Beware the 10-K Ruse: Hackers Target SEC Reporting Companies

Ulmer Client Alert
Topic:
Data Privacy & Information Security
By: Frances Floriano Goins, Michael A. Marrero, and Gregory P. Stein

Employees of Securities and Exchange Commission (SEC) reporting companies are the targets of a new cyberattack. On March 8, the SEC issued a notice about malicious emails that appear to be sent by the SEC regarding changes to Form 10-K. Those emails often contain attachments with malicious code that can compromise the email recipient’s computer systems and information.

The SEC has made clear that it has not made recent changes to the Form 10-K and has not sent emails providing notification about any change. Although it is sometimes possible to identify a malicious email by looking at the sender’s email address, that check will not work here: the sender address is spoofed, so the message will display to the recipient as coming from “filings@sec.gov.” In other words, the email appears to come from a genuine SEC email address even though the SEC did not send it, and the displayed sender address alone cannot be relied on to judge authenticity.

FireEye, the cybersecurity firm that first described this attack, has identified 11 organizations that the attack has targeted. They are in the following sectors:

  • Financial services
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics


How to respond
Any SEC reporting company should consider itself a target and take the following actions:

  • Notify lawyers and executives who are involved with SEC filings about the malicious emails spoofing the SEC’s email address and the need to be vigilant about fake emails that relate to changes to the Form 10-K. If there is any doubt about the authenticity of an SEC email, email recipients should contact their IT departments or IT consultants prior to opening attachments or clicking on links.
  • Contact the IT department or your IT consultant to find out whether messages of this type have already been received or blocked, and whether they can be blocked going forward (for example, by quarantining inbound messages that claim a sec.gov sender but fail the email gateway’s SPF, DKIM, or DMARC authentication checks).
  • If the company suspects that any employee may have clicked on a link or attachment in any suspicious email, in accordance with its incident response plan, the company’s incident response team should investigate whether its systems have been compromised.
  • Use this example as part of general employee training to make users more knowledgeable about phishing (i.e., emails sent by criminals that appear to be from a trusted party) so that they become less susceptible to attacks.
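The following is an added example, not part of the Ulmer alert and not code from the SEC or FireEye. It shows the kind of header triage an IT team could run when asked whether spoofed “filings@sec.gov” messages have been received or could be blocked: it parses a raw email, reads the authentication verdicts that the receiving mail gateway records in the Authentication-Results header, and flags a message whose From: address claims sec.gov but whose SPF, DKIM, or DMARC results do not support that claim. It assumes the gateway adds an Authentication-Results header (and strips any such header arriving from outside); the two sample messages, their hostnames, addresses, and attachment name are constructed for illustration and are not taken from the real campaign.

```python
"""Header triage for messages that claim to come from the SEC.

Added example, not from the client alert. The mail samples at the bottom
are constructed for illustration; the hosts, addresses and attachment
name are invented, not observed indicators.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Domain the phishing messages impersonate (from the alert).
CLAIMED_DOMAIN = "sec.gov"


def _domain(addr):
    """Return the lowercase domain part of an address header, or ''."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def _is_claimed_domain(domain):
    return domain == CLAIMED_DOMAIN or domain.endswith("." + CLAIMED_DOMAIN)


def _auth_result(msg, method):
    """Verdict ('pass', 'fail', 'none', ...) that the receiving gateway
    recorded for spf/dkim/dmarc in Authentication-Results, or 'none'."""
    for header in msg.get_all("Authentication-Results", []):
        match = re.search(rf"\b{method}=(\w+)", str(header), re.IGNORECASE)
        if match:
            return match.group(1).lower()
    return "none"


def assess_message(raw: bytes) -> dict:
    """Flag a message that claims a sec.gov sender without authentication
    evidence backing the claim. Only the gateway's own verdicts are used;
    this function does not perform SPF/DKIM lookups itself."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    spf, dkim, dmarc = (_auth_result(msg, m) for m in ("spf", "dkim", "dmarc"))
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]

    reasons = []
    if _is_claimed_domain(from_domain):
        if dmarc != "pass":
            reasons.append(f"From claims {from_domain} but dmarc={dmarc}")
        if spf != "pass" and dkim != "pass":
            reasons.append(f"neither SPF ({spf}) nor DKIM ({dkim}) passed")
        if return_path_domain and not _is_claimed_domain(return_path_domain):
            reasons.append(f"Return-Path domain {return_path_domain} "
                           f"does not match the From domain")
    return {
        "from_domain": from_domain,
        "spf": spf, "dkim": dkim, "dmarc": dmarc,
        "attachments": attachments,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: spoofed From, failing authentication, attachment.
SPOOFED = b"""Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=sec.gov
From: "SEC Filings" <filings@sec.gov>
To: cfo@example.com
Subject: Important changes to Form 10-K
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached changes to Form 10-K.
--b1
Content-Type: application/octet-stream; name="Form_10-K_changes.doc"
Content-Disposition: attachment; filename="Form_10-K_changes.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: same claimed sender, but authentication passes.
LEGIT = b"""Return-Path: <filings@sec.gov>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=sec.gov; dkim=pass header.d=sec.gov; dmarc=pass header.from=sec.gov
From: "SEC Filings" <filings@sec.gov>
To: cfo@example.com
Subject: Filing receipt
Content-Type: text/plain

Your filing was received.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess_message(raw))
```

Run against a mailbox export, the same function tells you whether such messages have already arrived; the same predicate expressed as a gateway rule (claimed sec.gov From: plus a failing DMARC verdict) is one way to block them going forward. Note that the check depends on the gateway being the only party that writes Authentication-Results: an attacker can put any header in a message, so inbound copies of that header must be stripped at the edge.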