Hackers and Insider Trading Remain a Threat to SEC
It was more than a year ago that the U.S. Securities and Exchange Commission (SEC) cracked down on a group of hackers and traders who obtained confidential, non-public information about publicly traded companies by hacking websites that host press releases. A recently released report by a cybersecurity company suggests that such insider trading continues, this time with data obtained by phishing personnel at publicly traded companies, the people who typically file reports to investors with the SEC.
The FireEye report details a scheme in February to obtain confidential corporate information by spoofing an email purportedly from the SEC’s EDGAR filing service. When recipients followed the instructions inside the attached Microsoft Word file, they unwittingly granted the attackers access to their company’s internal corporate network.
Because the scam appeared to come from a legitimate sec.gov email address, FireEye indicates that several corporate executives were fooled.
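The lure described above works because the visible From address says sec.gov while the actual sending path does not. The triage below, an added example that is not FireEye's, the SEC's or this article's own code, parses a message's Return-Path and Authentication-Results headers, compares them with the From domain, and flags macro-capable Office attachments. Both messages, the header values and the attachment name are constructed for illustration; the list of macro-capable extensions is an assumption.

```python
"""Header and attachment triage for an email that claims to come from a
trusted domain (here sec.gov, as in the EDGAR-themed lure).

Added example; not FireEye's, the SEC's or the article's own code. The two
messages below are constructed: the header names follow the usual
Return-Path / Authentication-Results conventions, but every value is invented.
"""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "sec.gov"
# Office formats that can carry executable macro content (assumed list).
MACRO_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")

# Constructed lure: From claims sec.gov, but the bounce address and the
# receiving server's authentication verdicts do not back that up.
SPOOFED_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=sec.gov
From: "EDGAR Filing Service" <edgar-filing@sec.gov>
To: cfo@company.example
Subject: Action required: EDGAR filing correction
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form and follow the instructions.

--XYZ
Content-Type: application/msword; name="EDGAR_Filing_Form.doc"
Content-Disposition: attachment; filename="EDGAR_Filing_Form.doc"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed control message whose sending path and verdicts are consistent.
CLEAN_RAW = """\
Return-Path: <edgar-filing@sec.gov>
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=sec.gov; dkim=pass header.d=sec.gov; dmarc=pass header.from=sec.gov
From: "EDGAR Filing Service" <edgar-filing@sec.gov>
To: cfo@company.example
Subject: Filing received
MIME-Version: 1.0
Content-Type: text/plain

Your filing has been received.
"""


def domain_of(address_header: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def triage(raw: str) -> dict:
    """Return the parsed sender facts plus a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    attachments = [a.get_filename() or "" for a in msg.iter_attachments()]

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"bounce address domain {return_path_domain} "
                        f"differs from From domain {from_domain}")
    if auth["spf"] in ("fail", "softfail"):
        findings.append(f"SPF {auth['spf']} for the sending domain")
    if auth["dmarc"] != "pass":
        findings.append(f"DMARC did not pass for {from_domain} (result: {auth['dmarc']})")
    for name in attachments:
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable Office attachment: {name}")

    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "attachments": attachments,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        result = triage(raw)
        print(f"{label}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The check relies on the receiving mail server having already written its SPF, DKIM and DMARC verdicts into the Authentication-Results header; a mismatch between the bounce address domain and the From domain is only a signal, since legitimate mailing services produce it too, which is why the verdicts and the attachment type are weighed together.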
Law firms have also been targets for cybercriminals looking to trade on inside information. In December, the government brought charges against three Chinese citizens who hacked top U.S. mergers and acquisitions lawyers to obtain information about deals and profited by buying shares.
This is prime territory for the SEC whistleblower program. A person at a hacked company who turns over critical information about the scam to the SEC, allowing it to stop the illicit trading, could be entitled to a reward. Individuals who work for the companies trading on the confidential, illegally obtained information could also assemble the evidence and report the trades to the SEC.
Large Rewards for SEC Whistleblowers
In the 2015 case, one of the participants settled with the SEC for $30 million. With rewards of between 10 and 30 percent of the amount recovered, this enforcement action alone could have brought a whistleblower $3 million to $9 million.
The potential disruption of the market by participants trading on hacked information is tremendous. It poses a definite threat to the integrity of the market, and we therefore expect the SEC to take such information seriously when it is received from a credible whistleblower.
Indeed, the SEC has recognized this problem and made cybersecurity compliance a top priority for its compliance examinations of broker-dealers and other market participants. It is unlikely to take a different approach in its pursuit of enforcement actions.
Spoofing the SEC
There have been instances where entities have posed as the U.S. Securities and Exchange Commission (SEC) to trick investors and the general public. This is a form of spoofing, in which malicious actors borrow the SEC’s name and reputation to make their communications appear legitimate.
- Email Spoofing: Fraudsters might send emails that appear to be from the SEC, complete with official-looking logos and signature lines. These emails may promise the recipient access to information about investment opportunities or even promise financial gains. They might contain links to malicious websites or include attachments containing malware.
- Website Spoofing: There have been cases where fraudulent websites were created to mimic the official SEC site. These sites may have similar web addresses, design, and layouts to trick users into thinking they are on the SEC’s official site.
- Caller ID Spoofing: Fraudsters can also spoof the SEC’s phone numbers to make it appear as if the call is coming from the SEC. The caller might claim to be an SEC official and may try to convince the target to reveal sensitive information or send money.
It’s important to note that the SEC does not endorse investment offers, assist in the purchase or sale of securities, or participate in money transfers. Any communication that claims the SEC will do so is likely a spoofing attempt. As a rule of thumb, any suspicious communication claiming to be from the SEC should be reported to the agency’s Office of Inspector General (OIG).
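The website-spoofing item above turns on "similar web addresses". The classifier below is an added example, not SEC tooling or code from this article, that scores a hostname against the trusted sec.gov name using the tricks such addresses rely on: the trusted name placed as a subdomain of another domain, registration under a different suffix, confusable characters, and single typos or transpositions. The candidate hostnames are constructed and none is a known real site; the registrable-domain logic is a naive last-two-labels assumption, and, as with any heuristic, short domains will produce some false positives.

```python
"""Flag hostnames that imitate a trusted domain (here sec.gov).

Added example, not the SEC's or the article's own tooling. The candidate
hostnames are constructed; none is a known real site.
"""

TRUSTED = "sec.gov"
# Characters commonly swapped for look-alikes in fraudulent domains (assumed set).
CONFUSABLE_CHARS = str.maketrans("0135", "oles")


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and undo common character substitutions."""
    host = host.lower().rstrip(".")
    return host.replace("rn", "m").translate(CONFUSABLE_CHARS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption; a real tool
    would consult the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> tuple:
    """Return (verdict, reason) with verdict in legitimate/lookalike/unrelated."""
    host = host.lower().rstrip(".")
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "legitimate", "is the trusted domain or a subdomain of it"
    norm = normalize(host)
    if norm == TRUSTED or norm.endswith("." + TRUSTED):
        return "lookalike", "confusable characters stand in for the trusted name"
    if host.startswith(TRUSTED + ".") or ("." + TRUSTED + ".") in host:
        return "lookalike", "trusted name used as a subdomain of another domain"
    reg = registrable(norm)
    stem = reg.split(".")[0].replace("-", "")
    if stem == TRUSTED.replace(".", ""):
        return "lookalike", "trusted name registered under a different suffix"
    if osa_distance(reg, TRUSTED) <= 1:
        return "lookalike", "one typo or transposition away from the trusted domain"
    return "unrelated", "no resemblance detected"


# Constructed candidates, e.g. hostnames pulled from links in a suspect email.
CANDIDATES = [
    "www.sec.gov",
    "edgar.sec.gov",
    "sec.gov.example.net",
    "sec-gov.com",
    "s3c.gov",
    "edgar.sec.g0v",
    "sce.gov",
    "company.example",
]


def scan(hosts) -> dict:
    """Map each hostname to its verdict."""
    return {h: classify(h)[0] for h in hosts}


if __name__ == "__main__":
    for h in CANDIDATES:
        verdict, reason = classify(h)
        print(f"{h:22s} {verdict:10s} {reason}")
```

Legitimacy is decided before normalization so that genuine sec.gov subdomains are never reported; the remaining rules only run on names that are not under the trusted domain, which keeps the confusable-character substitution from ever relabelling a real address.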