Skip to content
Compliance & Risk

How investment advisers can identify and respond to email phishing campaigns

Jason Wallace  Senior Editor / Thomson Reuters Regulatory Intelligence

· 5 minute read

Jason Wallace  Senior Editor / Thomson Reuters Regulatory Intelligence

· 5 minute read

Phishing campaigns are plaguing investment advisers just as they implement their business continuity plans in response to the COVID-19 pandemic

Just as investment advisers had to prepare and activate their business continuity plans in response to the COVID-19 pandemic, advisers must also take steps to combat increasing cybersecurity threats.

Scammers continue to ramp up email phishing campaigns, even using counterfeit email addresses to impersonate the Financial Industry Regulatory Authority (FINRA). A successful phishing attack can cripple a firm’s ability to conduct business and leave a firm’s most confidential information defenseless.

Therefore, a plan that offers advisory representatives the tools to identify phishing emails and a strategy to investigate the incident — whether it was successful or not — is essential and can be utilized to better prepare for any ongoing threats.

Phishing scams

Phishing scams are ever-changing and are designed to infiltrate the computer network of the recipient and gain information that should be protected.

A firm’s email administrator or system may not always identify these types of emails, therefore firm associates must be able to recognize them before any action is taken. In many cases, once the sensitive information is given to the scammer, they will then have access and be able to use account numbers, passwords, usernames, and more to commit fraud. A successful phishing campaign can also use the information obtained from an adviser to ultimately reach out to its advisory clients with the hope of extending the phishing scam.

A phishing email can also insert a virus or malware code into the firm’s system, rendering it unusable. Often, the only way for the user to regain access may be with a ransom payment to the scammer.

FINRA alert

In early June, FINRA issued an alert to its member firms of an ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA and using the domain name “” The phishing email asks the recipient to click a link to “view request” and provide information to “complete” that request, noting that “late submission may attract penalties.”

FINRA requested the internet domain registrar to suspend the services of the domain that the scammer was using and suggested that anyone who clicked on any link or image in the email notify their firms immediately.


These kinds of email phishing scams are aimed at firms’ associates, presumably the weakest link in the defense against cyber-crime. Thus, the proper training of associates, whether frontline or internal, is key to defending against phishing email attacks.

Indeed, associates and employees at all levels should be made aware of the signs of a phishing scam, which may include:

      • An email that does not use the individual’s name — For example, if a bank or brokerage firm was notifying an individual of an issue, the firm would know and use the customer’s name;
      • A request to download software upgrades via email — This is especially important as many advisery employees are working from home or on a hybrid schedule and could be easily deceived into believing a software download could enhance the remote working An individual should always check directly with the firm before making any software upgrades or accessing downloads;
      • The sending email name does not match the sender — An employee must ensure the sender’s email in the header matches the display name;
      • An unsolicited or unexpected email that contains grammatical or spelling errors, unnecessary capitalization, and poor sentence structure — A firm individual must be weary of attachments or links in these emails as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware; and
      • An email with a link prompting the individual to open it before further information is released — An individual can always hover over the link to check the URL and see if it seems legitimate. However, it’s always best policy to open a new browser tab and manually search and access the link in a separate personal browser.

Response plan

If a phishing email is suspected, a firm should have a comprehensive plan to investigate the authenticity and any possible impact on the firm and its systems. However, the basis of a successful plan centers on ensuring that employees alert the compliance department immediately when a phishing email is suspected, a step that is best supported with proper ongoing employee training.

There are some steps a firm may consider taking to help manage the response and ultimately determine overall impact. These steps include:

      • obtaining a copy of the email with full headers and any original attachments;
      • attempting to determine who sent the email;
      • questioning individuals who may have been subject to the phishing email and gather details of the processes that were required by the scam. Firms may suggest individuals remotely wipe their computers, disconnect devices from the internet, reset passwords, and perform anti-virus scans;
      • taking further steps to adjust perimeter email filters in order to block similar messages; and
      • determining whether the intervention of a cybersecurity professional is required. An expert may be able to determine what data was stolen and whether the scammers were able to enter areas of the firms’ private network as well as which users received the message.

A cybersecurity firm may also be able to identify if clients were sent phishing emails that may appear to be from the adviser. If it is determined that clients have been affected by the attack or were subject to phishing emails, the adviser must take additional steps to promptly notify clients and regulators of the breach. Additionally, a cybersecurity expert may be able to see if the scammer is still in the system or has left an opening for future attacks.

More insights