A new phishing scam is targeting financial advisors by impersonating a senior SEC official, underscoring the ongoing risks of cybercrime within the investment industry.
The fraudulent emails claim to be from David Bottom, the SEC's chief information officer, and aim to deceive recipients into confirming their email addresses.
Compliance firm ACA Group issued a warning about the scam last Wednesday, reporting that the emails use a spoofed sender address and pretexting tactics to build trust. The messages read:
“I have been directed to send instructions regarding a request from The U.S. Securities and Exchange Commission. Before proceeding, I would like to confirm if this is the best email address to use for sending these instructions securely.”
Pretexting: A Familiar Tactic
This request is a classic example of pretexting: the sender adopts a plausible identity and scenario (a senior SEC official relaying "instructions") to establish credibility, and the innocuous "confirm your address" ask also tells the scammer which mailboxes are live and which recipients will engage. The emails have not yet revealed their ultimate goal, but a follow-up message could lead unsuspecting advisors to download malware, click on malicious links, or share sensitive information.
The SEC has acknowledged the scam and urges recipients not to respond. Advisors who are uncertain about the legitimacy of SEC communications are advised to contact the agency directly via email at Help@SEC.gov or report suspicious activity to the SEC’s Office of Inspector General (OIG). Advisors can also call the OIG hotline at (833) 732-6441 for assistance.
Widespread Impact and Industry Concerns
ACA Group began receiving reports of the scam on Monday, June 23, according to Aaron Pinnick, senior manager at the firm. The scale of the phishing campaign is unclear, but Pinnick believes it is significant due to the volume of reports ACA has received.
“These phishing emails can always pop up and impersonate the SEC or other regulatory bodies,” Pinnick noted. He emphasized the importance of vigilance when dealing with unsolicited messages that request information, stress urgency, or suggest switching communication channels.
The investment industry remains a prime target for cybercriminals due to its access to sensitive client data and significant financial assets. “Our industry is always going to be a target,” Pinnick added, highlighting the need for continuous awareness and strong cybersecurity practices.
Rising Cybercrime in the Investment Sector
The SEC’s Office of the Investor Advocate reported a dramatic increase in cybercrime across the investment sector. In 2024 alone, reports of securities fraud violations rose by 142% compared to the previous year, with a 51% surge in cases involving impersonators targeting investors.
As phishing schemes grow more sophisticated, financial advisors must prioritize cybersecurity measures to protect their firms and clients. This includes email authentication (SPF, DKIM and DMARC enforcement on inbound mail), employee training, and proactive threat monitoring.
Action Steps for Financial Advisors
To mitigate risks, financial advisors should consider the following best practices when dealing with potential phishing scams:
- Verify the Source: Always confirm the authenticity of emails claiming to be from regulatory agencies, especially if they contain unexpected requests or urge immediate action. Contact the agency directly using official communication channels (a phone number or address you already have, not one supplied in the message).
- Educate Teams: Regularly train employees to recognize phishing attempts and understand the tactics scammers use, such as pretexting, urgency cues, and requests to move the conversation to another address or channel.
- Implement Email Security Measures: Use email filtering and sender-authentication checks (SPF, DKIM, DMARC) on inbound mail to block spoofed messages before they reach inboxes, and publish the same records for your own domain so it is harder to impersonate.
- Monitor for Suspicious Activity: Stay vigilant for unusual account activity or attempts to breach sensitive systems.
- Report Incidents: Immediately report suspected phishing attempts to the SEC or other relevant regulatory bodies to help protect others in the industry.
Staying Ahead of Threats
As cybercrime continues to escalate, financial advisors must remain proactive in safeguarding their operations and client relationships. The phishing scam impersonating the SEC is a reminder of the ever-present risks and the importance of staying informed and prepared.
By adopting a culture of cybersecurity awareness and leveraging best practices, advisors can navigate these challenges while maintaining trust and credibility with clients.