The US Financial Industry Regulatory Authority (FINRA) has issued a warning to US financial firms after detecting an ongoing phishing campaign that impersonates the agency. The attackers’ emails ask victims to provide sensitive information under the threat of penalties.
FINRA is a non-profit organization that is supervised by the US Securities and Exchange Commission (SEC) and regulates publicly active securities firms and exchange markets, including over 600,000 securities brokers.
FINRA’s warning covers phishing emails sent from various domains that are made to look as if they belong to FINRA’s official services. The attackers are using at least 3 different domains in this campaign: finrar-reporting[.]org, finpro-finrar[.]org, and gateway2-finra[.]org. FINRA confirmed these domain names are not connected to the organization.
“The email asks the recipient to click a link to ‘view request’ and provide information to ‘complete’ that request, noting that ‘late submission may attract penalties’,” the regulatory notice reads.
The tactic works by creating urgency while asking victims to provide their email address in order to resolve the attackers’ demands.
“FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident,” the regulator advised. The firms are also urged to verify the authenticity of all emails before they are opened.
The domains used in these phishing attacks were registered on August 12, 2021, officials noted.
FINRA has asked the respective domain registrars to suspend the attackers’ Internet domain names due to the active phishing attacks conducted using them.
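For mail teams that want to screen inbound messages against this notice, the following added example (not code from FINRA or from the original article) classifies a From: header against the three domains listed above. It also goes beyond the listed indicators by flagging any other sender domain or display name that carries the brand string; the legitimate domain `finra.org` and all sample headers are assumptions made for the example.

```python
from email.utils import parseaddr

# Domains named in the FINRA notice, kept defanged as published.
REPORTED = ["finrar-reporting[.]org", "finpro-finrar[.]org", "gateway2-finra[.]org"]
LEGIT = "finra.org"   # assumption: FINRA's genuine domain (not stated in the article)
BRAND = "finra"

def refang(domain):
    """Turn a defanged indicator (example[.]org) back into a matchable domain."""
    return domain.replace("[.]", ".").lower()

BLOCKLIST = {refang(d) for d in REPORTED}

def under(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def classify(from_header):
    """Classify a From: header by how it relates to the FINRA brand."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if under(domain, LEGIT):
        return "legitimate"
    if any(under(domain, bad) for bad in BLOCKLIST):
        return "reported"            # exact indicator from the notice
    if BRAND in domain:
        return "lookalike"           # brand string inside a non-FINRA domain
    if BRAND in name.lower():
        return "display-name-only"   # brand appears only in the display name
    return "unrelated"

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    f"FINRA Requests <requests@{refang(REPORTED[2])}>",
    "no-reply@finra.org",
    "Compliance <notice@finra-portal.example>",
    "FINRA Compliance <notice@mail.example.net>",
    "Alice <alice@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):18} {header}")
```

A "legitimate" result only describes the header string, which a sender can forge, so it should be combined with the SPF, DKIM and DMARC results for the message.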
“For more information, firms should review the resources provided on FINRA’s Cybersecurity Topic Page, including the Phishing section of our Report on Cybersecurity Practices – 2018,” FINRA added.
FINRA has rarely issued alerts that inform consumers about phishing attacks stealing their information. But this year alone, it has published three such notices.
In June, the Financial Industry Regulatory Authority warned about a very similar campaign that threatened to impose penalties if recipients did not provide information in time.