New York City’s administration, under Mayor Eric Adams, took the city’s payroll website, NYCAPS/ESS, partially offline for nine days in response to a phishing scheme targeting city employees. The phishing attack, which involved fraudulent text messages attempting to steal personal information from NYCAPS users, prompted the city to limit access to essential payroll and tax-related forms as Tax Day approached. This move has affected roughly 300,000 full-time workers, leaving them with restricted access to the necessary resources to manage their financial records.
The site’s downtime was initially announced as “scheduled maintenance” on its portal, but further statements revealed that the shutdown was a direct response to enhance security measures following the cybersecurity threat. The city’s Office of Technology & Innovation, along with the payroll office and the Department of Citywide Administrative Services, have been working to implement these enhanced security protocols. Meanwhile, city employees were advised to stay vigilant and verify the legitimacy of any communications related to NYCAPS and payroll activities.
The phishing campaign, as reported, involved messages that misled employees to activate multi-factor authentication by providing their usernames, passwords, and personal identification such as driver’s license photos. This incident was part of a broader smishing (SMS phishing) effort that has been particularly deceptive due to the outdated design of the NYCAPS website, which has been noted to look antiquated and thus, easily mimicked by fraudulent sites.
City officials, including the Department of Education and technology advisors, have been actively issuing warnings about the phishing scheme. Despite the proactive measures and communications issued after the incident, some city employees expressed that they were not adequately warned about the website being down. The city has faced criticism for how it handled communication with its employees, highlighting the need for better alerts and information sharing in times of cyber threats.
