These emails have a source domain name “@broker-finra.org” and request immediate attention to an attachment relating to the recipient’s firm. The domain of “broker-finra.org” is not connected to FINRA and firms should delete all emails originating from this domain name. In addition, FINRA has requested that the Internet domain registrar suspend services for "broker-finra.org".
In at least in some cases, the scam emails do not actually include the attachment, in which case they may be attempting to gain the recipient’s trust so that a follow-up email can be sent with an infected attachment or link, or a request for confidential firm information.
In other cases, what appears to be an attached PDF file may direct the user to a website which prompts the user to enter their Microsoft Office or SharePoint password. FINRA recommends that anyone who entered their password change it immediately and notify the appropriate individuals in their firm of the incident.