
New York State Department of Financial Services · NY

Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel

September 27, 2024

Summary

The New York State Department of Financial Services has issued an alert regarding a rise in social engineering attacks targeting IT help desks and call centers. Threat actors are utilizing voice-altering technology and publicly available information to trick staff into resetting passwords and compromising multi-factor authentication (MFA) credentials.

Industry Letter


Date: September 27, 2024

To: All DFS-Regulated Entities

Re: Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel

The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to thwart a cybersecurity threat currently being used to gain unauthorized access to information systems. DFS has seen evidence that threat actors are targeting IT help desks and call centers using, among other tactics, voice-altering technology in conjunction with information obtained on the internet about the identities of personnel to convince help desks to reset passwords and divert multi-factor authentication (MFA) to new devices.

In light of these risks, DFS-regulated entities must be on high alert for suspicious communications, especially via phone, and implement secure controls to prevent threat actors from easily changing passwords and intercepting SMS text or messaging applications to obtain MFA. IT and help desk personnel in particular must remain cautious of individuals or vendors requesting support related to accessing information systems.

Please alert personnel, especially those staffing help desks and call centers, about these potential social engineering attempts and ensure they are especially diligent in authenticating the identity of anyone requesting changes in authentication factors.

For further details and best practices, please refer to the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) guidelines on avoiding social engineering and phishing attacks: Avoiding Social Engineering and Phishing Attacks | CISA.

Source: https://www.dfs.ny.gov/industry-guidance/industry-letters/il20240927-cyber-alert-social-engineering

Common questions

What does "Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel" cover?
The New York State Department of Financial Services has issued an alert regarding a rise in social engineering attacks targeting IT help desks and call…
Which agency issued this update?
This update was issued by the New York State Department of Financial Services.
When was it published?
It was published on September 27, 2024.
