The proliferation of "website spoofing" has apparently spread into the FINRA member firm community, which prompted the publication of "Imposter Websites Impacting Member Firms" (FINRA Information Notice / April 29, 2019) http://www.finra.org/sites/default/files/notice_doc_file_ref/Information-Notice-042919.pdf As reported in part in FINRA's Information Notice:
[A]n imposter website typically is designed to mimic a
member firm's actual website to obtain existing or potential clients' personally
identifiable information (PII) or login credentials, which the website sponsors
subsequently use to engage in financial fraud. Malicious parties have been
targeting member firms regardless of whether those firms have an existing
online presence. In some cases, they have also created email domains and
accounts to correspond to the imposter websites. While this is not a new
attack strategy, FINRA has observed that the frequency of such attacks on
broker-dealers may be increasing.
As noted in the FINRA Information Notice, imposter websites are not new. For many years, spoof websites have appeared in forms that use a similar URL to one already used by the targeted site; for example, www.MerilLynch rather than www.MerrillLynch. Variants on that theme include the use of shadow or cloaked versions of the targeted site. For an excellent primer on the most popular forms of website spoofing and how to detect them, watch:
In attempting to offer its member firms some guidance on how to detect attempts to spoof their sites, the FINRA Information Notice offers the following actions that can be taken to deactivate the imposter sites [Ed: footnote omitted]:
Report the attack to local law enforcement, the nearest Federal Bureau of Investigation
(FBI) field office or the Bureau's Internet Crime Complaint Center, and the relevant
state's Attorney General via their websites or, if possible, a phone call.
Run a "WHOis" search (www.whois.net) on the site to determine the hosting provider
and domain name registrar associated with the imposter website (which may be the
same organization in some instances). In some cases, this site also provides relevant
Submit an abuse report to the hosting provider or the domain registrar asking them to
take down the imposter website. Keep the pressure on these providers with repeated
calls or emails, or, if necessary, seek the assistance of an attorney, cybersecurity
specialist or consultant.
Seek the assistance of a cybersecurity specialist attorney or consultant who deals
with this type of fraud as they may have some law enforcement or hosting provider
contacts or potential legal or other steps not outlined above.
Notify the U.S. Securities and Exchange Commission (SEC), FINRA or other securities
or financial regulators.
Consider posting an alert on your website and sending email notifications to warn
clients of the imposter website(s) and the associated URL(s). Report the attack to local law enforcement, the nearest Federal Bureau of Investigation (FBI) field office or the Bureau's Internet Crime Complaint Center, and the relevant
Bill Singer's Comment
First and foremost, compliments to FINRA for issuing a timely and useful notice. As the FINRA Information Notice warns, the frequency of website attacks targeting the FINRA member community appears on the upswing. I know from my own conversations with clients and colleagues that there is increased activity. Oddly, just before I authored this article, I attempted to log onto an industry consultant's website and found it had been hijacked to promote a pill mill.
The only critique I would offer FINRA is that it should have created an online video similar to the one that I used above and embedded that into the FINRA Information Notice. FINRA has a penchant for producing and posting a lot of crappy videos -- many of which are self-promotional and boring. Here was a perfect opportunity to produce a useful video about a pernicious threat to the industry. FINRA should better utilize its video capabilities to educate its members, their associated person, and industry customers.