Cybersecurity Advisory – Social Engineering Attempts Impersonating FINRA

Impact: All Firms

As we approach the end of the first quarter of 2024, FINRA’s Cyber and Analytics Unit (CAU) proactively warns member firms of continuing social engineering campaigns involving fraudulent representations of individuals purporting to be FINRA representatives. As with many types of social engineering campaigns, threat actors may use website domain names (sites) that are similar to FINRA.org (e.g., Finra-latam.org, finra.world, finra.eu), fraudulently use FINRA’s logo or purport to be legitimate FINRA employees. These domains and individuals are not associated with FINRA. 

Threat actors may impersonate FINRA staff to request documents or filings from member firms, including annual reports and regulatory filings that are generally submitted to FINRA this time of year. Firm personnel should follow any internal procedures for reporting phishing emails to the appropriate stakeholders. When FINRA becomes aware of these fraudulent domains and individuals impersonating the organization, FINRA submits requests to suspend services for the impersonation sites, supporting our mission to enhance investor protection and market integrity. 

FINRA observed that many of the reported sites impersonating FINRA or FINRA staff leveraged end-to-end encrypted communication platforms to communicate with victims. FINRA staff will not request documents or information from member firms or investors via social media or off-channel communication platforms. FINRA staff also will not promise to assist in recovering losses or guarantee an investment return in exchange for a fee paid to FINRA in advance. 

FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any links. Given that more complex attacks, such as ransomware attacks, often begin with social engineering as an initial access point, the importance of training to increase employee awareness of this type of threat actor activity continues to be an important aspect of a comprehensive cybersecurity program

These social engineering campaigns may be reported to FINRA by contacting the firm’s Risk Monitoring Analyst or by filing a regulatory tip. When campaigns impersonating firms or associated persons are identified, firms may take the following steps to report incident(s): 

• Report the campaigns to state and local law enforcement and regulatory agencies. 
• Notify the Federal Bureau of Investigation (FBI) via the nearest FBI field office or by filing a complaint with the FBI Internet Crime Complaint Center (IC3.gov).
• Notify the Securities and Exchange Commission (SEC). 
• File a complaint with the hosting provider and domain name registrar to request the site be taken down.
• Warn investors of the impersonation scam via posts to the firm’s website or direct emails.  

Information related to impersonation scams that may be useful to firms and investors can be found on FINRA’s Cybersecurity Key Topics Page, including the following publications:

• Investor Insight Investor Alert: Social Media ‘Investment Group’ Imposter Scams on the Rise (January 11, 2024)
• Investor Insight Don’t Fall for 'Regulator' Imposter Ploys (August 4, 2022)
• Investor Insight Beware of Broker Imposter Scams (July 27, 2021)
• Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
• Information Notice – 4/29/19 (Imposter Websites Impacting Member Firms)

Questions related to this Alert or other cybersecurity topics can be emailed to the CAU.