MAH Advising on Phishing – Posing as FINRA with Email AlertsCrelano@mahadvising.com
MAH Advising on Phishing – Posing as FINRA with Email Alerts
The concerns with phishing grew recently, and some shared the warnings on social media, ensuring that everyone was aware of it. And it seems some financial advisors are one of the targets of these suspicious emails from FINRA that claim to be from the organization. In fact, they are so clever that they use the subject line FINRA Request and the domain even includes “finra.org”. This will make you curious and click the link, which could lead to phishing.
Don’t click any links in the email or call the phone number provided in the email if you receive a similar email. An email sent by this sender is part of a phishing email attempt. Please remove one of these emails from your inbox and be sure to inform your employees as well as instruct them not to click links and to delete such emails if they receive one.
Mah Advising will reach out to FINRA, which will notify us that they have been made aware of the phishing email and that steps are being taken to address it and stop it. According to FINRA, those who receive such emails should have the domain blocked. It is important to note that any FINRA matters, FINRA will never use @gateway-finra.org as its contact address and will only use @finra.org for communication.
We at MAH Advising, we recommend that you should discuss the following best practices with your information security staff and consultants should one of your staff members click a link part of a phishing attack.
- Set up your Plan for Conducting the Incident Response.
- Hire Cyber Security Experts.
- Gather the Clicker(s) for an Interview. Any clickers, as well as your cybersecurity expert, should be asked what they saw and whether anything odd or strange occurred after they interacted with the phish.
- Secure a Copy of the Email. Obtain the full headers of the phishing email from your cybersecurity expert, including the IP routing address that originated the message (this will be a compromised system).
- Mine the Web Using Threat Intelligence. Have your cybersecurity expert perform a sandbox testing and lookup on the URLs and attachments. Don’t click on the link of the malicious website – don’t copy and paste it on your browser.
- Internal Systems Must Be Thoroughly Searched. If you suspect traffic left your network for suspicious IPs or URLs, your cybersecurity expert will need to review firewall logs. In addition, your cybersecurity expert must review DNS and DHCP logs, and ensure that all logs are kept.
- Conduct Checking of Active Sessions. Check for active sessions among the affected users with your cybersecurity expert. You should check the status of your VPN and Citrix connections.
- Mail Server Logs Must Be Reviewed. The cybersecurity expert should log into your mail server to determine which users’ mails were received. Find messages using IDs, IP addresses, From, Subjects, and file attachments to your messages.
- Email Filters Must Be Adjusted. Look in the email for attributes you can filter for the firm’s accounts to prevent other users from falling victim to the same attack.
- Immediately Do a Password Change. When the firm’s supervised persons or clients click the wrong link or provide information in response to a phishing scam, passwords should be changed immediately for all accounts held by the relevant individual(s). Passwords should be unique, complex, long (15 characters), short, and non-dictionary.
- Passwords Must Be Unique. Do not allow the use of the same password across all systems, but do require the use of unique passwords.
- Choose a Lengthy Password. Passwords should be non-dictionary alpha-numeric/alphanumeric along with a minimum of 15 characters or digits (the longer the better). A weak password isn’t acceptable even if you utilize two-factor authentication.
- Issues with Passwords Practices. The password should not contain the word “password” or a derivative such as “passw@rd”. In your password, you should not use your birth date, address, or family members’ names. Refrain from using one simple word password like “monkey” or “football” for example. Passwords should not contain special characters (e.g., @, #, $) except at the beginning or the end. Common password patterns should be avoided.
- Reset Passwords on a Regular Basis. Upon expiration of 120 days, the password needs to be reset. Set calendar reminders if the system does not allow automatic resetting. Public computers are not recommended, and if a password has been entered on this type of computer, then it must be re-entered from a secure device or computer.
- Password Must Be Encrypted. Enforce the use of encrypted password managers and databases. (It is being reported that hackers may be able to hack into encrypted password managers.)
- Accessing Email from a New Device with Two-Factor Authentication. Access your email account from a new device or outside of the network by enabling two-factor authentication. Security experts recommend receiving 2nd factor by special authentication software (e.g., Google Authenticator, Authy, Microsoft Authenticator) rather than by text message because of the possibility that a mobile phone’s SIM might be compromised or the message intercepted. Keeping an eye on your accounts is very important. Clients should regularly review their brokerage, investment advisory, bank, and credit card accounts to make sure no suspicious activity is occurring. Alternatively, you could keep the fraud alert active for a while until you are absolutely sure you’re out of trouble.
It goes without saying that the above list does not exhaust every possible action. That’s just the beginning. A cybersecurity expert can advise you on how to respond if your computer has been compromised by a phishing email.
To learn more about MAH Advising‘s offer regarding the above best practices and techniques for the reader to start a discussion with their IT & information security staff or consultants, set up an appointment today.