EXECUTIVE SUMMARY:

Financial industry: Phishing threats

In the last 24 hours, the not-for-profit organization known as the Financial Industry Regulatory Authority (FINRA) reported fraudulent impersonation emails that ask members to share sensitive information or to otherwise face sanctions.

What is FINRA?

The FINRA organization works with 4,250 financial brokerage firms and exchange markets. The group retains 625,000 registered members, states FINRA’s website.

FINRA phishing

FINRA reports that the phisher or phishers are using three or more duplicitous domain names. These include:

• @finrar-reporting.org
• Finpro-finrar.org
• @gateway2finra.org

A phisher or phishers start these emails by requesting for the recipient to click on a link. Once clicked, the new page directs users to send information, “completing” the request. Scare-tactic language is also used on the page, as the phisher or phishers wish to convey a false sense of urgency.

Internet domain registrars have been asked to halt services for the phony domain names used in the phishing scheme. In June, FINRA reported a similarly structured, if less threatening, scheme devised by phisher threat actors.

It’s a trick, send no reply

Experts recommend that anyone who has accidentally clicked on malicious link within a phishing scam report the incident to appropriate local cyber security personnel. The domain names listed above are not affiliated with FINRA. Any employees who see emails containing the aforementioned addresses should avoid clicking. In addition, ‘it’s a trick, send no reply’ reflects a wise mentality to adopt when seeing suspicious email addresses and subject lines.

Phisher threat actor attacks increasing in cost

Phishing attacks not only result in panic and productivity declines. They also force organizations to chew through budgets in unexpected ways. In the past six years, phishing attacks have increased by nearly four-fold. In the US, large organizations lose as much as $14.8 million to phisher attacks or phishing-related clean-up expenses every year.

Phishing scams cost the average large organization in the US $14.8 million annually. Beware of phishers and phishing scams.

By comparison, in 2015, phishing schemes only cost organizations $3.8 million on average, according to a Ponemon Institute study. Therefore, over the course of six years, we have seen a significant escalation in phishing costs.

Phishing costs to watch

One of the most expensive phishing threats to contend with? Business Email Compromise (BEC). These types of attacks skyrocketed in 2020. Phishers deployed more sophisticated tactics than previously, many of which involved impersonation.

Further, phishing attacks can also result in ransomware events. In contending with ransomware, one portion of the expense involved relates to paying investigators and potentially, the hackers. The other portion of the expense comes from lost productivity and clean-up fees.

The table below provides a breakdown of costs associated with phishing schemes:

*Image: Ponemon Institute

Phishy emails by the numbers

According to the Ponemon Institute, the average US business entity of roughly 10,000 employees can lose as many as 63,343 hours of productivity due to a phishing attack. For each employee, as many as 7 hours each year may go to waste on account of externally-developed, phishing-related mischief.

Other key takeaways: Phisher threat actors and phishing

• BEC scams can cost organizations as much as $6 million annually.
• Among large organizations, ransomware attacks cost organizations $5.66 million annually.
• However, security awareness training can reduce phishing threats costs by more than 50 percent.
• If organizations ignore cyber security preparedness, BEC attacks can lead to losses over $150 million.

For more executive insights into phisher threat actors, common phishing attacks, and advanced tips for avoiding them read our latest whitepaper. In addition, check out recent phishing content here. Lastly, subscribe to our newsletter.