Executive Summary
In October 2025, a coordinated smishing campaign targeted New York State residents with fraudulent text messages purporting to be from the Department of Taxation and Finance. The attackers claimed recipients were eligible for an 'Inflation Refund' and directed them to a phishing site impersonating an official state portal, where victims were prompted to submit sensitive personal data—name, address, email, phone number, and Social Security Number—under the guise of processing their refund. This malicious operation seeks to steal identities and facilitate extensive financial fraud. Government officials swiftly issued warnings, clarifying that legitimate refunds required no action from residents and urging vigilance.
This incident is a stark reminder of the increasing sophistication of SMS phishing (smishing) attacks, which blend timely government programs with social engineering techniques. The campaign highlights the persistent risk posed by identity-centric attacks, especially as digital fraudsters exploit widespread economic uncertainty and official-sounding initiatives.
Why This Matters Now
With economic relief programs increasingly in the news, threat actors are leveraging these themes to carry out convincing smishing campaigns that put sensitive personal information at major risk. Organizations and individuals must remain alert to the evolving tactics and timing of phishing attacks tied to real-world events.
Attack Path Analysis
Attackers initiated the campaign via targeted SMS phishing messages to New Yorkers, tricking victims into clicking malicious links and submitting sensitive data. While privilege escalation was not technically a factor, the compromise of personal information enabled fraudsters to impersonate victims or access accounts through stolen credentials. No evidence of lateral movement within cloud or enterprise environments was found, but attackers may attempt to exploit gathered data in other systems. Collected information is relayed back to attacker-controlled infrastructure for use in fraud and possible sale on underground forums. The impact includes identity theft, financial fraud, and long-term consequences for affected individuals.
Kill Chain Progression
Initial Compromise
Description
Attackers sent convincing SMS phishing ('smishing') messages impersonating the NY Department of Taxation and Finance, prompting recipients to click a malicious link.
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service
User Execution: Malicious Link
Gather Victim Identity Information: Credentials
Gather Victim Identity Information: Personal Identifiers
Valid Accounts
Email Collection
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Education
Control ID: 12.6.1
NYDFS 23 NYCRR 500 – Limitations on Data Retention
Control ID: 500.13
CISA Zero Trust Maturity Model 2.0 – Verify Explicitly – User & Entity Authentication
Control ID: Identity Pillar
NIS2 Directive – Policies on Awareness and Training
Control ID: Article 21(2)(e)
DORA (Digital Operational Resilience Act) – ICT-related Incident Reporting
Control ID: Article 9
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct impersonation of New York Department of Taxation and Finance in phishing campaign creates citizen trust erosion and regulatory compliance challenges.
Financial Services
Smishing attacks targeting personal financial data and Social Security Numbers pose significant identity theft risks requiring enhanced customer protection measures.
Telecommunications
SMS-based phishing campaigns exploit text messaging infrastructure, necessitating improved threat detection and egress security policy enforcement for customer protection.
Information Technology/IT
Phishing websites impersonating government agencies require enhanced threat detection, anomaly response capabilities, and zero trust segmentation to prevent credential compromise.
Sources
- Fake 'Inflation Refund' texts target New Yorkers in new scam: https://www.bleepingcomputer.com/news/security/fake-inflation-refund-texts-target-new-yorkers-in-new-scam/
- Governor Hochul Warns Against Scams Targeting New York’s Inflation Refund Initiative: https://www.governor.ny.gov/news/governor-hochul-warns-against-scams-targeting-new-yorks-inflation-refund-initiative
- Current tax scams and alerts: https://www.tax.ny.gov/help/contact/fraud/consumeralerts.htm
- Phishing scams exploit New York’s inflation refund program: https://www.malwarebytes.com/blog/news/2025/10/phishing-scams-exploit-new-yorks-inflation-refund-program
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress controls, threat detection, and centralized visibility provided by CNSF-aligned controls would have enabled faster detection of phishing-related data exfiltration, restricted unauthorized outbound traffic, and limited post-compromise risk. While social engineering can't be fully prevented by network controls, robust segmentation and monitoring would have curbed attackers' ability to efficiently harvest or misuse stolen data within business-critical cloud environments.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts would be raised on anomalous or suspicious egress to unknown phishing infrastructure.
Control: Zero Trust Segmentation
Mitigation: Lateral movement or unauthorized use of stolen data is constrained by least-privilege network policies.
Control: East-West Traffic Security
Mitigation: Unusual internal access attempts are blocked or flagged for review.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unapproved or malicious domains can be prevented.
Control: Cloud Firewall (ACF)
Mitigation: Egress attempts to unknown destinations are detected and can be blocked.
Centralized observability facilitates quick detection and response to data misuse.
Impact at a Glance
Affected Business Functions
- Taxpayer Services
- Identity Verification
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of personal information including names, addresses, email addresses, phone numbers, and Social Security Numbers, leading to risks of identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Implement centralized, real-time threat detection and anomaly response to identify access to phishing sites and abnormal egress activity.
- Enforce Zero Trust segmentation to prevent unauthorized lateral movement and misuse of stolen credentials within cloud and hybrid environments.
- Apply strict egress security policies, including domain filtering, to prevent data exfiltration to attacker-controlled infrastructure.
- Enhance cloud firewall and inline inspection capabilities to monitor, alert, and block suspicious outbound traffic related to phishing campaigns.
- Increase security awareness training and reinforce user education on recognizing smishing and social engineering threats.
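The egress-filtering and phishing-site detection takeaways above, as an added example that is not part of the original brief: a Python check over constructed proxy log lines that allowlists the legitimate portal (assumed here to be tax.ny.gov) and flags requests to any non-allowlisted host that reuses the campaign's brand terms. The log lines and every hostname under .example are constructed for illustration.

```python
"""Egress allowlist check plus lookalike-domain detection for a phishing site
impersonating a government portal. Added example; log data is constructed."""
import re
from urllib.parse import urlsplit

# Assumption: the real portal lives under these domains; everything else is untrusted.
ALLOWED_SUFFIXES = ("tax.ny.gov", "ny.gov")
# Brand terms that lookalike hostnames in this campaign theme tend to reuse.
BRAND_TERMS = ("tax", "refund", "ny", "inflation", "nystate")

# Constructed proxy log lines: "<timestamp> <src_ip> <url> <status>".
SAMPLE_LOG = """\
2025-10-14T09:01:12Z 10.1.4.22 https://www.tax.ny.gov/pit/inflation-refund 200
2025-10-14T09:02:40Z 10.1.4.22 https://ny-tax-refund.example/claim?id=1 200
2025-10-14T09:03:05Z 10.1.7.9 https://docs.python.org/3/ 200
2025-10-14T09:04:51Z 10.1.7.9 https://inflationrefund-nystate.example/verify 302
2025-10-14T09:05:10Z 10.1.9.3 https://secure.tax.ny.gov.example/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def is_allowed(host: str) -> bool:
    """True only if host equals an allowed domain or is a real subdomain of it.
    The check is label-aware: 'secure.tax.ny.gov.example' is NOT allowed."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def looks_like_brand(host: str) -> bool:
    """Flag hosts that reuse two or more brand terms (caller excludes allowlisted ones)."""
    # Collapse separators so 'ny-tax-refund' and 'nytaxrefund' compare alike.
    flat = re.sub(r"[^a-z0-9]", "", host.lower())
    return sum(term in flat for term in BRAND_TERMS) >= 2

def scan_egress(log_text: str) -> list[dict]:
    """Return one alert per request to a non-allowlisted lookalike host."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, src, url, status = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if is_allowed(host) or not looks_like_brand(host):
            continue
        # Egress policy for this example: deny and alert on lookalike destinations.
        alerts.append({"time": ts, "src": src, "host": host, "action": "block"})
    return alerts
```

Running `scan_egress(SAMPLE_LOG)` yields three alerts: the hyphenated lookalike, the concatenated one, and the host that merely prefixes the real domain name to an unrelated registered domain.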