In early February 2025, a coordinated spear phishing campaign targeted a cluster of Swiss wealth management firms operating in the Geneva and Zurich financial corridors. The campaign was notable for its operational sophistication and its use of impersonated FINMA correspondence as a lure.
The Lure: Regulatory Urgency
Attackers sent personalised emails purporting to come from FINMA, referencing actual ongoing regulatory consultations to add plausibility. Recipients were directed to a credential-harvesting site hosted on a domain registered one week before the campaign — a common technique to evade reputation-based filtering.
Technical Indicators
The phishing infrastructure used compromised Swiss-hosted servers so that connections would not stand out as geographic anomalies. The credential harvesting page replicated FINMA's ExtraNet portal with high fidelity. Message headers were carefully crafted to pass basic SPF and DKIM checks by exploiting a misconfigured third-party email service.
How It Was Detected
Detection came not through technical controls but through a compliance officer who noticed a discrepancy in the regulatory reference number — it did not match the actual FINMA circular format. A direct call to FINMA's switchboard confirmed the correspondence was fraudulent.
◆ Key Takeaway
Human vigilance remained the decisive factor in this case. No technical control caught the campaign. This underscores why security awareness training — specifically scenario-based exercises involving regulatory lures — is a non-negotiable control for financial services firms.
Defensive Recommendations
Implement DMARC in enforcement mode. Establish a verified callback procedure for all regulatory communications. Train staff specifically on regulatory-themed phishing. Consider deploying a financial sector-specific threat intelligence feed that includes Swiss regulatory body spoofing indicators.
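The Technical Indicators section notes that the lure passed basic SPF and DKIM checks through a misconfigured third-party mail service, and the recommendations ask for DMARC in enforcement mode. The following added example (not code from the original article or from FINMA) shows why those two facts fit together: a minimal DMARC identifier-alignment check in the spirit of RFC 7489, run over constructed authentication results with placeholder domains. The organizational-domain helper is a deliberate simplification; a real implementation would consult the Public Suffix List.

```python
# Added example: DMARC identifier alignment, showing why a message that passes
# SPF and DKIM for a third-party sender domain still fails DMARC when the domain
# in the visible From: header does not align. All domains here are constructed.

def organizational_domain(domain: str) -> str:
    """Crude fallback: keep the last two labels (assumption; real code should
    use the Public Suffix List so that e.g. co.uk is handled correctly)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_evaluate(msg: dict, policy: str = "reject", adkim: str = "r", aspf: str = "r") -> dict:
    """Return the DMARC verdict and the action implied by the published policy.
    msg carries the RFC5322.From domain, the SPF result with the domain SPF
    authenticated (RFC5321.MailFrom), and the DKIM result with the d= domain."""
    from_domain = msg["from_domain"]
    spf_pass = msg["spf"] == "pass" and aligned(from_domain, msg.get("spf_domain", ""), aspf)
    dkim_pass = msg["dkim"] == "pass" and aligned(from_domain, msg.get("dkim_domain", ""), adkim)
    verdict = "pass" if (spf_pass or dkim_pass) else "fail"
    actions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
    action = "deliver" if verdict == "pass" else actions[policy]
    return {"dmarc": verdict, "spf_aligned": spf_pass, "dkim_aligned": dkim_pass, "action": action}

# Constructed sample: the lure claims the regulator's domain in From: but was
# relayed through a third-party mail service whose own domain authenticates
# cleanly. SPF and DKIM both report "pass", yet neither identifier aligns.
LURE = {
    "from_domain": "regulator.example",
    "spf": "pass", "spf_domain": "mailer.thirdparty-esp.example",
    "dkim": "pass", "dkim_domain": "thirdparty-esp.example",
}
# Constructed sample: a genuine message signed with the regulator's own key.
GENUINE = {
    "from_domain": "regulator.example",
    "spf": "pass", "spf_domain": "bounce.regulator.example",
    "dkim": "pass", "dkim_domain": "regulator.example",
}

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("genuine", GENUINE)):
        print(name, dmarc_evaluate(m))
```

With the policy left at p=none, the lure is still delivered and only shows up in aggregate reports, which is the gap enforcement mode closes.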