On March 26, 2026, ACA became aware of an active phishing campaign targeting FINRA- and SEC-registered financial services firms and advisers. While the scope of the phishing campaign is not yet known, multiple ACA clients have reported receiving messages claiming to be from contacts at FINRA or the SEC.
All firms should be on high alert for suspicious or unexpected messages claiming to be from the regulators.
Phishing Email Examples
While there is some variation in the text of the emails, the messages have a few common elements, including:
- The sender’s email address includes an additional domain added after the appropriate “.gov” or “.org”. While these additional domains have varied, please note that legitimate messages from FINRA or the SEC will not include additional “.com” domains.
- The messages contain two “pretexting” asks that are being used to create trust in the message and legitimize the sender. These include:
  - The recipient is asked to reply and confirm their email address to enable future secure communications.
  - The recipient is asked to provide their availability for a Teams discussion with the SEC or FINRA. This likely indicates that the attacker can use AI to realistically impersonate a member of FINRA or SEC staff in the call.
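The sender-address pattern described above (a legitimate regulator domain followed by an extra, attacker-controlled domain) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from ACA or from the advisory: it parses a raw From header, works out which domain the sender actually controls, and flags the appended-domain pattern as well as display names that claim FINRA or the SEC while the address does not. The sample headers and the example.com / example.net / example.org domains are constructed for illustration; the only assumptions are that finra.org and sec.gov are the legitimate regulator domains (as the advisory states) and that their registrable part is the last two labels.

```python
import re
from email.utils import parseaddr

# Regulator domains the advisory names as the only legitimate senders.
REGULATOR_DOMAINS = ("finra.org", "sec.gov")

# Display-name keywords that claim a regulator identity. Word-bounded so that
# "SEC" does not match "Security" or "Secretary".
CLAIMS_REGULATOR = re.compile(
    r"\b(finra|sec|securities and exchange)\b", re.IGNORECASE
)


def registrable_domain(host: str) -> str:
    """Return the part of ``host`` the sender actually controls.

    Assumption: for the domains checked here (finra.org, sec.gov) the
    registrable domain is the last two labels. A public-suffix list would be
    needed to generalise this to hosts such as something.example.co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_sender(from_header: str) -> str:
    """Classify a raw From header into one of four verdicts.

    legitimate      - registrable domain is finra.org or sec.gov
    appended-domain - a regulator domain appears inside the host, but the
                      registrable domain is something else (the pattern the
                      advisory describes, e.g. finra.org.<attacker-domain>)
    name-mismatch   - display name claims FINRA/SEC, address does not
    other           - no regulator claim at all
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "other"
    host = addr.rsplit("@", 1)[1].lower().strip(".")
    labels = host.split(".")
    if registrable_domain(host) in REGULATOR_DOMAINS:
        return "legitimate"
    for domain in REGULATOR_DOMAINS:
        dl = domain.split(".")
        # Slide over every label position except the registrable one (already
        # ruled out above), so "finra.org.example.net" and
        # "mail.sec.gov.example.com" are both caught.
        for i in range(len(labels) - len(dl)):
            if labels[i:i + len(dl)] == dl:
                return "appended-domain"
    if CLAIMS_REGULATOR.search(name):
        return "name-mismatch"
    return "other"


def flag_suspicious(from_headers):
    """Return (header, verdict) pairs for every header worth escalating."""
    flagged = []
    for header in from_headers:
        verdict = classify_sender(header)
        if verdict in ("appended-domain", "name-mismatch"):
            flagged.append((header, verdict))
    return flagged


# Constructed sample From headers (not real messages). The example.* domains
# are reserved for documentation and stand in for whatever the attackers used.
SAMPLE_FROM_HEADERS = [
    "FINRA Member Relations <notices@finra.org>",
    "SEC Examinations <examiner@sec.gov.example.com>",
    "FINRA Regulatory Notice <support@finra.org.example.net>",
    "Securities and Exchange Commission <ops@example.org>",
    "Jane Doe <jane@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):16} {header}")
```

The registrable-domain check is the one that matters: a gateway rule that only looks for the substring "finra.org" anywhere in the address would pass the spoofed messages, whereas comparing the last two labels against the allow-list is exactly the check the advisory asks employees to do by eye. The display-name check is a secondary signal and is deliberately word-bounded to keep "Security Team" style senders from being flagged.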
Immediate Action Needed
Firms should ensure their employees are made aware of the threat as soon as possible and are ready to react appropriately.
If an employee receives an unexpected email matching the characteristics described above, they should:
- Not click any links in the email or open any attachments. Immediately escalate the issue to the firm’s IT team.
- Not respond or reply to the email.
- Be wary of unexpected meeting requests, and be aware of the risks of deep fakes or AI-powered impersonation on video calls.
- Confirm the validity of the email by contacting a trusted SEC representative using verified contact information. Do not use the details provided in the suspicious email. Instead, refer to the contact information listed on the SEC’s website or from another reliable source your firm already uses.
- Reach out to trusted cyber advisors to alert them of the issue and seek further guidance.
It is also important to educate employees about the dangers of phishing attempts, as well as the precautions to take. All employees should be reminded to:
- Never trust the “From” field in an email. Always check the email address itself and don’t rely on the sender’s name alone.
- Do not download attachments from an unsolicited source.
- Be cautious of alarmist email subject lines (e.g., “urgent”, “transfer”, “request”, etc.).
- Create bookmarks for frequently visited websites to avoid visiting fake websites.
- Contact your IT department when in doubt about unknown and suspicious emails or links.
- Validate email requests with callbacks to a contact you have on file or visit a legitimate website to find a callback number.
If your firm needs help navigating current cybersecurity risks, we’re here to help.
Explore Our Solutions
ACA Aponix® provides cybersecurity services to help organizations defend against cyber threats such as phishing, including:
- Employee security training to educate all staff on industry best practices, cyber trends, and emerging threats.
- Phishing testing to deploy a targeted email campaign to test employees’ ability to identify and handle phishing threats.
- Penetration testing and vulnerability assessments to identify network vulnerabilities that can help reduce the risk of a breach and associated financial, operational, and reputational losses.
Contact a cyber advisor for questions regarding this phishing campaign and to protect your firm today.