Ironic? Maybe. Embarrassing? Definitely!
FCA warns of domain used to phish other FCA-regulated firms… registered by an FCA-regulated firm
On the 28th May, Insurance Age reported that compliance business RWA wrote to its broker clients stating:
“It has been brought to our attention that several of our clients have received emails purportedly from the FCA asking them to complete a compliance questionnaire by 28 May 2020. The FCA has confirmed that this email is a scam. Please do not click on the link provided and do not give out any personal or firm details.”
See the link to the FCA warning here. Attempted email scams are fairly common, but what made this case interesting is who allegedly registered the domain: an FCA-regulated firm.
Finding the source of the issue
A lookup on the domain used in the phishing email “From” addresses reveals that it was supposedly registered on 26th May 2020 by an FCA-regulated wealth management business. There are 3 possibilities for what happened:
- The company registered the domain
- The company’s domain registration account was compromised by the scammer
- The scammer was able to create a domain registration account in the name of the company.
Regardless, the incident shows the damage that lax security standards can cause – in this instance, to the wider community. While the firm is NOT hosting or perpetrating phishing, the new domain registered in their name is being used as the “from” address by the criminals trying to defraud the targets of their phishing campaign.
So why would the scammers do that?
Firstly, the domain name specifically resembles the “Gabriel” site on fca.org.uk, used to collect and store regulatory data from firms. This stark resemblance to the official FCA site makes the inbound emails look more legitimate to recipients.
Secondly, the domain registration was validated against the legitimate business by Nominet. This means the domain has legitimacy and is less likely to be blocked by spam or phishing filters – the scammers are piggy-backing on the reputation of the business in whose name the domain was registered.
All in all, this incident is a clear reminder that security isn’t a zero-sum game: businesses don’t benefit when others aren’t secure.
So how can I stop my company being used to enable scams?
We won’t get into the potential regulatory, security & reputational impacts here – suffice to say that we wouldn’t want to have inadvertently enabled this attack, nor to have scammers with access to an account in our name! But we would like to share some tips to prevent this from happening to you.
The first thing you can do is to ensure that ALL of your registered domains are secured from being used to send unauthorised emails, using SPF & DMARC. If you don’t want a domain to send email, you can specify that no-one is authorised to send on its behalf with an SPF record of “v=spf1 -all”, and you can inform recipients to reject any email sent from unauthorised senders with a DMARC record of “v=DMARC1; p=reject; rua=mailto:[email@example.com]”. To find out more about managing your email security, check out our previous blogs.
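A check you could run over each of your non-sending domains, as an added example that is not from the original post or from KYND: it takes the TXT strings published at the domain and at `_dmarc.<domain>` (where the DMARC record lives) and reports anything weaker than the two records quoted above. The function names and the sample records are constructed for illustration.

```python
def parse_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=reject' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked_domain(apex_txt, dmarc_txt):
    """Return a list of findings; an empty list means the domain is locked down.

    apex_txt  -- TXT strings published at the domain itself (SPF lives here)
    dmarc_txt -- TXT strings published at _dmarc.<domain>
    """
    findings = []
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Receivers treat zero records as "no policy" and several as an error.
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        if terms != ["-all"]:
            findings.append(f"SPF is not a bare hard fail: {' '.join(terms) or '(no terms)'}")
    dmarc = [t for t in dmarc_txt if t.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
        return findings
    tags = parse_tags(dmarc[0])
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC policy is {tags.get('p', 'missing')!r}, not 'reject'")
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"subdomain policy sp={tags['sp']} weakens p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address, so no aggregate reports of abuse")
    return findings

if __name__ == "__main__":
    # Constructed sample records: a weak configuration beside the recommended one.
    weak = audit_parked_domain(["v=spf1 ~all"], ["v=DMARC1; p=none"])
    good = audit_parked_domain(["v=spf1 -all"],
                               ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"])
    print("weak:", *weak, sep="\n  ")
    print("good:", good or "no findings")
```

In practice you would feed it the output of a TXT lookup for every domain in your registrar account, including the ones that only redirect or sit unused.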
Secondly, you can ensure that your accounts are secure. That means using multi-factor authentication (MFA; sometimes called 2 step verification) and using unique passwords for each different account you log into. Using Have I Been Pwned to monitor whether any of your accounts are involved in a data breach will also allow you to review the security of any existing accounts.
Finally, monitoring for newly-registered domains associated with your business will alert you to any which have been created without your approval.
At KYND, we’re always happy to help with these and loads of other cyber risks. We make them simple to understand, quick to monitor and easy to prevent. With a simple product that speaks your language, just enter your website name, and we do the rest. To speak to a KYND person, and see a demo of what KYND can do for your business, get in touch.