Executive Summary

Cybercriminals are capitalizing on a legitimate government program in New York State to conduct phishing and smishing (SMS phishing) campaigns. The New York State Department of Taxation and Finance has issued a public warning about fraudulent messages being sent to taxpayers regarding the state's inflation relief refund. These scams falsely claim that residents need to click a link and provide personal and financial information to receive their payment. The official program, however, is automatic and requires no action from taxpayers. This campaign is a classic example of social engineering, preying on public interest in a real-world event to steal sensitive information.

Threat Overview

The scam leverages a legitimate government initiative to gain credibility and trick potential victims.

• Attack Vector: The primary vectors are smishing (Spearphishing Link (T1566.002) via SMS) and email phishing.
• The Lure: The messages reference the real New York State inflation refund check, making the scam appear plausible.
• Social Engineering: The attackers create a false sense of urgency. One example message warns that failure to provide payment information by a deadline will result in "permanent forfeiture of this refund."
• The Goal: The malicious link in the message directs the victim to a phishing website designed to look like an official government portal. The site prompts the user to enter sensitive information, such as:
  • Full Name
  • Social Security Number (SSN)
  • Bank account details
  • Credit card numbers

Impact Assessment

Victims who fall for this scam face a high risk of identity theft and financial fraud.

• Identity Theft: With a victim's name, SSN, and other PII, criminals can open new lines of credit, file fraudulent tax returns, or commit other forms of identity fraud.
• Financial Loss: Stolen banking or credit card information can be used to make unauthorized purchases or drain bank accounts directly.
• Loss of Trust: Such scams can erode public trust in legitimate government communications and programs.

Detection & Response

• Government Action: The NYS Department of Taxation and Finance has issued public warnings through official channels and news outlets to raise awareness.
• Infrastructure Takedown: The fraudulent URL mentioned in one of the smishing examples was reportedly taken offline after being identified.
• User Awareness: The key to detection is recognizing the signs of a phishing attempt:
  • Unsolicited messages about financial matters.
  • A sense of urgency or threats.
  • Requests for personal information.
  • Links to unofficial-looking websites.

Mitigation

Public education is the primary defense against this type of broad-based phishing campaign.

• Trust Official Sources: The NYS government has stated that the legitimate refund checks are sent automatically. No application or submission of information is required. Taxpayers should only trust information from official government websites (ending in .gov).
• Do Not Click Links: Never click on links or call phone numbers in unsolicited text messages or emails regarding tax refunds or government payments.
• Verify Independently: If you are unsure about a message, contact the relevant government agency directly using a phone number or website you know to be legitimate. Do not use the contact information provided in the suspicious message.
• Report Scams: Report phishing attempts to the appropriate authorities, such as the FTC, the FBI's Internet Crime Complaint Center (IC3), and the government agency being impersonated. This is a form of User Training (M1017).