As of June 24, 2025, ACA is aware of an active phishing campaign targeting SEC-registered financial services firms and advisers. While the scope of the campaign is not yet known, multiple ACA clients have reported receiving messages purporting to be from the SEC. All firms should be on high alert for suspicious or unexpected messages claiming to come from the regulator.
Phishing Email Examples
While there is some variation in the text of the emails, the messages have a few common elements, including:
- The sender’s email address contains “virumail[.]com” after “sec.gov”, so the “sec.gov” portion is only a lookalike prefix and the actual sending domain is virumail[.]com. Virumail is not a legitimate or secure file transfer service, and it is commonly used in phishing attacks to spoof legitimate email addresses. Legitimate messages from the SEC do not include it in the sender’s address.
- All messages claim to be from David Bottom, the Chief Information Officer at the SEC, though some messages truncate his last name.
- The messages ask the recipient to reply and confirm their email address to enable future secure communications. This is a common form of “pretexting” used in phishing scams to verify active contacts and build trust for later interactions. Because the first message is benign, the recipient is more likely to engage with the next one, which will likely redirect to a harmful site, trick them into downloading malware, or cause some other harm.
A sample message is included below:
Immediate Action Needed
Firms should ensure their employees are made aware of the threat as soon as possible and are ready to react appropriately.
If an employee receives an unexpected email, like the sample email above, they should:
- Not click any links in the email or open any attachments. Immediately escalate the issue to the firm’s IT team.
- Not reply to the email in any way, including to “confirm” the address as requested.
- Confirm the validity of the email by contacting a trusted SEC representative using verified contact information. Do not use the details provided in the suspicious email—instead refer to contact information listed on the SEC’s website or from another reliable source your firm already uses.
- Reach out to trusted cyber advisors to alert them of the issue and seek further guidance.
- Never trust the “From” field in an email. Always check the email address itself and don’t rely on the sender’s name alone.
- Do not download attachments from an unsolicited source.
- Be cautious of alarmist or pressuring subject lines (e.g., “urgent”, “transfer”, “request”).
- Create bookmarks for frequently visited websites to avoid visiting fake websites.
- Contact the IT department when in doubt about unknown and suspicious emails or links.
- Validate email requests with callbacks to a contact you have on file or visit a legitimate website to find a callback number.
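The two checks that matter most in the list above, looking at the actual address behind the display name and treating “sec.gov” buried inside another domain as a lookalike, are easy to automate in a mail filter or help-desk triage script. The following is an added example, not ACA’s or the SEC’s own code. It uses only Python’s standard email parser; the constants `TRUSTED_DOMAIN` and `ALARM_WORDS`, the helper names, and the sample headers and message are assumptions constructed here to mirror the pattern the advisory describes (“virumail[.]com” after “sec.gov”, a request to reply and confirm), not real samples from the campaign.

```python
"""Triage the From / Reply-To headers of a suspected SEC-impersonation email.

Added example, not ACA's or the SEC's code. The addresses and the message
below are constructed to mirror the pattern described in the advisory
("virumail[.]com" appearing after "sec.gov"); they are not real samples.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "sec.gov"
# Subject words the advisory singles out as pressure tactics (assumption:
# this list is illustrative; extend it to fit your own filtering rules).
ALARM_WORDS = ("urgent", "immediate", "transfer", "request", "action needed")


def sender_domain(header_value: str) -> str:
    """Domain of the *address* in a From/Reply-To header, lowercase, without a
    trailing dot. The display name is discarded: it is attacker-controlled
    and may itself be made to look like an sec.gov address."""
    _display_name, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted_domain(domain: str) -> bool:
    """True only for sec.gov itself or a subdomain of it. The suffix check is
    anchored at a label boundary, so 'sec.gov.virumail.com' and
    'sec.gov-secure.com' both fail: their registrable domain is not sec.gov."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def classify_from(header_value: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'malformed' for a From header."""
    domain = sender_domain(header_value)
    if not domain:
        return "malformed"
    if is_trusted_domain(domain):
        return "trusted"
    # The trusted name embedded anywhere else in the domain is a lookalike.
    if TRUSTED_DOMAIN in domain or "secgov" in domain.replace("-", ""):
        return "lookalike"
    return "external"


def triage_message(raw_message: str) -> dict:
    """Pull out the indicators a help desk would check before anyone replies."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = sender_domain(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    reply_domain = sender_domain(reply_to) if reply_to else from_domain
    subject = str(msg.get("Subject", "")).lower()
    return {
        "from_domain": from_domain,
        "verdict": classify_from(msg.get("From", "")),
        "reply_to_domain": reply_domain,
        # A Reply-To pointing somewhere other than the From domain means the
        # "reply to confirm" pretext is routed to a different inbox.
        "reply_to_mismatch": reply_domain != from_domain,
        "urgent_subject": any(word in subject for word in ALARM_WORDS),
    }


# Constructed message modelled on the described campaign (not a real sample).
SAMPLE_RAW = """\
From: David Bottom <david.bottom@sec.gov.virumail.com>
Reply-To: secure-comms@virumail.com
To: compliance@example-adviser.com
Subject: URGENT: Confirm your email address for secure SEC communications

Please reply to this message to confirm your address.
"""

if __name__ == "__main__":
    for hdr in (
        "David Bottom <david.bottom@sec.gov>",              # trusted
        "SEC Alerts <alerts@mail.sec.gov>",                 # trusted subdomain
        "David Bottom <d.bottom@sec.gov.virumail.com>",     # lookalike
        '"noreply@sec.gov" <bottom@virumail.com>',          # display name lies
        "David Bottom",                                     # no address at all
    ):
        print(f"{classify_from(hdr):10} {hdr}")
    print(triage_message(SAMPLE_RAW))
```

Note that the fourth header in the demo puts a convincing “noreply@sec.gov” in the display name while the real address is at virumail.com; `parseaddr` separates the two, which is exactly why the advice is to read the address and never the name. Header-level checks like these only catch the visible impersonation; they are no substitute for SPF/DKIM/DMARC enforcement on the receiving side.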
The SEC provides additional information on dealing with suspicious emails, phone calls, voicemails, and letters in its Investor Alert here.
If your firm needs help navigating current cybersecurity risks, we’re here to help.
Explore Our Solutions
ACA Aponix® provides cybersecurity services to help organizations defend against cyber threats such as phishing, including:
- Employee security training to educate all staff on industry best practices, cyber trends, and emerging threats.
- Phishing testing to deploy a targeted email campaign to test employees’ ability to identify and handle phishing threats.
- Penetration testing and vulnerability assessments to identify network vulnerabilities, helping reduce the risk of a breach and the associated financial, operational, and reputational losses.
Learn more about additional cybersecurity solutions here.
For questions about this phishing campaign, or to find out how we can help you protect your firm, please reach out to your trusted cyber advisor.