Phishing Awareness

Use of Email / Anti-Phishing Information

The New York State Office of Cannabis Management (Office) uses email to communicate services and announcements to license applicants, license holders, and other individuals. The Office may use email to provide information on changes in the cannabis law, cannabis regulations, public education campaigns, applications and licensure of cannabis businesses, and upcoming Cannabis Control Board and Cannabis Advisory Board meetings or other events.


How we use email to communicate with you
  • We only use your email address if you provide it to us. We do not purchase or acquire email addresses from third party sources, nor do we share email addresses with others.
  • We will use email to communicate with you after you provide us your email address when signing up for updates from the agency. You can also choose to customize our electronic communications with you by authorizing its use for a variety of purposes and services.
  • We will never initiate an email to you to inform you that your username or password needs to be reset. Many application forms are hosted in New York Business Express, and the Office does not manage the New York Business Express platform. The Office will never email you asking for your New York Business Express login information, and the Office will not send emails requesting you change or reset your NY.GOV ID username or password. Applicants can service their own New York Business Express account at


Office of Cannabis Management email addresses

Legitimate emails from the Office of Cannabis Management will be sent from an email address ending in "”. If you receive an email that appears to be from the Office, but it doesn’t feel right, then check the email address. Some scammers will use email addresses that look like the Office’s to try and trick people into revealing their personal information. 



The Office of Cannabis Management will send you email consistent with the services that you have requested. Links will only be provided that will bring you directly to content on our website, located at:

  •; or
  • or located on other governmental sites (local, state and federal).

When we provide links in an email, they may appear in two ways:

  • active links embedded behind text such as a link that says “click here
  • a complete URL (uniform resource locator) address, beginning with http://. Some email providers will convert this URL address into an active link in the email while others will require you to copy and paste the URL address into your browser.) 

To verify the destination of an active link, you should hover your mouse over it and review the address information displayed in the status bar located at the bottom of your browser page; it will display the Web address destination of the link. One common trick that scammers use is making misleading links. Even a link that appears to be a complete URL can take you somewhere else, like this example:

You should also note that links are provided only for your convenience; they need not be used. To utilize services available on the Office's website, you can always type into your browser and navigate to the services or information you require.



New York State residents should be wary of phishing (pronounced like “fishing”). Phishing is when someone attempts to trick you into providing personal information through an email or through a link to a fraudulent website. Phishing is a criminal activity. It uses various techniques to trick you into doing things or sharing information that you would not normally provide.

Phishing emails may appear to be from a trustworthy source. They are designed to trick the email recipient into sharing sensitive, private and confidential information. If you click a link in a phishing email may be directed to a fraudulent website that attempts to acquire personal or private information or possibly infect his/her computer with malicious software. To check the destination of a link, you can hover your mouse over it and review the address displayed in the status bar located at the bottom of your browser page.

Always be wary of suspicious email. Signs that an email may be a phishing attempt include:

  • the email contains obvious spelling errors. Phishers do this intentionally in order to avoid spam filters many Internet providers use.
  • links to the website contain all or part of a real entity's name, or Web address, but the link itself is not identical to that of the legitimate website (for example, “” instead of the correct URL: “”). Clicking on these links may take you to a different, possibly malicious website or create pop-up windows that ask you to provide, update, or confirm sensitive personal information. (Remember: you can always to check the true destination of an link by hovering your mouse over it and reviewing the address displayed in the status bar at the bottom of your browser page.)

Some phishing attempts will include misspellings or other errors that make the scam obvious, but other phishing attempts are very elaborate. It can be tough for even the most advance user to tell the difference between a real email and a convincing phishing email. Phishing detection may be enhanced by use of a Web browser that has a phishing filter. The latest versions of most browsers include phishing filters that can help detect phishing attempts.

For more information on phishing, please visit the website of the Department of State, Division of Consumer Protection (, or visit, the website of the Office of Information Technology Services, Phishing awareness page (