FINRA Warns Members of Phishing Scheme
Fraudsters Are Using 3 Imposter FINRA Domain Names
Fraudulent emails portrayed as coming from the Financial Industry Regulatory Authority, a not-for-profit organization that oversees brokerage firms and exchange markets in the U.S., are asking member firms to provide information or face penalties, FINRA warns.
FINRA warns that the phishing campaign is using at least three imposter FINRA domain names - @finrar-reporting.org, @Finpro-finrar.org and @gateway2-finra.org. The phishing emails "ask the recipient to click a link to 'view request' and provide information to 'complete' that request, noting that 'late submission may attract penalties.'"
FINRA has asked the relevant internet domain registrars to suspend services for all three domain names used in the current phishing campaign.
The organization did not immediately reply to a request for more details, such as what information was requested in the phishing emails.
FINRA, a government-authorized not-for-profit organization, oversees about 4,250 brokerage firms and exchange markets and has nearly 625,000 registered members, according to the organization's website.
FINRA Targeted Previously
In June, FINRA warned about another phishing campaign purporting to be from "FINRA SUPPORT" and using the email address firstname.lastname@example.org.
That email asked the recipient to pay attention "to the report attached below that requires your immediate response" and stated that the attachment "contains our updated Public Policy information." The emails may not include an attachment, FINRA said.
Roger Grimes, data-driven defense evangelist at the security firm KnowBe4, says it's common for phishers to use look-alike domain names.
"DMARC has essentially killed phishers sending emails pretending to be from the real domain, finra.org. So, phishers have responded by more aggressively registering and sending emails (usually with DMARC enabled) from domains that simply contain the name of the legitimate brand being faked. This has happened for decades, but seems to have been accelerated and more aggressively abused since DMARC adoption shut down their faked use of the real domains," Grimes says.
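As an added illustration of the look-alike pattern the alert and Grimes describe (example code written for this page, not FINRA's or KnowBe4's), the following Python triages From: headers the way a mail gateway or SOC rule might: it treats finra.org as the only legitimate sender domain and flags any other domain that embeds the brand string. The three impostor domains are the ones named in the alert; the local parts, display names and the remaining sample senders are constructed.

```python
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple

# The regulator's real domain (its website domain, per the article).
LEGITIMATE_DOMAINS = {"finra.org"}
# Brand string that an impostor domain is likely to embed.
BRAND_TOKEN = "finra"

# Constructed sample From: headers. The three impostor domains come from the
# alert; everything else (local parts, display names, the last two senders)
# is invented for this example.
SAMPLE_HEADERS = [
    "FINRA Reporting <reporting@finrar-reporting.org>",
    "FinPro Desk <desk@Finpro-finrar.org>",
    "FINRA Gateway <noreply@gateway2-finra.org>",
    "FINRA <notify@finra.org>",
    "Broker Support <support@example-broker.com>",
]


def sender_domain(from_header: str) -> Optional[str]:
    """Return the lowercase domain of a From: header, or None if unparseable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify(domain: Optional[str]) -> str:
    """Label a sender domain as legitimate, lookalike, unrelated or unparseable."""
    if domain is None:
        return "unparseable"
    # Exact match or a subdomain of the real domain counts as legitimate.
    if domain in LEGITIMATE_DOMAINS or any(
        domain.endswith("." + real) for real in LEGITIMATE_DOMAINS
    ):
        return "legitimate"
    # Strip separators so padding such as "fin-ra" cannot hide the brand token.
    compact = re.sub(r"[^a-z0-9]", "", domain)
    if BRAND_TOKEN in compact:
        return "lookalike"
    return "unrelated"


def triage(headers: List[str]) -> List[Tuple[str, str]]:
    """Classify every header, returning (header, verdict) pairs."""
    return [(header, classify(sender_domain(header))) for header in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:<11} {header}")
```

A substring match like this is deliberately coarse: it is a first-pass filter for a quarantine or alert rule, and any third party that legitimately embeds the brand in its domain needs an allowlist entry. The authoritative check remains DMARC alignment on the real domain, which is exactly why, as Grimes notes, attackers have moved to registering domains that merely contain the brand name.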
Action to Take
The financial industry self-regulator recommends that anyone who clicked on any link or image in a fraudulent email immediately notify the appropriate security staff in their firm of the incident.
"None of these domain names are connected to FINRA, and firms should delete all emails originating from any of these domain names," the regulator says in its alert about the most recent phishing scheme. "FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding, opening any attachments or clicking on any embedded links."
Grimes states that Google, through its BIMI standard, is attempting to give users another way to visually identify whether an email really is coming from the organization mentioned in the message.
"I am not sure how well [the BIMI standard] will work unless there is a huge amount of user training involved, telling them to pay attention to the latest way to tell if an email is fake or not," he says. "Google's BIMI standard allows the real vendor to push their real brand logo on legitimate emails. Fake emails will not be able to push the real (or any) logo. That is great, but it only works if you train users to look for it."
Although the spoofed emails spell the names of the targeted registered FINRA members correctly, the email address and subject line contain misspellings, odd or awkward phrasing, or misused financial services terminology.
A sample email shared by FINRA shows that in this phishing campaign, the threat actors used FINRA staff email@example.com, which contains an additional 'r'.