FINRA is telling brokerages to be on guard for phishing emails supposedly sent from executives at the regulatory agency but likely coming from hackers looking to steal their data for nefarious purposes.
The broker-dealer industry's self-regulator issued a
The scam emails direct recipients to click on an attached letter and respond with requested information "at your earlier convenience." FINRA says in its cyber alert that it does not use the domain "data-finra.org" and that anything coming from such an address should be deleted immediately.
Scott Lamont, the managing director at the industry consulting firm F2 Strategy, said the email bears many of the classic marks of a phishing scam. Phishing refers to a type of cyberattack in which hackers impersonate legitimate companies and agencies in emails, texts and other messages in order to get recipients to hand over data that can be used for fraud or other nefarious purposes.
The attacks are often crippling to their victims. New York City, for instance, had to take part of its
Lamont said that the emails FINRA is raising red flags about remind him of similar messages the
Anxieties about agency scrutiny tend to run high in the heavily regulated world of financial services, Lamont said. He said one giveaway that the emails purporting to come from FINRA are fraudulent is their request that recipients respond by clicking on a link.
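The two tells the article singles out, a sender domain that only resembles the regulator's (the alert names "data-finra.org") and a request to open an attachment and click or respond, can be checked mechanically before a message reaches an inbox. The following triage script is an added example written for this page; it is not code from the article, FINRA, or any of the firms quoted. It assumes the regulator's genuine domain is "finra.org" (not stated on the page), and the two sample messages are constructed for the demo.

```python
"""Triage heuristics for mail that claims to come from a regulator.

Added example, not code from the original article or from FINRA.
Parses raw RFC 5322 messages, extracts the sender's domain, and flags
the traits the article names: a sender domain that merely imitates the
regulator's real one, an attached file, and a request to click/respond.
"""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"finra.org"}          # assumption: the regulator's real domain
KNOWN_BAD_DOMAINS = {"data-finra.org"}   # domain named in the FINRA alert

# "open/click ... attached/link/letter" style phrasing seen in the scam mail
CLICK_PHRASES = re.compile(
    r"\b(click|open|respond|reply)\b.*\b(attached|link|letter|convenience)\b",
    re.IGNORECASE | re.DOTALL,
)


def sender_domain(msg):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if `domain` is not trusted but embeds a trusted brand label,
    e.g. data-finra.org or finra.org.evil.test."""
    if domain in trusted:
        return False
    labels = re.split(r"[.\-]", domain)
    return any(t.split(".")[0] in labels for t in trusted)


def assess(raw):
    """Return the list of reasons a raw message was flagged (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    reasons = []
    if domain in KNOWN_BAD_DOMAINS:
        reasons.append("sender domain named in FINRA alert")
    elif is_lookalike(domain):
        reasons.append(f"sender domain {domain} imitates a trusted domain")
    # Any file attachment counts: the alert describes an attached "letter".
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("carries an attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if CLICK_PHRASES.search(text):
        reasons.append("asks the reader to click/respond")
    return reasons


# Constructed sample messages (not real mail; addresses use reserved names)
SUSPECT = """\
From: "FINRA Compliance" <compliance@data-finra.org>
To: ops@example-brokerage.test
Subject: Regulatory Inquiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please open the attached letter and respond with the requested
information at your earlier convenience.

--XYZ
Content-Type: application/pdf; name="letter.pdf"
Content-Disposition: attachment; filename="letter.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--XYZ--
"""

BENIGN = """\
From: Jane Doe <jane@example-brokerage.test>
To: ops@example-brokerage.test
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

Are we still on for noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, "->", assess(raw) or "no findings")
```

The lookalike check splits the domain on dots and hyphens and looks for the trusted brand label, so it catches "data-finra.org" and "finra.org.evil.test" alike while leaving the genuine domain alone; a mail gateway would typically quarantine anything that returns a non-empty list and route it to the reporting channel the article mentions rather than silently drop it.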
"The government doesn't just come out of the blue like this," Lamont said.
Cybersecurity has become a top priority for
One would give wealth managers 30 days to notify clients of any data breach that's likely to be "used in a manner that would result in substantial harm or inconvenience." The proposal cites FBI statistics showing a steep rise in cyberattacks. The law enforcement agency's Internet Crime Complaint Center received 847,376 complaints in 2021, a number up 181% from 2017.
Of the reports from 2021, 51,629 concerned identity theft, up 193% from 2017. And 51,829 were about personal data breaches, up 68%.
Lamont said phishing remains one of the hardest types of scams to guard against. No matter how good a firm's email filter might be, there is also a chance a fraudulent email will get through the net and an unwary employee will click on it.
"They have to open that door just a crack and then, from the inside, they can access all your data," Lamont said.
Tiffany Magri, the senior regulatory compliance advisor at the consultant Smarsh, agreed there is no foolproof way to eliminate risks from phishing attacks. The best means of reducing the chances of disastrous errors is to remind employees through regular training sessions that they should be extremely wary of clicking on anything in an email.
"You should be questioning your own thoughts and realizing, 'Nobody from FINRA is going to be directly emailing like me, especially if they are in the compliance or legal department,'" Magri said. "This is what you should be pointing out in your cybersecurity training."
Magri said one good way to check the bona fides of a suspect email is to reach out to the agency that supposedly sent it.
Brian Edelman, the CEO of the
CISA recommends firms that want real peace of mind consider going beyond that and giving their employees physical "security keys" — sometimes USB drives — that have to be inserted into a work computer before it can be opened.
Edelman said having any kind of multifactor authentication, or MFA, is better than having none.
But if you're dealing with a lot of private client data, he said, "You should consider advanced MFA."
Kris Lau, the managing director of the compliance consultant ACA's cybersecurity division ACA Aponix, said some hackers will steal data from a firm so they can impersonate it and use fake websites to elicit more private information from clients. Others will simply take it to the "dark web," or places online where illicit activities are conducted, to see what price it might fetch.
Besides training employees and adopting good cybersecurity systems, Lau said, the best way firms can combat phishing is to simply let authorities know when they've been the target of an attack. FINRA's cyber alert directs recipients of seemingly fraudulent email to the agency's
"Collectively, if we identify a bad domain and report it to a regulatory organization, we will help greatly cut down on the success rate of these," he said.