Client Alerts

Beware the 10-K Ruse: Hackers Target SEC Reporting Companies

By: Frances Floriano Goins and Michael A. Marrero

About: Cybersecurity & Privacy

Employees of Securities and Exchange Commission (SEC) reporting companies are the targets of a new cyberattack. On March 8, the SEC issued a notice about malicious emails that appear to be sent by the SEC regarding changes to Form 10-K. Those emails often contain attachments with malicious code that can compromise the email recipient’s computer systems and information.

The SEC has made clear that it has not made recent changes to the Form 10-K and has not sent emails providing notification about any change. Although it is sometimes possible to identify a malicious email by looking at the sender’s email address, the sender for these malicious emails will appear to the recipient as “filings@sec.gov”. In other words, the email appears to come from an SEC email address.

FireEye, the cybersecurity firm that first described this attack, has identified 11 organizations that the attack has targeted. They are in the following sectors:


How to respond
Any SEC reporting company should consider itself a target and take the following actions: