FINRA warns US brokers about recent phishing attacks

Phishing scam

FINRA, the Financial Industry Regulatory Authority of the United States, has issued a warning to all financial service providers in the country, stating that phishing emails have been sent to every company in FINRA’s name.

The emails demanded information as if FINRA were preparing an update to its conduct and supervisory rules. The deadline given for completing the survey was the 13th of October, meaning the firms had just one week to gather all of the information. Usually, in such cases, FINRA would issue a warning much earlier so that firms have sufficient time to prepare for the survey or any other type of information disclosure.

The phishing attack was well designed. The email was skilfully crafted and requested information that FINRA may actually request, and has the right to request, from firms. However, a clear discrepancy in the email address gave the scam away.

The email was sent from the domain regulation-finra.org, which could easily be mistaken for a real FINRA address. The other giveaway came before the domain: the scammers used the mailbox name info5, and a generic name with a numeric suffix like this is always a tell-tale sign of a fake email. There is still some concern, however, that several companies skipped the double-check and sent the information anyway.
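The two tells described above, the lookalike domain and the numbered generic mailbox, are easy to check automatically at the mail gateway. The following is an added example, not code from the original article or from FINRA: it parses a From: header, treats a small set of regulator domains as trusted (finra.org, sec.gov, cftc.gov and irs.gov are assumed legitimate here; the list is an assumption of the example, not one published by any regulator), and flags addresses that borrow a regulator's name inside an untrusted domain, spoof it in the display name, or use a numbered generic mailbox such as info5.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional

# Sender domains assumed legitimate for the regulators named in the article.
# This set is an assumption made for the example, not a list published by FINRA.
TRUSTED_DOMAINS = {"finra.org", "sec.gov", "cftc.gov", "irs.gov"}

# Brand names a lookalike domain or display name would try to borrow.
BRAND_TOKENS = ("finra", "sec", "cftc", "irs")

# Generic mailbox names that, with a numeric suffix (info5, admin2), are a common tell.
GENERIC_MAILBOXES = {"info", "admin", "support", "noreply", "no-reply", "alerts"}


def _labels(domain: str) -> List[str]:
    """Split a domain into its dot- and hyphen-separated labels."""
    return [p for p in domain.replace("-", ".").split(".") if p]


def is_trusted_domain(domain: str) -> bool:
    """True if the domain is, or is a subdomain of, a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def brand_in_domain(domain: str) -> Optional[str]:
    """Return the first brand token that appears in an untrusted domain.

    Long tokens (finra, cftc) are matched as substrings so 'myfinra.org' is caught;
    short ones (sec, irs) must match a whole label so 'secure.example' is not flagged.
    """
    labels = _labels(domain)
    for token in BRAND_TOKENS:
        if len(token) >= 4 and token in domain:
            return token
        if len(token) < 4 and token in labels:
            return token
    return None


def classify_sender(from_header: str) -> Dict[str, object]:
    """Classify a From: header value as 'trusted', 'suspicious' or 'unknown'."""
    display_name, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    reasons: List[str] = []

    if not domain:
        return {"address": address, "verdict": "unknown", "reasons": ["unparseable address"]}

    if is_trusted_domain(domain):
        return {"address": address, "verdict": "trusted", "reasons": []}

    token = brand_in_domain(domain)
    if token:
        reasons.append(f"lookalike domain: '{token}' inside untrusted domain {domain}")

    # A regulator's name in the display name with an untrusted domain is another tell.
    if display_name and any(t in display_name.lower() for t in BRAND_TOKENS if len(t) >= 4):
        reasons.append(f"display name '{display_name}' names a regulator but domain is {domain}")

    # Numbered generic mailboxes such as info5 rarely come from a real institution.
    stripped = local.rstrip("0123456789")
    if stripped != local and stripped in GENERIC_MAILBOXES:
        reasons.append(f"numbered generic mailbox: {local}")

    verdict = "suspicious" if reasons else "unknown"
    return {"address": address, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed header values, modelled on the address described in the article.
    for header in ("FINRA Surveys <info5@regulation-finra.org>",
                   "info@finra.org",
                   "alerts@secure-bank.example"):
        print(header, "->", classify_sender(header))
```

A verdict of "unknown" only means the domain is neither trusted nor a lookalike; it is the "trusted" outcome that should release a request for firm data, and anything else should go through the out-of-band confirmation the article recommends.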

All too common in finance

Phishing attacks are all too common in finance, especially in the United States, where the risk/reward ratio for these types of attacks is much higher than anywhere else. Furthermore, it may be a bit easier for scammers to pose as actual regulators, considering the number of such governing bodies. For example, a phishing scammer can send an email posing as FINRA, the SEC, the CFTC, or even the IRS. It’s quite dangerous considering how many different angles can be taken.

Who is the most vulnerable?

In terms of vulnerability, there is a very big difference between customer damage and company damage in phishing attacks. Naturally, the company will have to compensate all of its customers should something happen to their assets, but this compensation could take months if not years. The company may go bankrupt, but it needs to be noted that most people who have assets entrusted to it could lose everything as well.

The biggest issues that could be caused are for customers using automated software for their services, mostly the artificial-intelligence-based software designed to trade on the customers’ behalf.

This is particularly dangerous for currency traders, due to market volatility. Most automated robots for currency trading are designed to open and close dozens if not hundreds of trades during the day, as long as there is profit to be found. Interference from any type of third-party cyber attack on the company’s servers could cause a malfunction in the robot’s algorithm, making it take wrong decisions on almost every trade and taking away the traders’ leverage to demand compensation from the company.

It has happened before: a small attack on broker servers disrupted an algorithm’s sequence flow, causing massive losses to customers. When confronted with this, all the companies had to do was claim that traders didn’t take the necessary precautions, and that was enough to get them out of compensation liability.

This is one of the main reasons why brokers are now forced to disclose information about potential technical issues with robots to their customers, and to advise the activation of take-profit and stop-loss orders, so that things like this don’t happen again.

This particular attack

Naturally, you may be wondering why a phishing scam would want private information from service providers. It’s not as if they can do anything with revenue reports and KYC compliance records, right? Well, it turns out there may have been a completely different plan behind this. The phishing email contained several links to external pages, raising doubt as to what the hackers were actually after.

It’s obvious that most of them wanted some kind of access to the company systems, but not directly. When hackers gain access to a specific system, they usually don’t take action immediately, because security software is usually fast enough to detect unauthorized activity and report it to the company’s technicians. Instead, they gain access to the system and leave a backdoor that gives them unhindered access whenever they want. This type of change to the system’s code base is usually not reported by the software and needs to be found manually, which may take days, giving the hackers a window of opportunity.

That is why FINRA is now recommending that all the companies who received the email, regardless of whether they opened it or clicked a link, refer it to their technicians and conduct a complete check of their systems.
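The manual check the two paragraphs above describe, looking for unexpected changes to a system's code base after a possible compromise, is in practice a comparison against a known-good baseline. The following is an added example, not code from the original article, FINRA or any product: it hashes every file under a directory into a baseline, then reports files that were added, removed or modified since. The small code tree and the two later changes are constructed inside the example so that it runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """SHA-256 digest of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report paths added, removed or modified relative to the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a tiny code tree, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "main.py"), "w") as f:
            f.write("print('trading service')\n")
        with open(os.path.join(root, "app", "config.py"), "w") as f:
            f.write("ALLOWED_HOSTS = ['localhost']\n")
        baseline = build_baseline(root)

        # Two changes made after the baseline was recorded (constructed, not real events).
        with open(os.path.join(root, "app", "config.py"), "a") as f:
            f.write("# line that was not in the baseline\n")
        with open(os.path.join(root, "app", "helper.py"), "w") as f:
            f.write("# file that was not in the baseline\n")

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The value of the check depends on the baseline having been taken before the suspicious email arrived, and stored somewhere an intruder on the host cannot alter; a baseline recorded after the fact would simply enshrine whatever was already planted.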

It’s too optimistic to assume the hackers gained nothing from this email, so a double-check is still recommended.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.