CYBERSECURITY

Alerts and Identified Risks

(NEW) FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names

FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails (see sample in Appendix) purporting to be from FINRA and using one of at least three imposter FINRA domain names:

  • “@finrar-reporting.org”
  • “@Finpro-finrar.org”
  • “@gateway2-finra.org”

The email asks the recipient to click a link to “view request” and provide information to “complete” that request, noting that “late submission may attract penalties.”

FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.

FINRA Regulatory Notice 21-30 (August 13, 2021): FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names

(NEW) FINRA Alerts Firms to Phishing Email from “FINRA Support” from the Domain Name “westour.org”

FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails purporting to be from “FINRA SUPPORT” with the email address “support@westour.org”. The email asks the recipient to pay attention “to the report attached below that requires your immediate response” and states that “[t]he attachment contains our updated Public Policy information.” The emails may not include an attachment.

FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.

The domain “westour.org” is not connected to FINRA, and firms should delete all emails originating from this domain name.

FINRA Regulatory Notice 21-22 (June 23, 2021): FINRA Alerts Firms to Phishing Email From “FINRA Support” From the Domain Name “westour.org”

(NEW) FINRA Alerts Firms to Phishing Email Using “gateway-finra.org” Domain Name

FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails (see sample in Appendix) purporting to be from FINRA and using the domain name “@gateway-finra.org.” The email asks the recipient to click a link to “view request” and provide information to “complete” that request, noting that “late submission may attract penalties.”

FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.

The domain “gateway-finra.org” is not connected to FINRA, and firms should delete all emails originating from this domain name.

FINRA Regulatory Notice 21-20 (June 7, 2021): FINRA Alerts Firms to Phishing Email Using “gateway-finra.org” Domain Name


FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts

FINRA has received an increasing number of reports regarding customer account takeover (ATO) incidents, which involve bad actors using compromised customer information, such as login credentials (i.e., username and password), to gain unauthorized entry to customers’ online brokerage accounts. To help firms prevent, detect and respond to such attacks, FINRA recently organized roundtable discussions with representatives from 20 firms of various sizes and business models to discuss their approaches to mitigating the risks from ATO attacks. This Notice outlines the recent increase in ATO incidents; reiterates firms’ regulatory obligations to protect customer information; and discusses common challenges firms identified in safeguarding customer accounts against ATO attacks, as well as practices they find effective in mitigating risks from ATOs—including recent innovations—which firms may consider for their cybersecurity programs.

FINRA Regulatory Notice 21-18 (May 12, 2021): FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts


Heightened Threat of Fraud

FINRA warns member firms that, over the past two months, it has observed a sharp increase in new customers opening online brokerage accounts and engaging in Automated Clearing House (ACH) “instant funds” abuse to effect securities trading. FINRA has previously warned firms about trends in losses from schemes involving electronic funds transfers, such as those involving outbound wire transfers and ATM withdrawals.

FINRA Regulatory Notice 21-14 (March 25, 2021): FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse


Phishing Email Purporting to be from FINRA

FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails (see sample in Appendix) purporting to be from “FINRA Membership” and using the email address “supports@finra-online.com”. The email asks the recipient to respond to an issue of “regulatory non-compliance for which your immediate response is required” and then asks the recipient to click on a link or document.

FINRA Regulatory Notice 21-08 (March 4, 2021): FINRA Alerts Firms to Phishing Email Using “finra-online.com” Domain Name


Learn more about recent examples of phishing scams by clicking the links below:

FINRA Regulatory Notice 20-40 (November 30, 2020): FINRA Alerts Firms to Phishing Email Using Invest-FINRA.org Domain Name

FINRA Regulatory Notice 20-35 (October 6, 2020): FINRA Alerts Firms to Phishing Email Requesting Them to Respond to a Fraudulent FINRA Survey

FINRA Regulatory Notice 20-12 (May 4, 2020): FINRA Warns of Fraudulent Phishing Emails Purporting To Be From FINRA


Division of Examinations Risk Alert

This Risk Alert highlights “credential stuffing,” a method of cyber-attack against client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information. The Division of Examinations (formerly known as the Office of Compliance Inspections and Examinations (“OCIE”)) has observed in recent examinations an increase in the number of cyber-attacks against SEC-registered investment advisers and broker-dealers using credential stuffing.

