Beware Spear Phishing Emails Sent to EDGAR Filers
Investment advisory firms, take note: If you receive, or have already received, what appears to be an email from the SEC's EDGAR program, don't open the attachment in the message – it may be an attempt by a scammer to gain unauthorized entry to your computer or network.
The SEC recently issued a notice stating that it has become aware of reports of "malicious emails" sent to EDGAR filers "that appear to be part of a phishing campaign to compromise company network systems and obtain access to non-public information." The emails claim to be from the SEC about changes to Form 10-K and may contain an attachment that, if clicked upon, seeks to establish a "backdoor" to your computer and/or network. Although 10-K filings are typically filed by corporations, a similar approach, perhaps purporting to be about changes to Form ADV or other submissions, could be used to target advisers and other financial entities.
Spear phishing, according to ACA Aponix senior principal consultant Pascal Busnel, can best be defined as an email attempt by a scammer "who's done a little bit of homework." While similar to an email blast, the email is targeted to specific individuals in specific positions at companies. For instance, for advisers, such messages may be directed to the chief compliance officer, the firm president or the portfolio manager.
This spear phishing attempt was discovered by FireEye, a threat assessment company. Recipients might be misled by the "From" line of the email, which says "EDGAR filings@SEC.gov" with body text that reads "Important changes on Form 10-K and Instructions," and an attachment named "Important_Changes_to_Form10_K.doc." "The attachment contains a malware-infected VBS script that installs a PowerShell backdoor that can be used to steal sensitive information from the infected machine," said ACA Compliance Group in an alert to clients.
FireEye, in a release, said that it identified the threat as likely being from a "financially motivated threat group" known as FIN7 that it said "selectively targets victims and uses spear phishing to distribute its malware." FireEye said that it made that determination with "high confidence . . . based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures."
Eleven organizations that filed through EDGAR were identified as having received the spear phishing email, FireEye said. Among the firms were those in financial services, including insurance, investment, card services, and loans; transportation; retail; education; IT services; and electronics.
FireEye manager of market intelligence John Miller said the attacks were discovered while FireEye was conducting routine email checks for its clients. While he said FireEye was able to stop the attacks for the companies before they did any damage, the scammers most likely "were also going after other organizations other than those that we had visibility into." FireEye then contacted the SEC.
The agency itself was not compromised, Miller said. Rather, the scammers spoofed the SEC's EDGAR email address. The SEC itself declined an opportunity to provide comment beyond what it said in its notice.
"Email is inherently insecure," Busnel said. "You cannot blindly trust any email you receive."
So what's to be done? What precautions can recipients take to minimize the chances they open a spear phishing email and then open or click something that does damage to their computer, their network and/or their firm?
"Training and knowledge transfer are critical," said Eversheds Sutherland attorney Mark Thibodeaux. "Teach employees and yourself how to recognize spear phishing attacks and then test that knowledge. With more and more information about everyone on the Internet, it's increasingly easy for anyone to get specific information about you or anyone else that they can use to personalize spear phishing."
Consider these best practices in your training of employees to prevent successful spear phishing attempts:
Check out the "from" line. This is your first and most obvious line of defense. Don't open an email without first seeing who it is from. "It could be unfamiliar or phony," Busnel said. Sometimes the name at the beginning of the "from" line might be familiar, such as the name of a bank, but the latter part of the email may not seem right. If that happens, don't open the email – alert your IT department, designated person to handle IT security, or your firm's chief compliance officer. Some scammers, such as the one in the SEC spear phishing attempt, manage to use real email addresses, so this is far from a foolproof method. That's why the next steps are important.
Check out the "reply to" address. If that "from" line looks familiar, see if the "reply to" address does. But – and this is very important – do not open any attachments or click on any links contained in the email. What you want to see in the "reply to" address is whether it is authentic, or whether it looks odd. As with a suspicious "from" line, if the address raises suspicions, alert your IT department, designated IT security person, or CCO. Some scammers are sophisticated enough that they manage to create a credible "reply to" address, and if that is the case, you might not notice a problem, said Busnel. But you can eliminate quite a few spear phishing attempts simply by checking.
Cast a wary eye toward attachments or links. Anytime you receive an email from an unknown source, "it should raise eyebrows," said Busnel. It may contain malware or other harmful programs. The solution: "Call the sender of the attachment to see if he or she sent it, or if you receive a link, go to the URL address yourself, rather than use the link," he said. Thibodeaux suggested watching out for links to financial service sites that may state, "We've noticed some suspicious activity on your site," or that seek personal information, and then provide a link to click. "Type it in the browser yourself."
Don't fall for "urgent" messages. The SEC, in its publication, "Phishing" Fraud: How to Avoid Getting Fried by Phony Phishermen, notes that "many fraudsters use fear to trigger a response, and phishers are no different. In common phishing scams, the emails warn that failure to respond will result in you no longer having access to your account. Other emails might claim that the company has detected suspicious activity in your account or that it is implementing new privacy software or identity theft solutions."
Disable those macros. "Make sure that any macros for Microsoft Office Suite are disabled by default," Busnel said. Macros are code embedded in a document; if Office is allowed to run them automatically, a malicious document can execute its code the moment it is opened. With macros disabled, Office will prompt you before running any macro in a document you open, which gives you the opportunity to have IT check the document first.
Read your statements. The SEC suggests that firms not toss their monthly account statements. "Read them thoroughly as soon as they arrive to make sure that all transactions shown are ones that you actually made, and check to see whether all of the transactions that you thought you made appear as well. Be sure that the company has current contact information for you, including your mailing address and email address."
Speak up. If you receive a spam email, it's not enough to simply know not to open it and delete it. "Do not keep it to yourself because you assume that someone else in your firm who received the same email will alert the powers that be," Busnel said. "Seek out your IT team, designated IT security person, or your CCO and let them know."
Limit the damage. Do all you can to prevent opened malware that arrives via spear phishing from spreading from computer to computer or from system to system throughout your firm. One inexpensive way to do this is simply making sure every system in your electronic environment has the latest patches and that they run the latest anti-virus software, said Busnel. "They may catch any problems before they do real damage."
Don't accept emails from external servers. "Create a rule in the email environment that prevents an email that appears to be from an employee but is sent from an external email server," Busnel said. By limiting external email acceptance to only those that come through your firm's server, to which employees know the user name and password, you minimize the risk of a successful spear phishing attack.
Don't be reluctant to tap your IT team. Whenever your firm receives an email that raises suspicions, "take the time to forward it to your firm's IT people for a thumbs up or a thumbs down," Busnel said. That is one of the reasons the IT team is there, and failure to do so may leave your firm susceptible to malware.
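As an added illustration (not part of the newsletter, and not tooling from ACA, FireEye or the SEC), the Python check below applies three of the practices above at a mail gateway: the rule that holds a message claiming an internal sender but delivered by an external server, the "reply to" comparison, and a hold on attachment types that can carry macros or scripts. The firm domain, the X-Mail-Origin header the gateway is assumed to stamp on inbound mail, and the sample message modelled on the 10-K lure are all constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values (not from the article): the firm's own mail domain, and a header
# that the firm's mail gateway stamps on every message it accepts from outside.
INTERNAL_DOMAIN = "example-adviser.com"
ORIGIN_HEADER = "X-Mail-Origin"
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".vbs", ".js", ".hta")  # macro/script carriers

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def check_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be held for IT review (empty list = pass)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    # Rule 1 (the "external server" mail rule): the address claims a colleague,
    # but the gateway saw the message arrive from outside the firm.
    if from_domain == INTERNAL_DOMAIN and str(msg.get(ORIGIN_HEADER, "")).lower() == "external":
        reasons.append("internal sender address delivered by an external server")
    # Rule 2 ("check the reply to"): replies would go somewhere other than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"reply-to @{_domain(reply_addr)} differs from sender @{from_domain}")
    # Rule 3 ("wary eye toward attachments"): file types that can carry macros or scripts.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"attachment {name} can carry macros or script")
    return reasons

def build_sample() -> bytes:
    """Constructed message modelled on the lure described above (not a real capture)."""
    m = EmailMessage()
    m["From"] = '"EDGAR filings@SEC.gov" <filings@sec-edgar-notice.example>'
    m["Reply-To"] = "replies@mailer.example"
    m["To"] = f"cco@{INTERNAL_DOMAIN}"
    m["Subject"] = "Important changes on Form 10-K and Instructions"
    m[ORIGIN_HEADER] = "external"
    m.set_content("Important changes on Form 10-K and Instructions, see attached.")
    m.add_attachment(b"placeholder bytes, not a real document",
                     maintype="application", subtype="msword",
                     filename="Important_Changes_to_Form10_K.doc")
    return bytes(m)
```

Running `check_message(build_sample())` returns two hold reasons (the mismatched reply-to and the .doc attachment); a message from a colleague's address stamped "external" by the gateway is held by rule 1 alone.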