. Be on your guard.
