Cybersecurity Alert - Ongoing Phishing Campaign Impersonating FINRA Executives

IMPACT: All Firms 

This notification warns member firms of an ongoing phishing campaign that began on or around Oct. 9 that involves fraudulent emails purporting to be from FINRA executives, in some instances containing a PDF attachment. These emails are not from FINRA, and firms should delete them and consider blocking their domains.

These impersonated emails allege that FINRA executives are attempting to collect information from the member firm’s owner or CEO, and state the firm will be subject to a fine if the requested information is not provided using the attached PDF form. The emails state the request cannot be fulfilled by contacting FINRA by phone or via FINRA’s Firm Gateway. FINRA’s initial analysis of the PDF attachment is that, while it appears to be a blank document, it could possibly include malicious content. The empty PDF file is likely designed this way to encourage email interaction directly with the threat actor.

The known domains used by the threat actors impersonating FINRA executives in this campaign include: 

  • gateway-finra[.]com
  • gateways-finra[.]org

Based on FINRA’s assessment of past phishing campaigns, the threat actors will likely rotate to other FINRA lookalike domains to continue the phishing campaign.

The relevant indicators of compromise pertaining to the fraudulent PDF file attachment include:

  • File name: FINRA RFI Oct24.pdf
  • Hash: b7daae29f66e3cb4fabf5338a9c3b8e58f4abab5174745d64921687c562054e3

Sample text contained in the phishing email campaign:

Good morning, [Individual Name],

I wanted to reach out and introduce myself. My name is [FINRA Executive’s Name, Title, FINRA]. I have been assigned to your firm to collect information.

Please note that this isn't a compliance request, and we require the firm's owner or CEO to provide the required information in strictest confidence.

Kindly follow the instruction in the attached document to file the request within the next 48 hours to avoid the penalty of paying a fine.

N.B: This request can only be completed as directed in the request letter, it cannot be completed on the phone or through FINRA gateway. Kindly also note that I will not be reachable via phone call at this time as I am handling a number of other overdue requests.

Either way, please let me know if you have any questions, I would be more than happy to assist you. 

Thank you,
[FINRA Executive’s First Name]

[FINRA Executive’s Email Footer containing Name, Title, Address, Phone Number]

The email addresses, domains and PDF file are not connected to, or endorsed by FINRA, and firms should delete all emails originating from these domains, consider blocking the fraudulent domains at the firewall, as well as leveraging the hash and file name in network threat monitoring. 

Member firms should be aware that they may receive similar phishing emails from other domain names, or attempts in which the file name and hash of the email attachments may change, in addition to those identified in this Alert.

FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links. FINRA has requested that the internet domain registrars suspend services for the known malicious domains.

For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report phishing incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some questions may not be relevant due to certain firms’ business models, sizes, or practices. 

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) and/or Chief Risk Officer (CRO) contacts in FINRA Gateway.