SEC Office of Compliance Inspections and Examinations Risk Alert (September 15, 2020): Cybersecurity: Safeguarding Client Accounts Against Credential Compromise


Imposter Registered Representative Websites

Several firms have recently informed FINRA that malicious actors are using registered representatives’ names and other information to establish websites (“imposter websites”) that appear to be the representatives’ personal sites and are also calling and directing potential customers to use these imposter websites. Imposters may be using these sites to collect personal information from the potential customers with the likely end goal of committing financial fraud. This Notice describes certain common characteristics of these sites and actions firms and registered representatives can take to monitor for and address these sites.

FINRA Regulatory Notice 20-30 (August 20, 2020): Imposter Registered Representative Websites: Fraudsters Using Registered Representatives’ Names to Establish Imposter Websites


FINRA Warns Firms of Regulator Impersonators

FINRA has received reports of member firms receiving telephone calls from persons claiming to work for FINRA in an attempt to deceive firms into revealing confidential information. FINRA is notifying firms that these individuals may be impersonators. Firms that receive telephone calls or emails purportedly from someone at FINRA requesting any type of information—confidential or otherwise—should use caution and verify the identity of the caller or sender before providing any information or responding to an email.

FINRA Information Notice (July 13, 2018): FINRA Warns Firms of Regulator Impersonators


Cybersecurity Alert: Cloud-Based Email

Several member firms recently notified FINRA that they have experienced email account takeovers (ATOs) while using cloud-based email platforms, including Microsoft Office 365 (O365). Attackers used the compromised email accounts to defraud member firms by submitting fraudulent wire requests or by stealing confidential firm information or non-public personally identifiable information (PII).

This Notice outlines the attackers’ tactics in executing ATOs, as well as steps taken by member firms to address ATO risks when using cloud-based email systems.

FINRA Information Notice (October 2, 2019): Cybersecurity Alert: Cloud Based Email Account Takeovers

General

Heightened Threat of Fraud and Scams

The COVID-19 pandemic is affecting most aspects of our society and daily lives, as well as the U.S. economy and markets. Events with such profound impact routinely create opportunities for financial fraud. Firms and their associated persons should be aware of and take appropriate measures to address the increased risks and challenges presented during the COVID-19 pandemic. In addition to new scams focusing on COVID-19, previous scams may also find new life as fraudsters adapt to and exploit recent events and related vulnerabilities, especially those related to the remote working environment.

FINRA is committed to providing guidance, updates and other information to help stakeholders stay informed about the latest developments relating to COVID-19, which can be found on FINRA’s COVID-19/Coronavirus Topic Page.

FINRA will also continue to inform the industry on emerging cybersecurity trends and related frauds, and reminds firms to review resources on FINRA’s Cybersecurity Topic Page, which provides information on how firms can strengthen their cybersecurity programs.

FINRA Regulatory Notice 20-13 (May 5, 2020): FINRA Reminds Firms To Beware Of Fraud During The Coronavirus (COVID-19) Pandemic

FINRA Information Notice (March 26, 2020): Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic


Resources

SEC Investor Bulletin

The SEC’s Office of Investor Education and Advocacy issued this Investor Bulletin to help investors protect their online investment accounts from fraud. As with all web-based accounts, investors should take precautions to help ensure that their online investment accounts remain secure. These online security tips can help.

SEC Investor Bulletin: Protecting Your Online Accounts from Fraud (April 26, 2017)


FINRA Cybersecurity Topic Page

Given the evolving nature, increasing frequency and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms and the markets – cybersecurity practices are a key focus for FINRA. Visit the link below for more information on related rules, notices, guidance, news and investor education.

FINRA Topic Page: Cybersecurity


FINRA Report on Cybersecurity Practices

This report continues FINRA’s efforts to share information that can help broker-dealer firms further develop their cybersecurity programs. Firms routinely identify cybersecurity as one of their primary operational risks. Similarly, FINRA continues to see problematic cybersecurity practices in its examination and risk monitoring program. This report presents FINRA’s observations regarding effective practices that firms have implemented to address selected cybersecurity risks while recognizing that there is no one-size-fits-all approach to cybersecurity.

FINRA Report on Cybersecurity Practices (December 2018)


A Small Entity Compliance Guide: Final Model Privacy Form Under the Gramm-Leach-Bliley Act

The model privacy form is designed to make it easier for consumers to understand how financial institutions collect and share their personal financial information and to compare different institutions’ information practices. For a guide to implementing these procedures, visit: https://www.sec.gov.