Advisors targeted in 'pretexting' phishing scam impersonating SEC

RIAs and other financial service firms have been targeted in a phishing campaign of fraudulent emails claiming to be from David Bottom, chief information officer for the Securities and Exchange Commision (SEC). Compliance consultancy ACA Group told InvesmentNews that four of its clients reported receiving the emails since Monday, June 23, and all recipients were compliance executives at financial firms.

ACA Group shared a copy of the emails, which include the SEC’s Washington, D.C., headquarters in its signature alongside Bottom’s name and title. The sender’s email address is listed as “[email protected][.]com” which ACA Group says is commonly used in phishing attacks. The emails ask advisors to reply and confirm their email addresses, according to a screenshot shared by ACA Group.

SEC-registered investment advisors were among the ACA clients to be targeted in the phishing campaign, as well as a private equity firm and hedge fund.

“What was common amongst them, at least the ones I saw because I went back and looked up ADV filings for the various firms, is they were all on the smaller side with $1 billion or less in RAUM and roughly 10 or less employees,” Aaron Pinnick, senior manager of thought leadership at ACA Group, told InvestmentNews. “That's not necessarily a representative sample of who received it, just who forward those messages to us.”

The SEC is now asking recipients of the fraudulent email to not respond and to file a complaint to the SEC’s Office of Inspector General. In a statement to InvestmentNews, an SEC spokesperson said the agency’s Office of Information Technology notified the SEC’s Division of Examinations’ Cybersecurity Program Office of the phishing campaign, and that division is now in contact with FINRA’s Cyber Unit.

“The SEC’s Office of Information Technology (OIT) is aware of an active phishing campaign involving fraudulent emails that claim to be from agency Chief Information Officer David Bottom and appear to target SEC registrants,” an SEC spokesperson said in a statement. “The messages ask the recipients to reply and confirm their email address to enable future communication. This is commonly known as “pretexting,” a social engineering technique where scammers devise a legitimate scenario and/or use an authoritative figure to gain trust and persuade recipients to divulge sensitive information.” 

An SEC Investor Alert was previously issued in 2021 that details how to detect phone calls, voicemails, emails, and letters that impersonate the regulator. Pinnick explained the initial fraudulent emails impersonating Bottom “isn't really that dangerous,” but warns that responding to the email could lead to more nefarious exposure. 

“What we would expect were to happen would be after you validated your email address with the supposed CIO of the SEC, which obviously wasn't that individual, but after you validated that you would receive some sort of secure file transfer link, download attachment, etc, which, when you interact with that you would get either redirected to a malicious website, download malware or ransomware or some form of malicious code,” said Pinnick.