Fraud Management & Cybercrime , Fraud Risk Management , Social Engineering
FINRA Warns Members of Scams Using Spoofed Domain
Phishing Campaign Targets Organization's MembersThe Financial Industry Regulatory Authority, a private organization that helps self-regulate U.S. brokerage firms and exchange markets , is warning its members about phishing emails originating from websites that spoof its domain.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The malicious emails, which ask the recipient to fill out a survey, are signed by the "FINRA Regulation Department", FINRA reports in a notice.
"FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident," the notice states.
The exact goal of the phishing emails is not known, although FINRA has previously warned that fraudsters have used other techniques in recent months in an attempt to gather members' credentials and other personal information.
A FINRA spokesperson could not be immediately reached for comment.
FINRA, a government-authorized not-for-profit organization, oversees about 4,250 brokerage firms and exchange markets and has nearly 625,000 registered members, according to the organization's statistics for 2019. It has about 3,600 employees.
Phishing and Spoofed Domains
A sample phishing email published by FINRA shows a message that asks recipients to fill out a survey by Oct. 13. It states that the answers are needed for the organization to "update its conduct and supervisory rules.”
The phishing messages appear to be from a domain "@regulation-finra.org," preceded by "info" followed by a number, for example: "info5@regulation-finra.org."
FINRA says the domain is not associated with the organization, and members should delete all the emails sent from this domain. The internet domain registrar who works with FINRA has been asked to remove the spoofed domain.
"FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links," according to the notice.
James McQuiggan, security awareness advocate at KnowBe4, believes that the messages were designed to harvest credentials.
"The link took the end users to a form page to re-register their broker's license with FINRA," McQuiggan tells Information Security Media Group. "If the end user clicked the link without taking a moment to examine the link or verify through another means with FINRA, they would believe their broker's license expired and they needed to renew."
Previous Attempts
Over the past several months, FINRA has noted an uptick in fraudsters using the names of registered brokers, as well as the organization's employees, as lures for phishing and other schemes.
In May, the organization warned of phishing emails using the names of Bill Wollman and Josh Drobnyk, vice presidents of the organization, to trick members into inputting their usernames and passwords for a Microsoft Office or SharePoint account (see: FINRA Warns of Phishing Emails Targeting Members).
An alert sent in August by FINRA warned its members that fraudsters attempted to steer potential victims to certain spoofed sites to collect personally identifiable information, such as their names, mailing addresses and phone numbers (see: FINRA Warns of Spoofed Websites Impersonating Real Brokers).