US brokers warned of ongoing phishing attacks impersonating FINRA

The US Financial Industry Regulatory Authority (FINRA) warns US brokerage firms and brokers of an ongoing phishing campaign impersonating FINRA officials and asking them to hand over sensitive information under the threat of penalties.

FINRA is a non-profit organization supervised by the Securities and Exchange Commission (SEC) and authorized by the US government to regulate all publicly active securities firms and exchange markets.

This independent, non-governmental securities regulator supervises over 600,000 brokers across the nation and keeps track of billions of market events every day.

Impersonated FINRA domain names used for phishing

In a notice issued on Friday, the US financial industry regulator said that the phishing messages are being sent from multiple domains impersonating FINRA official sites.

The attackers are using at least three different domains in this campaign (i.e., finrar-reporting[.]org, finpro-finrar[.]org, gateway2-finra[.]org).

“The email asks the recipient to click a link to ‘view request’ and provide information to ‘complete’ that request, noting that ‘late submission may attract penalties’,” the regulatory notice reads.

This tactic is designed to add urgency to the attackers’ demands, with the hope that the victims would answer their request before checking the emails’ legitimacy.

“FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident,” the regulator adds.

Brokerage firms and their employees are urged to verify the legitimacy of all suspicious emails before replying, opening attachments, or clicking on embedded links.

The domains used in these ongoing phishing attacks were registered on Thursday, August 12, using the services of the Hosting Concepts B.V. and NameCheap registrars.

Before issuing the alert, FINRA asked the Internet domain registrar to suspend services for the malicious domains due to their use in active phishing attacks.

According to the US financial market regulator, none of the domain names used to deliver phishing messages are connected to FINRA.

Organizations receiving phishing emails originating from these domain names are advised to delete them immediately.

“For more information, firms should review the resources provided on FINRA’s Cybersecurity Topic Page, including the Phishing section of our Report on Cybersecurity Practices – 2018,” FINRA added.

Similar phishing attack spotted in June

While the financial regulator rarely issues such regulatory notices, it has published three of them this year, all of them informing brokers of phishing attacks targeting their information.

In June, FINRA warned of a very similar campaign also threatening recipients with penalties following failure to submit the requested information in a timely fashion.

Another alert, issued in March, alerted US brokers of a phishing campaign using fake compliance audit alerts to harvest brokers’ information.

Last year, brokerage firms were warned of spear-phishing attacks that redirected targets to a fake registration form hosted on the finnra[.]org copycat site.