US brokerage firms warned of ongoing phishing with penalty threats

Image: Chris Liverani

FINRA, the U.S. securities industry regulator, has warned brokerage firms of an ongoing phishing campaign threatening recipients with penalties unless they provide the information requested by the attackers.

FINRA (Financial Industry Regulatory Authority) is an independent, non-governmental securities regulator supervised by the U.S. Securities and Exchange Commission (SEC) that regulates all securities firms and exchange markets publicly active in the U.S.

The non-profit organization also supervises over 620,000 brokers across the U.S. and examines billions of market events daily.

Penalty threats used to bait victims

"FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA and using the domain name @gateway-finra.org," the market regulator said in a regulatory notice issued on Monday.

"FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident."

Attackers send fraudulent emails from name@gateway-finra.org requesting additional information from recipients to verify their firm name.

They also threaten their targets that late submission of the requested info would attract penalties, a tactic designed to add urgency, hoping that the victims would answer the request before checking the emails' legitimacy.

Penalty threats phishing email (FINRA)

The gateway-finra[.]org domain used in these ongoing phishing attacks was registered on June 7 using the Hosting Concepts B.V. domain registrar.

FINRA has asked the Internet domain registrar to suspend services for the domain due to its ongoing use in active phishing attacks before issuing the alert. However, the domain is still reachable, redirecting to the official FINRA website.

Since the domain is not connected with FINRA, member brokerage firms are advised to delete any emails received from this domain immediately.

"FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links," the regulator adds.

"For more information, firms should review the resources provided on FINRA's Cybersecurity Topic Page, including the Phishing section of our Report on Cybersecurity Practices - 2018."

Previous FINRA phishing alerts

While FINRA rarely issues such regulatory notices, the regulator has published four of them last year, with two of them informing of phishing attacks targeting brokers' information.

The most recent of them, issued in March, notified U.S. brokers of an ongoing phishing campaign using fake compliance audit alerts to steal information.

Another one, published in December 2020, warned brokers of similar phishing attempts using another domain (invest-finra[.]org) spoofing a legitimate FINRA site.

In October, the stock market regulator alerted member firms of widespread phishing attacks using surveys explicitly designed to harvest sensitive information from targeted brokers.

FINRA also warned of threat actors using a copycat site hosted at finnra[.]org with a fake registration form used in spear-phishing attacks directed at brokers.