Cybersecurity Alert – Ongoing Phishing Campaign Impersonating FINRA Employees
Impact: All Firms
Member firms should be aware of an ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA employees, with the goal of tricking the recipient into opening an attachment—potentially exposing the firm to malware or stealing login information. These emails are not from FINRA, and firms should delete them and consider blocking the fraudulent domains from which they are being sent.
This Alert describes the campaign and includes recommendations to help firms identify the fraudulent emails and mitigate the threat.
Background
Beginning as early as Jan. 22, 2026, an email phishing campaign has been targeting broker-dealers. Fictitious FINRA employees are attempting to coerce recipients into opening an attachment to review “regulatory reporting requirements.” In some instances, member firms reported receiving emails with no attachment included. Regardless, member firms should use caution when opening attachments from unknown email domains and never open attachments from suspicious domains, as they can contain malware or be designed to steal login credentials or other information.
The campaign included an email from the domain “finra[.]org[.]cazepost[.]com” (brackets added to prevent accidental clicks) with the subject line “Document for Review” followed by the member firm name. The message asked the intended victim to open an attachment to review regulatory reporting requirements. The signature block contained FINRA’s name and its Washington, DC, address.
As a reminder, legitimate FINRA emails will only be sent from the “finra.org” domain. Member firms should delete the fraudulent emails and consider blocking the fraudulent domain (“finra[.]org[.]cazepost[.]com”).
New York Department of Financial Services’ (DFS) regulated entities also appear to have been targeted in a similar campaign. DFS has posted an alert to its website about that scam.
Recommendations to Protect Your Firm
To protect against this email phishing campaign, FINRA recommends member firms:
- alert technology staff to the following indicator of compromise:
  - finra[.]org[.]cazepost[.]com;
- delete emails originating from this fraudulent domain;
- consider blocking the fraudulent domain at the firewall;
- monitor network traffic for activity related to this domain; and
- remain vigilant for variations of this phishing campaign, including changes in:
  - sender name, subdomains and domains;
  - email content and subject lines;
  - file names and attachments; and
  - suspicious hyperlinks contained within emails.
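As an added illustration (not part of the FINRA Alert), the sketch below triages a message by its From header: it separates the genuine "finra.org" domain from the reported indicator and from variations that reuse "finra" in another domain or in the sender name. The verdict labels, the sample messages and the choice to accept subdomains of finra.org are assumptions made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "finra.org"  # the only legitimate sender domain named in the Alert
BRAND = "finra"        # brand string the campaign abuses
# Indicator from the Alert, kept defanged in source and refanged at run time.
IOC = "finra[.]org[.]cazepost[.]com".replace("[.]", ".")

def classify(raw_message: str) -> str:
    """Return a triage verdict for one message, based on its From header."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Assumption: subdomains of finra.org are accepted alongside the apex.
    if domain == TRUSTED or domain.endswith("." + TRUSTED):
        return "trusted"
    if domain == IOC or domain.endswith("." + IOC):
        return "known-ioc"
    # "finra" appears as a label, but the name is not under finra.org.
    if any(BRAND in label for label in domain.split(".")):
        return "lookalike-domain"
    # Sender-name variation: FINRA in the display name, unrelated domain.
    if BRAND in name.lower():
        return "display-name-spoof"
    return "other"

# Constructed sample messages (not real mail); names and firms are placeholders.
SAMPLES = {
    "ioc": f'From: "FINRA Review" <notice@{IOC}>\n'
           "Subject: Document for Review Example Firm LLC\n\nSee attachment.",
    "genuine": "From: Staff <someone@finra.org>\nSubject: Notice\n\nBody.",
    "variant": 'From: "Notices" <alerts@finra-org.example>\nSubject: Review\n\nBody.',
    "name": 'From: "FINRA Regulatory Reporting" <info@mail.example>\n'
            "Subject: Document for Review\n\nBody.",
    "unrelated": 'From: "Vendor News" <news@vendor.example>\nSubject: Hi\n\nBody.',
}

def triage(samples: dict) -> dict:
    """Classify every sample and return {sample key: verdict}."""
    return {key: classify(raw) for key, raw in samples.items()}

if __name__ == "__main__":
    for key, verdict in triage(SAMPLES).items():
        print(f"{key:10} {verdict}")
```

The From header can be forged, so a "trusted" verdict here is only meaningful alongside the mail gateway's SPF, DKIM and DMARC results.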
FINRA reminds firms to verify the legitimacy of suspicious emails before responding, opening, downloading or previewing any attachments, or clicking on embedded links. Firms can report phishing campaigns to FINRA by contacting their Risk Monitoring Analyst or by filing a regulatory tip.
FINRA has requested that the domain registrar and hosting provider suspend services for the known malicious domain.
Both the FBI and CISA urge you to promptly report phishing incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.