Phishing Campaign Taking Advantage of Annual Form ADV Update

Each year, registered investment advisers (RIAs) must file an annual updating amendment to their Form ADV with the U.S. Securities and Exchange Commission (SEC) by March 31st using the Investment Adviser Registration Depository (IARD). This year, cybercriminals are taking advantage of advisers by posing as regulators to persuade them to divulge information that could potentially be used in future cyber-attacks. Recent phishing attempts are being sent from a fake Financial Industry Regulatory Authority (FINRA) address, telling advisers they must complete a data request as soon as possible or their investment adviser registration “will be considered inactive.”  

How to spot the phishing attempt 

Although FINRA runs IARD, they will not reach out to firms about any issues with an adviser’s registration, and therefore these emails should immediately be considered suspicious. The SEC would send any notifications about an adviser’s registration to the contacts listed on the Form ADV.  

These requests also include other obvious signs of phishing, including an urgent call to action, an unexpected attachment, and a mismatched email domain (e.g.: finrarps.org).  

Our guidance 

Investment advisers can check whether there are any legitimate issues with their latest Form ADV amendment by accessing their IARD account. Firms should increase their due diligence when reviewing emails and requests in the coming weeks to mitigate potential phishing attempts. 

If an employee receives a suspicious email from a domain they suspect may be masquerading as a regulator, we recommend the following actions: 

1. Do not click any links in the email or open any attachments. Immediately escalate the issue to the firm’s IT team. 
2. Confirm the validity of the email by calling the regulator to confirm whether the request is legitimate, using the phone number at the regulator’s website and alert them to the fraud. 
3. Reach out to trusted cyber advisers and alert them to the fraud.  
4. Alert all employees of ongoing phishing attempts, educating them on what to look for (e.g., legitimate domains), who they should reach out to internally, and how to safely dispose of the email (e.g., reporting to IT and/or holding SHIFT + Delete).  

Ongoing phishing awareness

It is crucial to educate employees about the dangers of phishing attempts, as well as the precautions they ought to take: 

• Never trust the “From” field in an email 
• Do not download attachments from an unsolicited source 
• Be cautious of alarmist email subject lines (e.g., “urgent”, “transfer”, “request”, etc.) 
• Create bookmarks for frequently visited websites to avoid visiting fake websites 
• Contact the IT department when in doubt of unknown and suspicious links 
• Validate email requests with callbacks to a contact you have on file, or visit a legitimate website to find a callback number 

For more guidance on impersonated domains, click here to read our advice.

How we help 

Our cybersecurity and risk services can help you strengthen your line of defense against phishing attacks and other destructive cybercrime tactics. 

• Aponix Protect™ builds a comprehensive cybersecurity and technology risk management program tailored to your business needs 
• Business impact analysis and business continuity plans complete with robust policies, plans, and procedures, better protect your organization from data breaches and efficiently recover from a cyber incident or significant business disruption 
• Staff training and threat monitoring educate your team on industry best practices, cyber trends, and emerging threats 
• Vulnerability and penetration testing reduce the risk of financial, operational, and reputational losses that can result from a breach 

For questions about this alert, or to find out how we can help you mitigate your firm's risk, please reach out to your ACA consultant or contact us.