As if administrators at financial services firms don't already have enough on their plate, between complying with requirements like SOX, GLBA, and the NYDFS Cybersecurity Regulation and living with the complications of remote work introduced by COVID-19, a new phishing campaign that targets financial firms and tries to extract credentials is making the rounds.
The phishing emails appear to come from the Financial Industry Regulatory Authority, or FINRA, the self-regulatory organization that, along with the Securities and Exchange Commission, regulates the financial industry.
FINRA warned about the phishing campaign in a regulatory notice provided to its firms on Monday, encouraging anyone who may have been tricked into divulging any of their credentials to reset them immediately.
The emails are deceptive, FINRA points out, because they come from a domain, broker-finra.org, that appears to belong to FINRA. Until recently, it did not. FINRA says it had the internet domain registrar in charge of the domain suspend the site's services; broker-finra.org now redirects to BrokerCheck, a site FINRA runs that allows reverse lookup of financial brokers.
The phishing emails could also have duped a user because they appear to come from legitimate FINRA officers, like Bill Wollman, FINRA's Executive Vice President, Head of Office of Financial and Operational Risk Policy, and Josh Drobnyk, FINRA's Senior Vice President, Corporate Communications.
According to FINRA's warning, some emails come with a malicious attachment. Other fraudsters wait until they've gained a user's trust, then send the attachment. Once opened, a malicious PDF file apparently asks the user to enter their Microsoft Office or SharePoint password.
"FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links," the authority wrote Monday, adding that firms should familiarize themselves with the hallmarks of phishing, via a 2018 cybersecurity report it issued or the cybersecurity section of its website, if they haven't already.
According to the authority, a sample phishing email looks like the following:
________________________________________________
Attachment A – Sample Phishing Email
Subject: Action Required: FINRA Broker Notice for Firm Name
Dear __,
I hope you are well and keeping safe.
I have been asked to send the attached document for [Firm Name] to you. They require immediate attention.
This is important and needs to be attended to before the end of this week.
Please let me know if you have any questions.
Kind regards,
Bill Wollman
Vice President, Head of Office of Financial and Operational Risk Policy
________________________________________________
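The lookalike domain and the spoofed officer name described above are the kind of signals a mail-filtering rule can catch before a user ever sees the attachment. The following is an added example, not FINRA's or the article's own code, of a small sender-domain triage check run over a few constructed messages (the first of which reuses the sample subject line above). It assumes that finra.org is the regulator's only legitimate sending domain; the `LEGIT_DOMAINS` allowlist, the sample headers, and the `classify` verdict names are all assumptions made for this example.

```python
"""Triage inbound mail whose sender domain impersonates a regulator.

Added example, not code from FINRA or the article. Assumes finra.org is
the only legitimate FINRA domain; adjust LEGIT_DOMAINS to your own records.
"""
from email.utils import parseaddr

# Assumption for this example: the regulator's legitimate sending domains.
LEGIT_DOMAINS = {"finra.org"}
BRAND = "finra"

# Constructed sample messages: (From header, Subject header).
SAMPLE_MESSAGES = [
    ("Bill Wollman <bill.wollman@broker-finra.org>",
     "Action Required: FINRA Broker Notice for Firm Name"),
    ("FINRA Notices <notices@finra.org>",
     "Regulatory Notice"),
    ("Josh Drobnyk <jdrobnyk@finra.org.example-mail.com>",
     "Action Required: FINRA Broker Notice"),
    ("Helpdesk <it@example.com>",
     "Password expiry"),
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of the From header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_legit_domain(domain: str) -> bool:
    """True only for an allowlisted domain or a real subdomain of one.

    The suffix check is anchored on a leading dot, so a domain such as
    finra.org.example-mail.com does not pass.
    """
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(from_header: str, subject: str) -> str:
    """Return 'ok', 'lookalike' or 'brand-in-subject' for one message."""
    domain = sender_domain(from_header)
    if is_legit_domain(domain):
        return "ok"
    if BRAND in domain:
        # Brand name embedded in an unrelated domain, e.g. broker-finra.org.
        return "lookalike"
    if BRAND in subject.lower():
        # Brand invoked in the subject from a domain that is not the brand's.
        return "brand-in-subject"
    return "ok"


def triage(messages):
    """Return (domain, verdict) pairs for a list of (From, Subject) tuples."""
    return [(sender_domain(f), classify(f, s)) for f, s in messages]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:17} {domain}")
```

In practice such a rule would sit beside SPF/DKIM/DMARC checks rather than replace them: a registered lookalike domain can pass all three, which is exactly why a brand-in-domain check on non-allowlisted senders is worth keeping as its own signal.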
While the SEC is an arm of the U.S. government (its creation was mandated by the Securities Act of 1933 and the Securities Exchange Act of 1934), FINRA's rules apply only to its members. The rules generally pertain to broker-dealer operations, how to handle transactions, investigations, sanctions, and supervisory responsibilities.
Save for a brief notice back in March on phishing scams that leverage COVID-19, this is the first phishing warning FINRA has issued since February 2019, when it warned of scams targeting member firms with emails purporting to come from a legitimate credit union. Those emails, FINRA said at the time, claimed to be notifying the firm about a money laundering incident involving a client. Once a user opened an attached document, malware "designed to obtain unauthorized access to the recipient's computer network" took over.