
Cybersecurity Alert – Ongoing Phishing Campaign Impersonating FINRA Executives

IMPACT: All Firms

FINRA member firms should be aware of an ongoing phishing campaign involving threat actors targeting executive employees at broker-dealers and investment advisors with fraudulent emails purporting to be from FINRA executives. The campaign began on or around May 21, 2025. These emails are not from FINRA, and firms should delete them and consider blocking the indicators of compromise contained at the end of this alert.

Fraudulent Email Example

The primary domains used in this campaign include the following, the first of which may be visible in the from field or when hovering over the sender name:

  • membership-finra[.]org
  • memberships-finra[.]org

The following is an example of the text within the body of the phishing email:

For: [Recipient’s Name]

This email is to request an update to our current records of your firm's information with FINRA. 

As part of our adherence to regulation, we are refreshing these details to ensure continued accuracy and efficiency in our data maintenance. 

Kindly provide us with your most current information by completing the request template included with this email. Please ensure all relevant firm information is included.

Your prompt attention to this refresh will help us maintain seamless processing of our data.

If you have any questions, please reach out to me. 

Thank you, 
[FINRA Executive’s First Name] 

[Email Footer: FINRA Executive’s First Name] 
[FINRA Executive’s Title] 
FINRA 
1700 K Street, NW 
Washington, DC 20006

Recommended Actions

  • Immediately delete any emails from these domains or with similar content.
  • Block these domains at your email gateway and firewall:
    • membership-finra[.]org
    • memberships-finra[.]org
  • Alert your staff to watch for emails claiming to be from FINRA executives requesting firm information.
  • Verify all FINRA communications through official channels (e.g., confirming delivery from a FINRA email domain or contacting your firm’s Risk Monitoring Analyst) before responding.
  • Report any incidents where these emails may have been responded to or where information was provided to the sender.

Technical Details

The phishing emails claim that FINRA executives are collecting updated firm information by way of a request template. However, the phishing emails FINRA analyzed did not include any attachments; FINRA staff believe the threat actors included this language to elicit a reply from recipients.

FINRA analyzed a sample of the phishing emails and identified that the threat actors used different domains in the "From" and "Reply-To" fields:

  • From: membership-finra[.]org
  • Reply-To: memberships-finra[.]org (may not be readily viewable unless examining full email headers)

Both domains use several mail servers at Google and Microsoft, as well as a misconfigured Outlook domain, for the spearphishing campaign. The email headers revealed that the threat actor used an Amazon EC2 instance[1] to conduct the spearphishing campaign through Google's Gmail API[2] ('gmailapi.google.com'), likely to automate sending bulk emails.

A review of the sample emails supports the bulk email campaign theory, since all emails used the same text with different variables in the following fields:

  • Recipient email address
  • Recipient name
  • Subject of emails
  • From email address
  • From name at the end of the email body
  • From name in the email signature block

This behavior suggests the threat actors leveraged lists to programmatically rotate the variable fields.

The threat actor created a rudimentary decoy webpage for membership-finra[.]org that appeared to be in the initial stages of development. The site contained misconfigured and outdated Google Universal Analytics cookies or tags, which Google deprecated in 2024.[3]

The phishing emails and indicators of compromise are not connected to or endorsed by FINRA. Firms should delete all emails originating from these domains and consider blocking the indicators of compromise at the firewall.

Member firms should be aware that they may receive similar phishing emails from domain names other than those identified in this Alert, as the threat actors may rotate domains or associated infrastructure.

FINRA reminds firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links.

FINRA is working with the appropriate providers and has reported the event.

Indicators of Compromise

Indicators to Block

  Indicator                                                      Note
  -------------------------------------------------------------  ----------------------------------------------------------
  membership-finra[.]org                                         Imposter domain used in From email address
  _gat_gtag_UA_26575989_44                                       Google Analytics tag
  memberships-finra[.]org                                        Imposter Reply-To domain
  membershipsfinra-org02i[.]mail[.]protection[.]outlook[.]com    MX domain associated with MX record for memberships domain

Indicators Observed On Shared Hosting, Observed 05/20/2025, Shared For Situational Awareness

  Indicator                                                      Note
  -------------------------------------------------------------  ----------------------------------------------------------
  108[.]177[.]96[.]26                                            Mail server at Google on ASN 15169 on membership site
  108[.]177[.]96[.]27                                            Mail server at Google on ASN 15169 on membership site
  108[.]177[.]119[.]27                                           Mail server at Google on ASN 15169 on membership site
  173[.]194[.]69[.]26                                            Mail server at Google on ASN 15169 on membership site
  173[.]194[.]79[.]27                                            Mail server at Google on ASN 15169 on membership site
  2a00[:]1450[:]400c[:]c00[::]1a                                 Mail server at Google on ASN 15169 on membership site
  2a00[:]1450[:]400c[:]c07[::]1b                                 Mail server at Google on ASN 15169 on membership site
  2a00[:]1450[:]400c[:]c0c[::]1a                                 Mail server at Google on ASN 15169 on membership site
  2a00[:]1450[:]400c[:]c0c[::]1b                                 Mail server at Google on ASN 15169 on membership site
  52[.]101[.]11[.]3                                              Mail server at Microsoft on ASN 8075 on memberships site
  52[.]101[.]41[.]6                                              Mail server at Microsoft on ASN 8075 on memberships site
  52[.]101[.]41[.]22                                             Mail server at Microsoft on ASN 8075 on memberships site
  52[.]101[.]42[.]14                                             Mail server at Microsoft on ASN 8075 on memberships site
  2a01[:]111[:]f403[:]c902[::]2                                  Mail server at Microsoft on ASN 8075 on memberships site
  2a01[:]111[:]f403[:]c946[::]5                                  Mail server at Microsoft on ASN 8075 on memberships site
  2a01[:]111[:]f403[:]f805[::]1                                  Mail server at Microsoft on ASN 8075 on memberships site
  2a01[:]111[:]f403[:]f902[::]1                                  Mail server at Microsoft on ASN 8075 on memberships site
  3[.]93[.]139[.]220                                             Imposter sender IP
  ec2-3-93-139-220[.]compute-1[.]amazonaws[.]com                 Imposter EC2 instance
  2607[:]f8b0[:]4864[:]20[::]1130                                Google sender IP
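The indicators above are published defanged (with `[.]` and `[:]`), so they have to be restored and sorted by type before a gateway or firewall can consume them. The script below is an added example for this page, not FINRA tooling: it refangs a constructed list drawn from the indicators above, separates domains from IPv4 and IPv6 addresses, matches an observed sender domain or IP against the list (including subdomains of a blocked domain), and renders the result in Postfix access(5) map syntax as one illustrative gateway format. Operators should apply the situational-awareness entries with care, since the alert notes that the Google and Microsoft mail-server addresses are shared hosting.

```python
import ipaddress

# Indicators from the alert, copied in defanged form into a constructed list for this example.
DEFANGED_IOCS = [
    "membership-finra[.]org",
    "memberships-finra[.]org",
    "membershipsfinra-org02i[.]mail[.]protection[.]outlook[.]com",
    "3[.]93[.]139[.]220",
    "ec2-3-93-139-220[.]compute-1[.]amazonaws[.]com",
    "2607[:]f8b0[:]4864[:]20[::]1130",
    "2a01[:]111[:]f403[:]c902[::]2",
]


def refang(indicator: str) -> str:
    """Undo the [.] / [:] / [::] defanging so the value can be loaded into a blocklist."""
    # Order matters: "[::]" must be restored before the single "[:]" replacement.
    return indicator.replace("[::]", "::").replace("[:]", ":").replace("[.]", ".")


def classify(value: str):
    """Return (kind, normalized) where kind is 'ipv4', 'ipv6' or 'domain'."""
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)  # str() gives the canonical form
    except ValueError:
        return "domain", value.lower().rstrip(".")


def build_blocklist(defanged):
    """Refang and bucket each indicator by type."""
    blocklist = {"ipv4": set(), "ipv6": set(), "domain": set()}
    for item in defanged:
        kind, value = classify(refang(item.strip()))
        blocklist[kind].add(value)
    return blocklist


def matches(blocklist, observed: str) -> bool:
    """True if an observed sender IP or domain (or any subdomain of a blocked domain) is listed."""
    kind, value = classify(observed.strip())
    if kind != "domain":
        return value in blocklist[kind]
    labels = value.split(".")
    # Walk the suffixes so mail.memberships-finra.org matches memberships-finra.org.
    return any(".".join(labels[i:]) in blocklist["domain"] for i in range(len(labels)))


def postfix_access_lines(blocklist):
    """Render the blocklist as Postfix access(5) map entries (one illustrative gateway format)."""
    lines = [f"{d} REJECT" for d in sorted(blocklist["domain"])]
    lines += [f"{ip} REJECT" for ip in sorted(blocklist["ipv4"] | blocklist["ipv6"])]
    return lines


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    print("\n".join(postfix_access_lines(bl)))
    for observed in ("mail.memberships-finra.org", "3.93.139.220", "finra.org"):
        print(observed, "BLOCKED" if matches(bl, observed) else "allowed")
```

Domain entries are matched by suffix because a sender access map keyed on the registered domain also covers hosts beneath it; IP entries are compared in canonical form so that differently written IPv6 addresses still match.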

For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). In addition, the FBI and CISA urge you to promptly report phishing incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some questions may not be relevant due to certain firms’ business models, sizes, or practices.


[1] An Amazon Elastic Compute Cloud (EC2) instance is a virtual server that offers cloud computing, networking, and storage for a variety of use cases.

[2] An Application Programming Interface (API) is a system access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.