FINRA has alerted its Member Firms to be on the watch for a fraudulent phishing email scheme targeted at compliance personnel. A phishing scheme typically uses email or some other type of electronic message to trick the recipient into clicking a malicious link or infected file attachment by mimicking a message from a trustworthy party. This particular scheme employs an email purportedly originating from an Anti-Money Laundering compliance officer at an otherwise apparently legitimate Indiana-based credit union. The email—which was received recently by a number of FINRA Member Firms—specifically targets compliance personnel by appearing to be a communication regarding an attempted transfer of money by a client of the recipient’s firm to the credit union which has been placed on hold due to concerns about potential money laundering. The scam is designed to get the recipient to open an attachment, which, according to FINRA “likely contains a malicious virus or malware designed to obtain unauthorized access to the recipient’s computer network.”
FINRA noted the following additional aspects of the fraudulent email that recipients should be alert for:
- An otherwise legitimate reference to a provision of the USA Patriot Act allowing financial institutions to share information with each other.
- An actual email address that appears to be from Europe, rather than the U.S.-based credit union.
- Numerous instances of poor grammar and sentence structure.
This warning from FINRA reminds us of the advice that we give to clients on this topic, foremost of which is to NEVER click links in emails, or open attachments, prior to verifying the sender’s identity. Additionally, always pay attention to the true sender of the email. Phishing emails oftentimes attempt to “spoof” a familiar address. Always look to see that the email address domain matches the purported sender. For example, in the case noted by FINRA above, the true sender had a European-based domain, which plainly contradicted the sender’s alleged identity as an Indiana-based credit union employee.
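As an added illustration of the domain check described above (example code written for this page, not part of the original post), the following Python parses a From header, separates the purported sender named in the display name from the domain of the actual address, and flags the mismatch seen in the FINRA case. The sample headers, the organization names and the allowlist of verified domains are all constructed placeholders.

```python
import email.utils

# Constructed sample: the display name claims an AML officer at a U.S. credit union,
# while the real address sits on an unrelated European domain (both names are made up).
SAMPLE_FROM = ('"AML Compliance Officer - Example Federal Credit Union" '
               '<aml.officer@example-mailhost.eu>')

# Constructed allowlist: domains the firm has previously verified for each counterparty.
KNOWN_SENDER_DOMAINS = {
    "example federal credit union": {"examplefcu.org", "examplefcu.com"},
}

# Country-code TLDs that would contradict a claimed U.S.-based sender (illustrative subset).
EUROPEAN_CCTLDS = (".eu", ".de", ".fr", ".nl", ".ru", ".uk", ".it", ".es")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address that would actually receive replies."""
    _display, address = email.utils.parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def claimed_organization(from_header: str) -> str:
    """Extract the organization the display name claims, dropping a leading role/title."""
    display, _address = email.utils.parseaddr(from_header)
    return display.split(" - ", 1)[-1].strip().lower()


def check_sender(from_header: str) -> dict:
    """Compare the claimed organization against the verified domains for that organization."""
    domain = sender_domain(from_header)
    org = claimed_organization(from_header)
    known = KNOWN_SENDER_DOMAINS.get(org)
    findings = []
    if not domain:
        findings.append("no usable sender address in From header")
    elif known is None:
        findings.append(f"claimed organization '{org}' has no verified domains on file")
    elif domain not in known:
        findings.append(f"domain {domain} is not a verified domain for '{org}'")
    if domain.endswith(EUROPEAN_CCTLDS):
        findings.append(f"sender domain {domain} uses a European country TLD")
    return {"domain": domain, "claimed_org": org,
            "suspicious": bool(findings), "findings": findings}
```

A header that passes this check is still only a first screen: the display name and domain can both be forged, so verifying the sender out of band remains the rule.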
Unfortunately, phishing scams targeting or impersonating securities industry players are not uncommon. Recently, the SEC warned of an SEC-themed phishing campaign purportedly containing information about changes in EDGAR filings. That phishing scam likewise attempted to trick recipients into opening an attachment containing malicious code that would allow the scammer to obtain unauthorized access to the recipient’s computer and/or network.
Notably, the SEC has published a helpful guide on phishing, detection methods, and tips for protection entitled “Phishing” Fraud: How to Avoid Getting Fried by Phony Phishermen, which may be viewed on the SEC’s web site. That publication makes the point that the best way to protect against phishing scams is to understand what practices legitimate senders will and will not employ, noting, for example that “legitimate entities will not ask you to provide or verify sensitive information through a non-secure means, such as email.”
Parker MacIntyre strongly urges its investment advisory and brokerage clients to proactively provide training and education to all firm personnel in connection with phishing scams, and other aspects of cybersecurity. Indeed, such measures should be an integral part of a firm’s compliance policies and procedures. Further, as with any other aspect of compliance, we encourage firms to establish testing protocols in order to validate the effectiveness of these procedures. For example, there are third-party services that provide test phishing emails so that you can see how well your employees perform in scenarios created by you. This will help you to pinpoint who needs additional training, and, at a higher level, determine the extent to which further education is required by the firm.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including compliance with federal and state laws and rules. Please visit our website for more information.