SEC “Pretexting” Phishing Impersonation Campaign
On June 27, 2025, InvestmentNews reported that a phishing campaign is targeting financial advisors with emails impersonating the SEC’s Chief Information Officer, David Bottom. The sender addresses mimic the “sec.gov” domain by appending “virumail.com”, so the mail does not actually originate from sec.gov. The messages ask recipients to confirm their email address, a seemingly harmless request that is actually a pretext for a more dangerous follow-up. The SEC has confirmed it is aware of the campaign and that registrants are in the crosshairs.
GiGCXOs warns that the safest response is to avoid clicking, replying, or engaging in any way, and instead to verify communications with the SEC through trusted, official channels. The attack works because of authority bias: the mere appearance of an email from the SEC’s CIO can lower defenses. It also opens with a benign request, confirming an email address, that seems safe and lures recipients into a false sense of security. Look-alike domains are another factor; a sender address that begins with “sec.gov” can slip past casual inspection even though the real domain is something else entirely.
For registered investment advisers and broker-dealers, the immediate step is to treat any message requesting confirmation of contact information with suspicion, especially if it references the SEC or another regulator. Firms should quarantine and report the messages, and confirm authenticity through official SEC contacts rather than the email address, link, or phone number provided in the message. Cybersecurity controls should be hardened: block known look-alike domains at the mail gateway; publish SPF and DKIM records for the firm’s own domains and enforce DMARC so that inbound mail failing the sender domain’s policy is quarantined or rejected; mandate multifactor authentication; restrict privileged access; and run phishing drills that specifically include regulator-impersonation scenarios. Every step, from alerts to remediation, should be documented in anticipation of exams or incident reviews.
GiGCXOs offers a suite of solutions designed to prevent firms from becoming headlines. Cyber Guard 360 delivers phishing simulations, role-based security training, and regulator-spoofing playbooks with clear targets for detection and response times. Comm Safe 360 captures and archives all electronic communications, allowing firms to quickly search, isolate, and trace suspicious messages across email, text, and collaboration platforms. Firm Guard 360 provides the documentation and oversight needed to prove compliance with supervisory control requirements, packaging policies, training records, and incident histories into exam-ready files.
A regulator-impersonation playbook can be executed in minutes. First, detect: when a user or the security operations center flags an SEC-themed message, automatically generate a ticket and quarantine the message. Next, confirm spoofing indicators by examining the headers: the sender domain (is it really sec.gov, or a look-alike?), the Reply-To address, and the Authentication-Results for SPF, DKIM, and DMARC. Contain the threat by blocking the domain, recalling any internal forwards, and isolating affected endpoints. Eradication follows, with updated filters, new indicators of compromise fed into monitoring tools, and targeted retraining for any employee who engaged. Recovery includes sending an advisory across the firm with instructions on verifying genuine SEC communications. Finally, report and retain all evidence, documenting the incident for regulators.
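The header checks in the "confirm spoofing indicators" step above, and the SPF/DKIM/DMARC controls mentioned earlier, can be scripted so the triage is repeatable. The following is an added example written for this page; it is not GiGCXOs code or a component of any product named here. It assumes a firm keeps a short list of trusted regulator domains (here only `sec.gov`), and both sample messages are constructed for illustration: the suspicious one follows the pattern the article describes (a sender domain that starts with "sec.gov" and ends in "virumail.com"), but the exact sender string used in the real campaign is not reproduced.

```python
"""Triage an SEC-themed e-mail for the spoofing indicators the playbook names:
a look-alike sender domain, a Reply-To pointing elsewhere, and failed
SPF/DKIM/DMARC results. Added example; not GiGCXOs code."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: a firm maintains this from official SEC contact information.
TRUSTED_DOMAINS = {"sec.gov"}

# Constructed sample in the pattern the article describes; not the real message.
SAMPLE_SUSPICIOUS = """\
Authentication-Results: mx.example-firm.com; spf=fail smtp.mailfrom=sec.gov.virumail.com; dkim=none; dmarc=fail header.from=sec.gov.virumail.com
From: "David Bottom, SEC CIO" <david.bottom@sec.gov.virumail.com>
Reply-To: verify@virumail.com
To: adviser@example-firm.com
Subject: Action required: confirm your email address

Please confirm your registered email address by replying to this message.
"""

# Constructed sample of what a legitimate message's headers would look like.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example-firm.com; spf=pass smtp.mailfrom=sec.gov; dkim=pass header.d=sec.gov; dmarc=pass header.from=sec.gov
From: "Office of Compliance" <noreply@sec.gov>
To: adviser@example-firm.com
Subject: Examination schedule

Please see the attached schedule.
"""


def registrable_domain(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """True when a trusted name is embedded in the domain but the domain is
    neither that trusted domain nor one of its subdomains, e.g.
    'sec.gov.virumail.com' or 'sec-gov.example'. 'mail.sec.gov' is not."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return False
        stem = t.replace(".", "")
        squashed = domain.replace(".", "").replace("-", "")
        if t in domain or stem in squashed:
            return True
    return False


def auth_failures(msg):
    """Every spf=/dkim=/dmarc= result in Authentication-Results that is not 'pass'."""
    fails = []
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            part = part.strip()
            for mech in ("spf", "dkim", "dmarc"):
                if part.startswith(mech + "=") and not part.startswith(mech + "=pass"):
                    fails.append(part.split()[0])
    return fails


def spoof_indicators(raw_message):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    indicators = []
    from_domain = registrable_domain(msg.get("From", ""))
    if is_lookalike(from_domain, TRUSTED_DOMAINS):
        indicators.append("lookalike-from:" + from_domain)
    reply_domain = registrable_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-mismatch:" + reply_domain)
    indicators.extend("auth-fail:" + f for f in auth_failures(msg))
    return indicators


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("legitimate", SAMPLE_LEGIT)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

Any non-empty result is enough to open the ticket and quarantine the message; the individual strings go into the incident record so the "report and retain" step has the evidence already formatted. Note that the Authentication-Results header is only trustworthy when it was written by the firm's own mail gateway, which is why the sample carries the gateway's name in front of the results.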
This latest phishing campaign is a reminder of how a simple pretext can open the door to reputational damage and regulatory scrutiny. Firms unable to detect, verify, and document within minutes leave themselves exposed. GiGCXOs helps turn these risks into teachable moments by embedding repeatable processes through Cyber Guard 360, Comm Safe 360, and Firm Guard 360. A suspicious email should become nothing more than a training screenshot rather than a front-page story. The firm is encouraging advisers to take advantage of a rapid, 15-point phishing resilience check that can map gaps to an action plan in under an hour. Email us today.
Sources: InvestmentNews coverage and ACA Group alert on the SEC-impersonation phishing campaign (June 25–27, 2025). (InvestmentNews, ACA Group, Wealth Management)