Firms warned of phishing attack with messages impersonating a top SEC official

On Behalf of Hyman Cotter PC
  |   Jul 17, 2025  |  Regulatory Investigations

A warning has been issued about an active phishing campaign targeting financial firms and advisors registered with the Securities and Exchange Commission.

According to Financial Advisor, the attack was reported by compliance consulting firm ACA, which said multiple ACA clients have reported receiving messages falsely claiming to be sent by SEC chief information officer David Bottom. ACA said it became aware of the matter June 24, and it has advised all firms to be on high alert for suspicious or unexpected messages claiming to be from the SEC official.

ACA said the phishing campaign appears to be highly coordinated, and while there is some variation in the text of the emails, they seem to have a few common elements:

- The sender’s email address includes “virumail[.]com” after “sec.gov.” Virumail is not a legitimate or secure file transfer service, and it is commonly used in phishing attacks to spoof legitimate email addresses. Legitimate messages from the SEC do not include this in the email address.

- All messages claim to be from David Bottom, the Chief Information Officer at the SEC, though some messages truncate his last name.

- The messages ask the recipient to reply and confirm their email address to enable future secure communications. “This is a common form of ‘pretexting’ that is used in phishing scams to verify active contacts and build trust in future interactions,” ACA said. “Since this message was benign, the recipient is more likely to interact with the next message, which will likely redirect to a harmful site, trick them into downloading malware, or result in some other harm.”
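The two sender-side indicators above translate directly into a mail-gateway or triage check. The Python below is an added example, not code from the article, ACA or the SEC: it parses a From: header, takes the sending domain to be whatever follows the last “@”, treats “sec.gov” appearing anywhere else in the address as a lookalike, and flags a display name that invokes the agency or the named official (including a truncated surname) when the address is not actually at sec.gov. The sample headers are constructed for illustration.

```python
"""Triage From: headers for SEC impersonation (added example, constructed samples)."""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "sec.gov"


def sending_domain(address: str) -> str:
    """Return the real sending domain: the text after the last '@', lower-cased."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().strip(".")


def is_trusted_domain(domain: str) -> bool:
    """True only for sec.gov itself or a genuine subdomain of it (label boundary enforced)."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def name_impersonates_sec(display_name: str) -> bool:
    """Display name mentions the agency, or the official's surname (possibly truncated)."""
    tokens = re.findall(r"[a-z]+", display_name.lower())
    if "sec" in tokens:
        return True
    # Advisory notes some messages truncate the surname, so accept 4+ letter prefixes.
    return any(len(tok) >= 4 and "bottom".startswith(tok) for tok in tokens)


def classify_from_header(header: str) -> dict:
    """Return a verdict with the reasons a header looks like SEC impersonation."""
    name, address = parseaddr(header)
    address = address.lower()
    domain = sending_domain(address)
    reasons = []
    if not is_trusted_domain(domain):
        if TRUSTED_DOMAIN in address:
            # 'sec.gov' in the local part or as a leading label of another domain:
            # the lookalike pattern described in the advisory.
            reasons.append(f"address mentions sec.gov but sends from {domain or 'no domain'}")
        if name_impersonates_sec(name):
            reasons.append("display name invokes the SEC but the domain is not sec.gov")
    return {
        "name": name,
        "address": address,
        "domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed headers covering the lookalike pattern, a truncated name, a real
# sec.gov sender and an unrelated sender.
SAMPLE_HEADERS = [
    "David Bottom <david.bottom@sec.gov.virumail.com>",
    "David Bott <sec.gov@virumail.com>",
    "SEC Help Desk <help@sec.gov>",
    "Jane Smith <jane@example.com>",
]


def triage(headers=SAMPLE_HEADERS) -> list:
    """Classify each header; returns (header, verdict) pairs."""
    return [(h, classify_from_header(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {header}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

The check deliberately ignores the display name on its own: a name is only evidence when paired with a domain that is not sec.gov, which mirrors the advisory's point that the address, not the “From” name, is what to inspect.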

ACA advised registered investment advisors to ensure their employees are made aware of the threat as soon as possible and are ready to react appropriately.

ACA offered the following security checklist for RIAs:

- Warn employees now about this specific phishing campaign.

- Instruct employees not to respond to, click on or open anything in a suspicious email. Instead, have employees seek help from your firm’s IT or compliance team.

- Never use the contact information provided in a suspicious email. Instead, confirm authenticity via verified SEC contact information from sources such as sec.gov or your firm’s pre-approved resources.

- Launch a simulated phishing test to assess staff readiness and improve detection rates.

The steps recommended for employees who receive unexpected emails include the following:

- Do not respond to or reply to the email.

- Confirm the validity of the email by contacting a trusted SEC representative using verified contact information. Do not use the details provided in the suspicious email—instead refer to contact information listed on the SEC’s website or from another reliable source your firm already uses.

- Reach out to trusted cyber advisors to alert them of the issue and seek further guidance.

- Never trust the “From” field in an email. Always check the email address itself and don’t rely on the sender’s name alone.

- Do not download attachments from an unsolicited source.

- Be cautious of alarmist email subject lines (e.g., “urgent”, “transfer”, “request”, etc.).

- Create bookmarks for frequently visited websites to avoid visiting fake websites.

- Contact the IT department when in doubt about unknown and suspicious emails or links.

- Validate email requests with callbacks to a contact you have on file or visit a legitimate website to find a callback number.

Quick action “can help identify system weaknesses to reduce the risk of financial, operational and reputational losses,” ACA said.

The SEC has also issued its own warning about the fake emails, saying, “If you receive a communication that appears to be from the SEC, do not provide any personal information unless you have verified that you are dealing with the SEC.”

The attorneys at Hyman Cotter PC fully understand the regulatory scrutiny financial professionals and their firms face from the various regulators that oversee the financial services industry. We have decades of experience representing clients with respect to examinations, investigations and enforcement proceedings initiated by the SEC, FINRA, state securities regulatory agencies and other self-regulatory organizations. If your firm is facing an investigation from a regulatory agency, please contact Hyman Cotter PC at 312-291-4600 or through our online contact form.  
