On October 6, 2020, FINRA issued a Regulatory Notice warning member firms of a widespread, ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA asking member firms to complete a survey.
The email, which appeared authentic, was sent from the domain “@regulation-finra.org”, with a local part consisting of “info” followed by a number, e.g., email@example.com. The regulator recommended that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.
The domain of “regulation-finra.org” is not connected to FINRA and firms should delete all emails originating from this domain name.
SEC registered investment advisers and exempt reporting advisers should take note, as FINRA manages and administers the Investment Adviser Registration Depository (“IARD”). Firms using this web-based interface will be familiar with receiving emails from the domain “@finra.org”. These include, but are not limited to:
FINRA has reminded firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links.
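As an added example that is not part of the FINRA notice or this post, the following Python triage routine applies that verification step to sender addresses: it parses each From: header and classifies the sender domain as the legitimate finra.org (or a subdomain of it), a lookalike that merely contains the brand name, or something else. The headers are constructed sample input, and "info42" is a placeholder for the "info" plus number pattern the notice describes.

```python
# Added example (not from the FINRA notice): classify sender domains in
# "From:" headers as legitimate finra.org, a finra lookalike, or other.
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "finra.org"
BRAND_TOKEN = "finra"

# Constructed sample headers. "info42" stands in for the notice's
# "info" + number local part; the notice's own example address is redacted.
SAMPLE_FROM_HEADERS = [
    "FINRA Registration <info42@regulation-finra.org>",  # campaign domain
    "IARD Notifications <iard@finra.org>",               # legitimate
    "Alerts <alerts@mail.finra.org>",                    # legitimate subdomain
    "Support <help@finra.org.example.com>",              # legit domain as prefix only
    "Vendor <billing@example.net>",                      # unrelated
]


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_domain(domain: str) -> str:
    """'legitimate' only for finra.org itself or a true subdomain of it;
    'lookalike' for any other domain containing the brand token; else 'other'."""
    if domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN):
        return "legitimate"
    # Matching on the suffix above means "finra.org.example.com" lands here.
    if BRAND_TOKEN in domain:
        return "lookalike"
    return "other"


def triage(from_headers):
    """Map each header to (domain, verdict); lookalikes are the ones to quarantine."""
    results = []
    for header in from_headers:
        domain = sender_domain(header)
        results.append((domain, classify_domain(domain)))
    return results


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {domain}")
```

Any "lookalike" verdict is a candidate for quarantine and a reminder to confirm the message through a known-good channel before acting on it.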
The SEC has also issued guidance on cybersecurity and phishing for both registered investment advisers and investment companies.
In the regulator’s view, there are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following, to the extent they are relevant:
Routine testing of strategies could also enhance the effectiveness of any strategy.
This last point underscores that registered investment advisers, investment companies and FINRA-member firms should develop a communications strategy, for their staff as well as their clients and investors, that sets out how the firm communicates, what information it typically requests and in what manner, and how the firm does not communicate or request information.
According to Verizon’s 2020 Data Breach Investigations Report, 22% of breaches in 2019 involved phishing.