The Financial Industry Regulatory Authority (FINRA) recently notified members of a phishing operation in which fake emails that appear to be legitimate messages from the regulatory agency are sent to FINRA member firms. The emails are being sent from the domain “@gateway-finra.org,” which is not affiliated with FINRA. The scheme threatens penalties if the recipients do not click the “view request” link and submit the requested information.
FINRA is a government-authorized not-for-profit organization that oversees U.S. broker-dealers and is supervised by the U.S. Securities and Exchange Commission (SEC).
The FINRA alert recommends that any user who receives the email delete it and not click the “view request” link. Any individual who does click the link should immediately notify the appropriate unit in their firm.
The alert also advises that members review the FINRA Report on Cybersecurity Practices – 2018, which includes a number of suggestions to avoid falling prey to these kinds of attacks, including regularly training employees to recognize phishing attempts and implementing email scanning and filtering to monitor and block attempts, among other recommendations.
This alert is the latest notice FINRA has released notifying members of a phishing scam targeting brokerage firms. The last warning was in March 2021, and the one before that was posted in November 2020.
Phishing consists of unsolicited emails, text messages, and telephone calls that claim to come from a legitimate source and request personal or financial information or login credentials. According to the FBI’s Internet Crime Report, phishing was the most common type of cybercrime in 2020, with over 241,342 incidents reported.
Coretelligent offers a free toolkit that organizations can use as basic internal training for their employees. The toolkit includes examples of phishing emails, a PowerPoint deck for introductory training sessions, and pro tips to help employees spot phishing attempts.
Coretelligent’s CoreArmor cybersecurity solution also provides best-in-class phishing testing, comprehensive end-user cybersecurity training, and 24x7x365 intrusion detection monitoring and response, among other benefits.