Important: Beware of New Smishing Campaigns Targeting NYCPS Employees 

A new smishing (SMS phishing) campaign has been detected, targeting users of NYCAPS/ESS.

Smishing is a fraudulent activity where scammers use text messages to trick individuals into divulging sensitive information or clicking on malicious links. These messages often appear from legitimate sources, such as banks, government agencies, or trusted organizations.

The latest smishing campaign is particularly concerning as it attempts to deceive city employees to provide their username (employee ID), password, and driver’s license. The text message asks the user to activate multi-factor authentication (MFA) for the NYCPS Employee Self-Service portal before the next payday. Non-compliance could result in payment delays. Upon clicking the link, the fraudulent website asks for a copy of your driver’s license. This message is fraudulent. NYCPS will not text you to ask you to enable MFA or provide your driver's license.

The messages may claim to be urgent alerts regarding your account status, prize winnings, or other enticing offers. However, they are designed to steal your personal information or install malware on your device.

To protect yourself and your information, please remember the following:

• Be Skeptical: If you receive a text message requesting personal or financial information, especially if it seems urgent or too good to be true, proceed cautiously.

• Verify the Source: Double-check the sender's phone number and verify it with the purported sender's official contact information. Legitimate organizations will not ask for sensitive information via text message.

• Avoid Clicking Links: Do not click on any links or download attachments from unsolicited text messages, as they may lead to phishing websites or malware infections.

• Report Suspicious Messages: If you receive a suspicious text message, report it to your mobile carrier and delete it immediately.  

• Your security is a top priority, and DIIT actively monitors the situation to mitigate potential risks.  

If you have any concerns or questions regarding this smishing campaign or cybersecurity in general, please do not hesitate to contact DIIT through the SupportHub or call 718-935-5100.