As of Tuesday afternoon, the New York City Automated Personnel System, Employee Self Service (known as NYCAPS/ESS) site was offering this brief message: “Due to scheduled maintenance, Internet ESS is temporarily unavailable. We apologize for the inconvenience this may cause.”
But the full story was more complicated.
Last month, the city’s cybersecurity team was made aware of a text message phishing campaign in which hackers tried to steal NYCAPS users’ personal information, a spokesperson for the Office of Technology & Innovation said in a statement.
Since then, the team has been conferring with the city’s payroll office and the Department of Citywide Administrative Services — which manages municipal buildings — “to implement enhancements to security measures,” which shut down access to the site, the technology office further said.
“City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity,” the statement added.
City Hall spokesperson Amaris Cockfield confirmed the site was taken down, but said it’s still accessible on the city’s intranet.
The head of the union representing emergency medical technicians and fire inspectors said his members discovered the mishap after looking up their paychecks last week.
“Nothing was working for anybody,” Oren Barzilay, president of Local 2507, said in an interview. “Living paycheck to paycheck, they like to know what bills they can pay this week.”
In addition to Barzilay, four city employees from different agencies told POLITICO they never got a warning from city officials about the site being down. After being contacted by POLITICO, the city sent an email to all employees Tuesday afternoon warning about the phishing scheme, but not mentioning that access to NYCAPS had been limited.
That action comes after the Department of Education — the city’s largest agency — sent an email to its employees on March 23, warning about a new “smishing” or SMS phishing campaign “targeting users of NYCAPS/ESS.”
Employees received text messages asking them to activate multi-factor authentication for the NYCAPS system, the Department of Education’s newly appointed Chief Information Officer Intekhab Shakil wrote in the email, which was obtained by POLITICO. But the texts were a scam, trying to get city employees to hand over their usernames, passwords and even a picture of their driver’s license.
The fake site used to trick people “is a phishing scam domain out of Lithuania,” Naveed Hasan, a technology consultant and member of the city’s Panel for Education Policy, posted on X, formerly Twitter, last week.
And Hasan said the city’s outdated NYCAPS website — the design of which looks like a relic from the 1990s internet — is partially to blame: “This (is) a user education issue to not fall prey to these scams, but the real site is antique & easily cloned.”