On June 24, 2021, the Virginia State Corporation Commission’s Division of Securities and Retail Franchising (the Division) issued an alert to registered investment advisers of an ongoing phishing campaign whereby the attackers claim to be from the Division.
Like most phishing attempts, the email asks the reader to click on a link to view fictitious “IA fee changes.”
These emails resemble other recent attempts by cybercriminals to trick users into clicking links in fraudulent emails purporting to be from FINRA and sent from the domain “@gateway-finra.org.” Posing as a regulatory authority or another government agency, such as the Social Security Administration, is not a new tactic for cybercriminals. However, these campaigns can be effective because the emails are typically written to create a sense of urgency that pushes the reader to click.
The Division and FINRA want to remind advisers to “verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links.”
How do I know it is a phishing attempt?
The Division reminds users:
- The Division has not changed its fees.
- The link ending in .zip is not connected to the Division and advisers should delete such emails without opening them.
- Emails from the Division typically contain the Division’s letterhead and any links should end in “.gov.”
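The three indicators above (an unchanged fee schedule, a link ending in .zip, and official links that end in .gov) can be turned into an automated first-pass triage check for a mail gateway or help-desk queue. The following Python script is an added example, not code from the Division, FINRA or Fairview Cyber. The two sample messages are constructed for this example; the impersonation domain list contains only the domain named in this alert, and in practice you would maintain it from your own threat intelligence. The .gov and .zip heuristics are assumptions drawn from the Division's guidance and flag an email for human review, they do not prove it is malicious.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: mimics the campaign described in the alert (lookalike
# sender domain, urgent subject, link to a .zip file).
SUSPICIOUS_EMAIL = """\
From: "Division of Securities" <notices@gateway-finra.org>
To: adviser@example-firm.test
Subject: Important: IA fee changes

Please review the updated IA fee schedule immediately:
https://gateway-finra.org/notices/ia-fee-changes.zip
Official schedule: https://www.scc.virginia.gov/pages/Securities
"""

# Constructed sample of a message that shows none of the indicators.
CLEAN_EMAIL = """\
From: "Division of Securities" <notices@scc.virginia.gov>
To: adviser@example-firm.test
Subject: Annual renewal reminder

Renewal information is posted at https://www.scc.virginia.gov/pages/Securities
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Domains named in the alert as used by impersonators (assumption: maintained
# by your firm from regulator alerts and threat intel, not a complete list).
KNOWN_IMPERSONATION_DOMAINS = {"gateway-finra.org"}


def matches_known_domain(host):
    """True if host is, or is a subdomain of, a known impersonation domain."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_IMPERSONATION_DOMAINS)


def check_url(url):
    """Return the list of reasons a single link looks suspicious (empty = none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.path.lower().endswith(".zip"):
        reasons.append("link points to a .zip file")
    if not host.endswith(".gov"):
        reasons.append("link host %r is not a .gov domain" % host)
    if matches_known_domain(host):
        reasons.append("link host %r is a known impersonation domain" % host)
    return reasons


def body_text(msg):
    """Extract plain text from a parsed message (walks multipart bodies)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage_email(raw):
    """Screen one raw RFC 822 message against the alert's indicators.

    Returns a dict with the sender domain, per-link findings, message-level
    findings and a verdict of "suspicious" or "no indicators".
    """
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    match = re.search(r"@([\w.-]+)", sender)
    sender_domain = match.group(1).lower() if match else ""

    findings = []
    if sender_domain and not sender_domain.endswith(".gov"):
        findings.append("sender domain %r is not a .gov domain" % sender_domain)
    if matches_known_domain(sender_domain):
        findings.append("sender domain %r is a known impersonation domain" % sender_domain)

    links = {url: check_url(url) for url in URL_RE.findall(body_text(msg))}
    any_link_flagged = any(reasons for reasons in links.values())
    verdict = "suspicious" if findings or any_link_flagged else "no indicators"
    return {"sender_domain": sender_domain, "findings": findings, "links": links, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("suspicious sample", SUSPICIOUS_EMAIL), ("clean sample", CLEAN_EMAIL)):
        result = triage_email(raw)
        print(name, "->", result["verdict"])
        for reason in result["findings"]:
            print("  message:", reason)
        for url, reasons in result["links"].items():
            for reason in reasons:
                print("  link:", url, "-", reason)
```

A flagged message should go to the people named in the firm's incident response policy rather than being auto-deleted; the .gov check in particular will produce false positives for legitimate third-party links, so the script is a triage aid, not a verdict.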
What should I do if I see this email?
- Do not click any links. Clicking may load malware on your computer or have other consequences like data leakage, business email compromise, or ransomware.
- Do not forward the email, which may inadvertently spread the attack.
- Notify appropriate members of your firm that you received the email and encourage others to remain vigilant.
What if I have already clicked?
- Follow your firm’s incident response policy.
- Notify appropriate members of your firm and relevant authorities as needed.
- IT professionals should scan the user’s computer to identify any threats and follow incident response procedures accordingly.
WHAT DOES THIS MEAN FOR ME?
The biggest threat to your network is human error. Training employees to recognize phishing attempts and taking measures to ensure malicious emails never reach end users are two easy ways to secure your network. One wrong click could jeopardize your firm’s data security and reputation.
Because businesses in the financial industry may be more likely to be targeted by phishing, your firm should act now to prevent data compromise. Fairview Cyber can help your firm with essential cyber and data security services like phishing prevention training, network penetration testing, vendor due diligence, and more. Contact us today for more information about our services.