The Securities and Exchange Commission (“SEC”) has recently noted reports of malicious emails sent to some EDGAR filers that appear to be part of a phishing campaign meant to compromise company network systems and obtain access to non-public information. The malicious emails purport to be communications from the SEC about changes to Form 10-K, and they sometimes carry malicious attachments. Opening those attachments can trigger an attempt to install malware specifically designed to gain unauthorized access to the recipient’s computer and/or network systems in order to obtain insider information.
The email attacks in question, known as “spear-phishing”, are effective because they are addressed to specific people and appear to come from a legitimate source. In the case of the fake SEC emails, the targets included corporate officials with titles such as SEC Reporting Manager and Senior Legal Specialist: in other words, the very people responsible for securities filings, who could plausibly expect to receive an email from the SEC.
However, note that the SEC has not made any recent changes to Form 10-K and has not notified filers that any such changes have been made; moreover, when the SEC does contact firms, it does not do so generically. Accordingly, any email purporting to be from the SEC that has not been confirmed with a specific person who is aware of current SEC communications regarding the company’s filings should be deleted, and you should notify the SEC and your network administrator or information security personnel.
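As an added illustration (not part of the SEC notice), the following Python triage check encodes the pattern described above: a message whose sender display name or subject claims SEC or EDGAR origin, or refers to Form 10-K changes, but which does not come from the SEC’s own domain, has a mismatched Reply-To, or carries an unsolicited attachment. The sample messages and their domains are constructed, and sec.gov is assumed to be the SEC’s legitimate sending domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages for illustration only (reserved .example domains).
SAMPLES = [
    # Lure matching the pattern in the notice: claims to be the SEC, mentions
    # Form 10-K changes, is sent from a non-SEC domain, and carries an attachment.
    "From: SEC EDGAR Filer Support <edgar-notice@sec-filings.example>\n"
    "Reply-To: replies@mail-drop.example\n"
    "Subject: Important changes to Form 10-K requirements\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\nPlease review the attached notice.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename=\"Form10K_changes.doc\"\n\n"
    "AAAA\n--b1--\n",
    # Ordinary internal mail about a filing: should not be flagged.
    "From: Jane Doe <jane.doe@filer-corp.example>\n"
    "Subject: Q3 draft 10-K for review\n"
    "Content-Type: text/plain\n\nDraft is in the shared folder.\n",
]

LEGIT_DOMAIN = "sec.gov"  # assumed legitimate SEC sending domain


def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return the reasons a message matches the SEC-lure pattern (empty list = no flags)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_hdr = msg.get("From", "")
    display = parseaddr(from_hdr)[0].lower()
    subject = msg.get("Subject", "").lower()
    # The lure claims SEC/EDGAR authority or refers to Form 10-K changes.
    claims_sec = "sec" in display.split() or "edgar" in display or "form 10-k" in subject
    sender_dom = domain_of(from_hdr)
    if claims_sec and sender_dom != LEGIT_DOMAIN and not sender_dom.endswith("." + LEGIT_DOMAIN):
        reasons.append(f"claims SEC origin but sender domain is {sender_dom!r}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != sender_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain")
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if claims_sec and attachments:
        reasons.append(f"unsolicited attachment(s) {attachments} on an SEC-themed message")
    return reasons
```

A non-empty result is a cue to follow the guidance above: delete the message and notify the SEC and your information security personnel rather than open the attachment.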
The SEC, in its effort to further educate the general public, has prepared more information on phishing, detection methods, and tips for protection, which can be found in the SEC Investor Publication “‘Phishing’ Fraud: How to Avoid Getting Fried by Phony Phishermen”.