At SEC3 Compliance, we’re tracking a phishing campaign impersonating the SEC to target smaller firms. Since June 23, 2025, several SEC‑registered investment advisers, small hedge funds, and private equity firms have received phishing emails claiming to be from David Bottom, the SEC’s Chief Information Officer. The sender’s address is on sec.gov.virumail.com — immediately a red flag, since the domain that actually receives the mail is virumail.com, which is not part of the SEC’s infrastructure; the leading “sec.gov” is just a subdomain label chosen to look official.
The message requests recipients reply to confirm their email address—an innocuous ask meant to build trust or verify an active account, paving the way for subsequent, more dangerous communications.
Scam technique — Pretexting phishing
This technique is classic “pretexting”: the scammer pretends to need a legitimate action (replying to confirm email) to set the stage for harmful follow-up messages—like fake secure-file links or attachments containing malware/ransomware. Once firms respond, attackers can escalate the attack. SEC3 has seen similar methods used in previous attacks targeting finance firms.
Why this is serious
- Small firms, big vulnerability. Initial reports indicate that the victims are RIAs with <$1 billion in AUM and fewer than 10 employees, firms that may lack robust cybersecurity defenses.
- Regulatory credibility exploited. By impersonating an SEC official, scammers increase the chance they’ll be taken seriously and responded to.
- Potential damage. After confirmation, attackers may push malicious links or attachments, leading to malware infections or credential theft.
Keep in mind
- The SEC has reiterated it will never ask for confirmation of personal data, account details, PINs, or passwords by email or phone.
- They do not send enforcement-related communications asking for money outside formal proceedings.
- If you receive suspicious SEC-related messages, do not respond—report them to:
  - SEC Office of Inspector General: call (833) SEC‑OIG1, or email through sec.gov.
  - Division of Examinations’ Cybersecurity Program (in contact with FINRA’s cyber unit)
SEC3 Compliance can assist in reporting or documenting any phishing incidents.
What should you do (or not do)?
- Do not click links or open attachments from these emails.
- Never reply—report them to your IT/security team.
- Always verify legitimacy by contacting the SEC through official channels (e.g., phone number on sec.gov).
- Treat any alarming subject lines with suspicion.
SEC3 can help your team develop internal incident response protocols.
Best practices for defense:
- Scrutinize sender addresses: Look beyond display names—“.virumail.com” after sec.gov is a tell.
- Verify via trusted channels: Use official contact information from the SEC website—not the contact details in the email you received.
- Train staff routinely: Teach detection of pretexted phishing and spoofed branding.
- Implement tech controls: Email filtering, multi-factor authentication, and incident response processes.
- Report suspicious activity: To the SEC’s OIG and FINRA’s Cyber Unit. Even if no data was lost, the report helps regulators track patterns.
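One way to automate the sender-address check above, as an added example that is not from SEC3 Compliance or the SEC: it parses a From: header, works out which domain actually receives the mail, and flags messages that claim an SEC identity while pointing somewhere else. The sample headers are constructed, and the registrable-domain logic is a deliberate simplification (it does not consult the Public Suffix List).

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers (not real messages). The first one mimics
# the pattern in the advisory: a "sec.gov" label in front of an unrelated domain.
SAMPLE_HEADERS = [
    '"David Bottom" <david.bottom@sec.gov.virumail.com>',
    '"SEC Office of Inspector General" <oig@sec.gov>',
    '"Securities and Exchange Commission" <alerts@sec-gov.example>',
    '"David Bottom" <bottom@mail.sec.gov>',
]

EXPECTED_DOMAIN = "sec.gov"  # the only domain legitimate SEC mail should come from
# Display-name patterns that assert an SEC identity ("sec" as a whole word only,
# so "Secretary" or "Security" do not match).
SEC_CLAIM = re.compile(r"\bsec\b|securities and exchange", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'virumail.com'.

    Simplified heuristic: multi-label suffixes such as 'co.uk' would be
    mis-split, but it is enough to expose the 'sec.gov.<other>' trick.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, reason): 'legitimate', 'suspicious', 'unverified' or 'malformed'."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed", "no address found in header"
    host = addr.rsplit("@", 1)[1]
    reg = registrable_domain(host)
    # Either the display name or the hostname itself is trading on the SEC's name.
    claims_sec = bool(SEC_CLAIM.search(display)) or EXPECTED_DOMAIN in host.lower()
    if reg == EXPECTED_DOMAIN:
        return "legitimate", f"mail is delivered to {reg}"
    if claims_sec:
        return "suspicious", f"claims SEC identity but mail is delivered to {reg}"
    return "unverified", f"mail is delivered to {reg}"


def scan(headers):
    """Classify a batch of From: headers; returns {header: (verdict, reason)}."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, (verdict, reason) in scan(SAMPLE_HEADERS).items():
        print(f"{verdict:11} {header}  ({reason})")
```

Wire `classify_sender` into a mail-gateway rule or a SOC triage script so that any "suspicious" verdict is quarantined and reported rather than replied to.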
Bottom line
This phishing campaign is designed to gain trust through pretext, using social engineering and spoofing to prime advisors for deeper attacks. Awareness, cautious email habits, and vigilant reporting are essential. Firms should treat any email claiming to be from the SEC—especially from David Bottom or using virumail.com—with immediate suspicion.
How SEC3 Compliance Can Help
SEC3 Compliance can assist by:
- Providing employee security training to educate staff on industry best practices
- Developing internal incident response protocols
- Recommending quality cyber firms to assist with emerging threats and to provide phishing testing, penetration testing, and vulnerability assessments.
Get in touch with an SEC3 Compliance team member today.
Need assistance with your compliance program? SEC3’s team of experienced compliance professionals can help. For more information, please email us at info@sec3compliance.com, call (212) 706-4029 x 214, or visit our website at www.sec3compliance.com.
SEC3 provides links to other publicly available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance. The information in this e-newsletter is for general guidance only. It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.