Hepler Broom, LLC

Fake News: SEC Spear Phishing Scam—Don’t Trust, and Verify

May 3, 2017

It appears to be innocent and routine. The CFO of your company forwards to you an urgent-sounding, personally addressed email from the Securities and Exchange Commission’s EDGAR public filing system announcing changes to the reporting system. Last week you signed the attestation of the accuracy of your Quarterly Report on SEC Form 10-Q. You hope you have not made a mistake or missed an important change. You look over the email again. At first glance it appears legitimate:

[Image: email supposedly from the SEC]
Or it might be your worst nightmare: an email from the SEC questioning your firm’s disclosures, revenue recognition treatment, or internal controls on access to non-public information. The Commission seal looks imposing. The email attaches an official-looking Word document requesting some basic information. It all looks real. You decide you had better open the attachment and plan your response.

Turns out, it’s a fake email: not from the SEC at all but from an impostor. (It is likely from a criminal syndicate in Eastern Europe seeking access to your network in order to obtain material non-public information and profit from stock trades guided by it.)

On March 7, 2017, Fortune magazine reported that a number of public companies received well-crafted but bogus emails that appeared to announce regulatory compliance changes from the Securities and Exchange Commission (SEC). According to Fortune, FireEye (a security company) intercepted suspicious emails targeted at companies in sectors ranging from transportation to banking to retail. FireEye reports that numerous company officials opened the Microsoft Word file attached to these emails and exposed their networks to insidious malware.

Opening the Word attachment ran the malware it carried, which gave the intruders wide access to internal corporate networks. The attackers’ gambit is a classic example of “spear phishing”: emails from an apparently legitimate source, directed at specifically identified people who are likely to receive the type of communication involved. Here the emails were sent to readily identifiable corporate officials with responsibilities relevant to SEC reporting. It might be unusual, but not surprising, for these officials to receive a reporting change announcement from EDGAR.

Sophisticated efforts to gain access to networks unabashedly co-opt governmental imagery. The example here was directed to public companies subject to SEC reporting requirements, but for private companies, it could just as well be an ersatz communication from virtually any federal, state, or local governmental body.

Mistakes will be made, and other protections to block or evict intruders are certainly advisable, but the first line of defense is always human judgment. Train your management and employees to develop a healthy skepticism of email communications purporting to come from governmental bodies. Some steps that can be taken to avoid these types of scams:

  • Assess whether the communication is through normal channels.
    • The SEC and EDGAR do not normally send personally addressed emails to specific corporate officials announcing changes to reporting forms.
    • Changes in reporting requirements are not summarily announced by email. They are published in the Federal Register and through other public channels, and are discussed in the financial and accounting communities well before anyone has to act on them.
  • Assess the form and content of the email itself for any apparent flaws that suggest a scam.
    • Compare the display name with the email address. The display name is what you see in the “From” field, but it is not the sender’s email address, and an impostor can put literally anything they want in it, including a convincing name or even a fake address. (In Outlook, right-click the sender in the “From” field, then click “Open Outlook Properties” to see both the display name and the actual email address. Other email applications have similar ways to reveal the sender’s address.)
    • Does the Subject “Important” look suspicious?
    • The body of the email lacked any meaningful information. Is that normal?
    • Most government emails will have a format with confidentiality, email preferences legends, contact instructions for follow-up, and similar legends or footers. Is this email out of the ordinary?
  • Look at the mail servers the email passed through before delivery.
    • (In Outlook, open the email, click the File menu, then Properties, and read the Internet headers. In our example, if none of the servers in the “Received” lines belongs to sec.gov, that’s a red flag.)
    • Read the “Received” lines from the top down. Each server adds its own line above the ones already there, so only the lines added by your organization’s own mail servers can be trusted; everything below them arrived with the message and could have been written by the sender. A line claiming a hop “from sec.gov” that sits below your own servers’ lines proves nothing.
    • The receiving mail server usually also records an “Authentication-Results” line with its SPF, DKIM, and DMARC verdicts for the sender’s domain. A failure there is another red flag; a pass only shows that the message really came from the domain in the address, not that the domain belongs to the SEC.
  • Establish a specific procedure to centralize responses to government announcements and inquiries.
  • Independently verify from the source whether the inquiry is legitimate.
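The header checks in this list can be scripted so that every forwarded “SEC” email gets the same treatment. The following is an added example, not code from this post or from FireEye: it uses Python’s standard-library email parser on two constructed messages (the domains example-corp.com, edgar-filing-notices.example and sec-edgar-alerts.example, the host names, the addresses and the timestamps are all invented) and reports the red flags for the display name versus the real address, for the trustworthy part of the Received chain, and for the gateway’s SPF/DKIM/DMARC verdicts.

```python
import email
import re
from email.utils import parseaddr

# Added example, not code from the article: every host, domain and address
# here is invented, and the two messages are constructed samples.
EXPECTED_DOMAIN = "sec.gov"           # domain the message claims to come from
OUR_MAIL_DOMAIN = "example-corp.com"  # hypothetical recipient organisation

# Sample 1: From: is forged to sec.gov. The bottom Received: line claiming a
# hop "from sec.gov" was written by the attacker's server, not by ours.
SPOOFED = b"""\
Received: from mx1.example-corp.com (mx1.example-corp.com [192.0.2.10])
 by mailbox.example-corp.com with ESMTPS; Tue, 07 Mar 2017 09:12:03 -0600
Authentication-Results: mx1.example-corp.com;
 spf=fail smtp.mailfrom=sec.gov; dkim=none; dmarc=fail header.from=sec.gov
Received: from edgar-filing-notices.example (unknown [198.51.100.23])
 by mx1.example-corp.com with ESMTP; Tue, 07 Mar 2017 09:12:01 -0600
Received: from sec.gov (localhost [127.0.0.1])
 by edgar-filing-notices.example with SMTP; Tue, 07 Mar 2017 09:11:58 -0600
From: "EDGAR Filing System" <edgar@sec.gov>
Subject: Important
"""

# Sample 2: a look-alike domain the attacker really controls, so SPF, DKIM and
# DMARC all pass; the tells are the display name and the real address.
LOOKALIKE = b"""\
Received: from mx1.example-corp.com (mx1.example-corp.com [192.0.2.10])
 by mailbox.example-corp.com with ESMTPS; Tue, 07 Mar 2017 09:12:03 -0600
Authentication-Results: mx1.example-corp.com;
 spf=pass smtp.mailfrom=sec-edgar-alerts.example; dkim=pass
 header.d=sec-edgar-alerts.example; dmarc=pass header.from=sec-edgar-alerts.example
Received: from mail.sec-edgar-alerts.example ([198.51.100.23])
 by mx1.example-corp.com with ESMTP; Tue, 07 Mar 2017 09:12:01 -0600
From: "EDGAR Filing System <edgar@sec.gov>" <notices@sec-edgar-alerts.example>
Subject: Important
"""


def unfold(value):
    """Join a folded (multi-line) header value into one line."""
    return " ".join(value.split())


def in_domain(host, domain):
    """True if host is domain or a subdomain of it ('evilsec.gov' does not match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_identity(msg):
    """From: split into display name, address and the address's domain."""
    name, address = parseaddr(unfold(msg.get("From", "")))
    return name, address, address.rpartition("@")[2].lower()


def received_chain(msg):
    """(from_host, by_host) for each Received: header, newest hop first."""
    hops = []
    for value in map(unfold, msg.get_all("Received", [])):
        m_from, m_by = re.match(r"from\s+(\S+)", value), re.search(r"\bby\s+(\S+)", value)
        hops.append((m_from.group(1) if m_from else "?", m_by.group(1) if m_by else "?"))
    return hops


def handoff_host(hops, our_domain=OUR_MAIL_DOMAIN):
    """External host that actually connected to our gateway. Each server prepends
    its own Received: line, so only the leading hops whose 'by' host is ours are
    trustworthy; every line below them arrived with the message (forgeable)."""
    trusted_from = None
    for from_host, by_host in hops:
        if not in_domain(by_host, our_domain):
            break
        trusted_from = from_host
    return trusted_from


def auth_results(msg):
    """spf/dkim/dmarc verdicts our gateway recorded in Authentication-Results."""
    verdicts = {}
    for value in map(unfold, msg.get_all("Authentication-Results", [])):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts[method] = result.lower()
    return verdicts


def triage(raw, expected_domain=EXPECTED_DOMAIN):
    """Apply the checklist and return the red flags found (empty list = none)."""
    msg = email.message_from_bytes(raw)
    flags = []
    name, _address, domain = sender_identity(msg)
    if not in_domain(domain, expected_domain):
        flags.append("ADDRESS_NOT_EXPECTED_DOMAIN")
        if expected_domain in name.lower():  # free-text display name mimics the domain
            flags.append("DISPLAY_NAME_MIMICS_DOMAIN")
    hop = handoff_host(received_chain(msg))
    if hop is None or not in_domain(hop, expected_domain):
        flags.append("HANDOFF_NOT_EXPECTED_DOMAIN")
    for method, result in auth_results(msg).items():
        if result != "pass":
            flags.append(f"{method.upper()}_{result.upper()}")
    if unfold(msg.get("Subject", "")).lower() in {"important", "urgent"}:
        flags.append("GENERIC_SUBJECT")
    return flags
```

Running `triage(SPOOFED)` flags the hand-off from a non-SEC server and the SPF/DKIM/DMARC failures, and it ignores the forged “from sec.gov” line at the bottom of the chain because that line sits below the ones our own servers wrote. `triage(LOOKALIKE)` passes every authentication check, which is the point of the second sample: authentication only proves the message came from the domain in the address, so the display name and the real address still have to be compared by a person or a script.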

Some of these steps may be inconclusive on whether an email is a malicious hacking attempt. It may be difficult to tell if the hacker sent it from their actual email address or if it was spoofed. If it was sent from a hacked email account, it would still look legitimate. We are dealing with sophisticated actors, and things are not always what they seem, so …

… if there is any doubt, don’t trust—and verify.

COVID-19 Updates

HeplerBroom LLC COVID-19 Response

HeplerBroom has been diligently working on its response and continuity plan to the COVID-19 pandemic in order to keep the health and safety of our employees, their families, and our clients as our top priority.

To help ensure everyone’s continued health and well-being, effective Tuesday, March 17, 2020, all attorneys and staff will be working remotely until March 31. This is an unprecedented and dynamic situation, and HeplerBroom is committed to observing governmental suggestions and requirements concerning public health while continuing to provide legal service second to none.

To ensure this, the firm has identified essential personnel in each office who will make certain that critical firm functions that cannot be done remotely continue to be handled. We have put in place a protocol for those essential personnel to make sure they stay healthy, following the CDC cleaning and sanitizing recommendations. All teams have back-up personnel and procedures that we will follow to make sure all deadlines are met and clients receive the same great service and work product that we have always been proud to provide.

HeplerBroom’s IT department has been working hard to make sure all remote employees are set up with equipment and access from home to limit disruption to our clients. Maintaining security and confidentiality has remained, and will continue to remain, at the forefront of all processes and procedures, at all levels throughout the firm.

The firm has created emergency communication measures to inform employees of any changes to this plan, and is regularly sharing new resources and helpful information during this uncertain time.

During these fluid and unpredictable times, HeplerBroom will continue its commitment to great service and results for our clients, all while keeping safe and healthy.

Wishing you and your families good health.