Full Report
An ongoing smishing campaign is targeting New Yorkers with text messages posing as the Department of Taxation and Finance, claiming to offer "Inflation Refunds" in an attempt to steal victims' personal and financial data. [...]
Analysis Summary
# Incident Report: New York Inflation Refund Smishing Campaign
## Executive Summary
An ongoing smishing campaign impersonates the New York Department of Taxation and Finance, falsely offering "Inflation Refunds" to trick New Yorkers into providing sensitive personal and financial data, including Social Security Numbers. The immediate impact is a high risk of identity theft and financial fraud for victims who follow the fraudulent links and submit their information. The state government and tax authority issued official warnings urging recipients to ignore the texts and report the scams.
## Incident Details
- Discovery Date: Prior to or around September 28, 2025 (based on official warning dates)
- Incident Date: Ongoing campaign circa October 2025
- Affected Organization: Residents of New York State targeted; NY Department of Taxation and Finance impersonated.
- Sector: Government Services / Finance
- Geography: New York, USA
## Timeline of Events
### Initial Access
- Date/Time: Ongoing campaign leading up to September 29, 2025 (the deadline mentioned in the text).
- Vector: Smishing (SMS Phishing) campaign using text messages.
- Details: Texts claimed the recipient's "Inflation Refund request has been processed and approved" and demanded submission of payment information by a false deadline (September 29, 2025).
### Lateral Movement
Not applicable to this type of fraud campaign: the goal is purely data exfiltration from the end-user device or submission form, not internal network compromise.
### Data Exfiltration/Impact
- Data Stolen: Name, physical address, email address, phone number, and Social Security Number (SSN).
- Impact: High risk of identity theft and financial fraud for victims.
### Detection & Response
- Detection: BleepingComputer observed the campaign, and Governor Kathy Hochul's office issued an official warning on September 28, 2025.
- Response Actions: The Governor's office and the NY Department of Taxation and Finance publicly warned residents that they do not need to apply for the refund and that the Tax Department never contacts citizens via text or phone regarding these matters.
## Attack Methodology
- Initial Access: Smishing via SMS targeting state residents.
- Persistence: N/A (Single-session phishing).
- Privilege Escalation: N/A
- Defense Evasion: Impersonating a legitimate state government initiative ("Inflation Refund Initiative").
- Credential Access: Collecting SSN and other personal identifiers directly via a fraudulent web form.
- Discovery: N/A (Campaign targeted broad residency).
- Lateral Movement: N/A
- Collection: Harvesting PII (Personally Identifiable Information) including SSN.
- Exfiltration: Data harvested immediately upon submission through the fraudulent website.
- Impact: Financial fraud and identity theft.
## Impact Assessment
- Financial: Potential high costs for individuals due to identity theft; specific organizational costs not detailed.
- Data Breach: Sensitive PII, including SSNs, name, address, email, and phone number. Volume unknown, dependent on campaign reach.
- Operational: Minimal direct operational impact on government systems, but public trust may be affected, requiring public outreach.
- Reputational: Reflects negatively on the state's ability to protect residents from scams related to state benefits.
## Indicators of Compromise
- Network Indicators: Links directing users to fraudulent websites impersonating the NY Dept. of Taxation and Finance (URLs defanged).
- File Indicators: N/A (No malware delivered).
- Behavioral Indicators: Receiving unexpected text messages regarding state refunds requiring immediate action and submission of sensitive data online.
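
The behavioral indicators above can be turned into a first-pass triage rule for reported text messages. The following is an added example, not part of the original report or of any agency tooling: the trait names, regexes, verdict thresholds and all three sample messages are constructed assumptions for illustration.

```python
import re

# Traits taken from the lure as this report describes it. The regexes and the
# verdict logic are assumptions for illustration, not a vetted rule set.
TRAITS = {
    "refund_lure": re.compile(r"\binflation\s+refund\b", re.I),
    "tax_agency_named": re.compile(r"\b(department of taxation|tax department)\b", re.I),
    "asks_for_payment_info": re.compile(
        r"\b(payment|bank|account)\s+(information|info|details)\b", re.I),
    "deadline": re.compile(
        r"\b(deadline|by\s+(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)"
        r"[a-z]*\.?\s+\d{1,2})\b", re.I),
    "forfeiture_threat": re.compile(r"\bforfeit(ure|ed)?\b", re.I),
    # Matches live and defanged (hxxp) links alike.
    "contains_link": re.compile(r"\b(?:https?|hxxps?)://\S+|\bwww\.\S+", re.I),
}
PRESSURE = {"deadline", "forfeiture_threat", "asks_for_payment_info"}

def triage_sms(text):
    """Return (verdict, matched_traits) for one reported SMS body."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(text))
    topical = "refund_lure" in hits or "tax_agency_named" in hits
    if topical and "contains_link" in hits and PRESSURE & set(hits):
        # Refund/tax theme + link + urgency or data request: the full lure.
        return "likely_smishing", hits
    if topical:
        # Mentions the theme but lacks the link or the pressure: human review.
        return "review", hits
    return "no_match", hits

# Constructed samples. LURE is modelled on the wording quoted in this report,
# with a placeholder defanged URL; it is not a captured message.
LURE = ("New York Department of Taxation and Finance: Your Inflation Refund "
        "request has been processed and approved. Submit your payment "
        "information by September 29, 2025 at "
        "hxxps://refund-portal.example.invalid/ Failure to submit will "
        "result in permanent forfeiture.")
NEWS = ("News alert: the Tax Department says it never texts residents "
        "about the Inflation Refund.")
BENIGN = "Your pharmacy order is ready for pickup. Reply STOP to opt out."

if __name__ == "__main__":
    for label, msg in (("LURE", LURE), ("NEWS", NEWS), ("BENIGN", BENIGN)):
        print(label, *triage_sms(msg))
```

Keyword rules like this only rank reports for review; a legitimate warning about the scam (the NEWS sample) shares the theme words, which is why it lands in `review` rather than being dropped or flagged outright.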
## Response Actions
- Containment measures: Encouraging recipients to block the sender and delete the message.
- Eradication steps: Reporting the malicious domains/URLs (not specified in detail).
- Recovery actions: Advising potential victims to monitor financial accounts and report identity theft if data was submitted.
## Lessons Learned
- Legitimate government initiatives (like inflation refunds) give attackers reliable lures for social engineering attacks.
- Security awareness campaigns must be rapid and widespread when new monetary incentives are introduced by government bodies.
- Victims are often coerced by false deadlines ("Failure to submit... will result in permanent forfeiture").
## Recommendations
- Government agencies must proactively communicate that official channels (Tax Department/IRS) will **never** request personal data via unsolicited text messages or phone calls regarding refunds.
- Residents should be trained to treat any unsolicited communication requesting PII, regardless of the apparent benefit, with extreme skepticism.
- Residents should report all suspected phishing attempts directly to the relevant state tax department.