Cybersecurity Training:: Safeguarding Our Firm and Client Assets
1
Identity Theft is Everyone’s Problem
Sources: Trans Union website, January 14, 2015; https://identity.utexas.edu/id-perspectives/top-10-myths-about-identity-theft; U.S. Department of Justice; Javelin Strategy & Research; The Identity Theft Resource Center website, April 28, 2015
2
It’s Not a Matter of If, but When…
Sources: Javelin 2016 Identity Fraud Study; Verizon 2016 Data Breach Investigations Report; IBM Security Services 2014 Cyber Security Intelligence Index
3
Training Topics
Identify common cyber threats
Identify how cybercriminals use stolen data
−Case Studies
Protect client data
−Charles Schwab protections
−Best practices for protecting client data
−Myths and truths
Respond to a data breach
Resources
4
Common Cyber Threats
5
Common Cyber Threats
1 Email Account Takeover
2 Malware
3 Phishing
4 Credential Replay
5 Social Engineering
6 Call Forwarding
7 Spoofing
6
Email Account Takeover
What is it?
A cybercriminal hacks an email account and searches for emails involving correspondence between the
client and their financial institutions. Their goal is to learn about the victim and their habits so they can
pose as the victim to steal money.
What does it look like?
Our client’s email is hacked and the cybercriminal poses as the client. He/she emails our firm with
instructions to forward funds to an account.
How does it happen?
Cybercriminals find vulnerabilities within service providers’ servers or personal users’ IP addresses to
gain access to login credentials, or to the email account directly.
What’s the impact?
Because the cybercriminal has access to our client’s email and can impersonate him/her, you are likely
to believe the correspondence came from the client. The cybercriminal may provide instructions within
the email to transfer funds to a fraudulent account. Without proper verification, the money could be
transferred and stolen. In the end, our firm may be held responsible for any client losses if we did not
appropriately authenticate the client.
How can you defend against it?
Do not act on email-based requests for sensitive information, money movements, or trading.
Directly verify all requests with the clients and ask questions.
Follow proper identification/verification processes. Use secret passwords, phone call
verifications, and video chats to help verify the client’s identity.
7
Malware
How does it work?
Malicious software is created to damage/disable computers and computer systems, steal
data, or gain unauthorized access to networks.
What does it look like?
Examples of malware include viruses, worms, Trojan horses, ransomware, and spyware.
How does it happen?
Malware may be installed on a computer when a user clicks an unsafe link, opens an
infected file, or visits a legitimate website that could contain adware.
What’s the impact?
Malware can delete files or directory information, or it may allow attackers to covertly gather
personal data, including financial information and usernames and passwords.
How can you defend against it?
Do not click on suspicious links.
Don’t open attachments or click on URLs in unsolicited emails, even from people you know.
Do not open or download any programs, software, files, etc. without prior review/approval by
designated staff.
Do not insert any USB that you’ve received from an unknown/unreliable source.
8
Phishing
70% of cyberattacks use a combination of phishing and hacking
What is it?
Cybercriminals pretend to be a trustworthy source in order to acquire sensitive personal
information such as usernames, passwords, social security numbers, and credit card details.
What does it look like?
An email, phone call or text message from a seemingly legitimate email address or number
instructs you to click on a link to take action (e.g., “validate your account,” “confirm your identity,”
“access your tax refund”). The link brings you to a website requiring you to enter your personal
information.
How does it happen?
Because the cybercriminal masquerades as a legitimate source (e.g., financial institution
employee, client, realtor, banker), you believe the request is from a trusted source and you
unwittingly oblige when they ask you for your personal information.
What’s the impact?
Victims of phishing may have malware installed on their computer systems or have their identity
stolen.
How can you defend against it?
Hover over questionable links to reveal the true destination before clicking.
Beware of cloned websites that may appear to be legitimate. Note that secure websites start
with https, not http.
Alert (insert name) immediately upon receiving a suspicious email.
9
Credential Replay
What is it?
Most people re-use passwords and usernames (aka ‘credentials’). Cybercriminals obtain these
login credentials, test them in large numbers against financial institutions' websites to find
matches, and then request fraudulent fund transfers. Alternatively, they may resell this
information to other cybercriminals to make a profit. Those cybercriminals may then use this
information to commit fraud.
What does it look like?
Cybercriminals hope to access a few accounts by using a large cache of stolen login credentials
to access a firm’s online accounts.
How does it happen?
If the cybercriminal is not stealing these credentials themselves, they can easily purchase large
numbers of stolen login credentials from the dark web. These large volumes of credentials
typically come from data breaches (e.g. Yahoo, Verizon, LinkedIn, etc.).
What’s the impact?
Our client’s account is compromised, and the cybercriminal can quickly re-use their credentials to
access other accounts, and steal additional funds and confidential data before detection.
How can you defend against it?
Help to educate our clients to use a unique password for each account, so that one stolen
credential cannot be used for a quick and invasive attack on all of their accounts.
Make each password unique, long and strong. Use at least 8-12 characters, upper- and
lowercase letters, and symbols.
Use dual factor authentication methods (e.g. tokens).
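The slide describes credentials being tested "in large numbers" against a financial institution's website. The check below, added here as an example and not part of the original deck, shows what that activity looks like in login audit logs and how a defender can flag it: one source trying many distinct usernames with mostly failed logins. The log lines and their format (`src=`, `user=`, `result=`) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (not from the original deck); the
# line format "<time> src=<ip> user=<name> result=<success|failure>" is assumed.
SAMPLE_LOG = """\
2016-06-01T09:00:01 src=203.0.113.7 user=alice result=failure
2016-06-01T09:00:02 src=203.0.113.7 user=bob result=failure
2016-06-01T09:00:02 src=203.0.113.7 user=carol result=success
2016-06-01T09:00:03 src=203.0.113.7 user=dave result=failure
2016-06-01T09:00:04 src=203.0.113.7 user=erin result=failure
2016-06-01T09:00:05 src=203.0.113.7 user=frank result=failure
2016-06-01T09:01:10 src=198.51.100.9 user=alice result=failure
2016-06-01T09:01:30 src=198.51.100.9 user=alice result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_auth_log(text):
    """Yield (source, user, result) for every line in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def find_credential_replay(text, min_users=5, min_failure_rate=0.6):
    """Flag sources that tried many distinct usernames with mostly failures:
    the footprint of a stolen credential list being replayed against a site.
    A legitimate user mistyping one password looks nothing like this."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for src, user, result in parse_auth_log(text):
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "failure":
            s["failures"] += 1
        else:
            s["hits"].add(user)  # credentials that matched: accounts to lock and reset
    flagged = {}
    for src, s in stats.items():
        rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and rate >= min_failure_rate:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "failure_rate": round(rate, 2),
                            "compromised": sorted(s["hits"])}
    return flagged
```

The one successful login inside the flagged burst is the account whose reused password was in the stolen list; that is the account to lock and the client to call, not the source address alone.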
10
Social Engineering
What is it?
This involves the psychological manipulation of people in order to establish a level of trust that
leads to the individual taking action (e.g. divulging sensitive and private information, initiating
funds disbursement request, etc.). The most common form is “phishing”. In this scenario, our
clients’ credentials are obtained from outside sources (i.e. the dark web).
What does it look like?
A cybercriminal befriends one of our clients and builds trust over time, until they are able to solicit
sensitive information from them. That information can then be used to commit fraud.
How does it happen?
Often cyber criminals contact victims by phone, email, or through social media.
What’s the impact?
The criminal commits fraud, steals our client’s money, and then they disappear.
How can you defend against it?
Educate our clients about the information they choose to share on social media, keeping their
personal information private (such as home address, phone number, employer, vacation dates,
and birthdate).
11
Call Forwarding
What is it?
The cybercriminal has arranged, either through the phone company or a compromised phone,
for all calls to our client’s home and/or cell phone number to be forwarded to their phone.
What does it look like?
A cybercriminal gets the phone company to forward our client’s cell number to their cell phone
so they can impersonate our client when we, or any other financial institution our client conducts
business with, calls them back for verification before transferring funds or opening accounts.
How does it happen?
Cybercriminals scam the phone company into forwarding phone calls. They may also use
scanners, eavesdrop, clone our client’s phone identity, and sell bogus ringtones or other
gadgets to access our client’s phone.
What’s the impact?
Your phone is compromised, your conversations may be accessed, and your identity may
be stolen. In the end, our client’s assets may be stolen because the fraudster requested and
authorized a transaction.
How can you defend against it?
Follow proper identification verification processes. Consider using secret passwords to help
verify the identity of people you're corresponding with.
Educate our clients to notice whether they are receiving calls from their financial
institutions in cases where they would expect to receive one (e.g. wire/check requests).
12
Spoofing
What is it?
Masking the source of a communication (phone or email) to look like a reputable source
(e.g. government, call within a company, etc.).
What does it look like?
We receive an email from a cybercriminal who impersonates one of our clients and confirms
a fraudulent wire transfer request.
How does it happen?
There are easy tools available to cybercriminals that help to mask the source/sender. For
example, the cybercriminal can create an email address nearly identical to our client’s email
address (i.e., off by a character), so that, at-a-glance, the email address appears legitimate.
The cybercriminal is relying on our lack of attention to detail in order to commit the fraud.
What’s the impact?
Similar to the other cyberattacks we’ve discussed, our client’s money is stolen, and they become
the victim of fraud and/or identity theft.
How can you defend against it?
Carefully check incoming emails for the proper email address and the correct spelling of the
sender’s name. Hover over the sender’s name to confirm that the underlying email address
matches what you have on file for our client.
If an email or phone call is questionable, contact the sender directly, using the email
address or phone number you have on file for that individual.
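The slide's "off by a character" address is something a mail filter or a quick desk-side script can catch mechanically. The check below is an added example, not code from the deck or from the firm: it compares a From: header against a hypothetical on-file record and reports an exact match, a look-alike address within two character edits, or a familiar display name sitting on top of an unfamiliar address.

```python
from email.utils import parseaddr

# Hypothetical "on file" record for one client (constructed for this example).
ON_FILE = {"Jane Client": "jane.client@example.com"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b.
    An address 'off by a character' from the real one has distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, on_file=ON_FILE):
    """Compare a From: header against the address on file for the client.

    Returns one of:
      'match'                 address is exactly the one on file
      'lookalike'             address is within two edits of the one on file
      'display-name-mismatch' the name is the client's but the address is not
      'unknown'               nothing on file resembles this sender
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    for known_name, known_addr in on_file.items():
        if addr == known_addr.lower():
            return "match"
        if addr and edit_distance(addr, known_addr.lower()) <= 2:
            return "lookalike"
        if name.strip().lower() == known_name.lower():
            return "display-name-mismatch"
    return "unknown"
```

Anything other than 'match' is the cue the slide gives: stop, and contact the client at the number or address already on file.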
13
How Cybercriminals Use
Stolen Data
15
Case Study #1
New Apartment
16
Case Study #1
New Apartment
17
Case Study #2
Wiring Funds on Margin
18
Case Study #2
Wiring Funds on Margin
19
Case Study #3
Purchasing a Piece of Art
Fraudster intercepts email instructions, requesting a different check for an art purchase.
Review of IP addresses revealed a South Africa location. The check payee was a money mule trafficking funds to a recipient located in South Africa.
20
Case Study #3
Purchasing a Piece of Art
21
Case Study #4
Buying a New Property
22
Case Study #4
Buying a New Property
23
Case Study #5
Impersonator Intercepting a Call
24
Case Study #5
Impersonator Intercepting a Call
25
How We Protect Our Firm
and Client Data
26
Charles Schwab Protections
27
Security is everyone’s
responsibility
28
Your Role and Responsibility in Protecting
Our Firm and Client Data
Be strategic with usernames and passwords
Safeguard email accounts
Protect our clients’ assets
29
Be Strategic With Credentials
Do:
− Create passwords that are long and strong, using at least 8-12 characters, upper- and lowercase letters, numbers, and symbols.
− Change your password often. (General rule of thumb: Change passwords every 90 days.)
Don’t:
− Use information that can be easily found about you online or otherwise.
− Share passwords with others.
− Store your passwords online.
− Use any part of your Social Security Number, birth date, or other personal data when creating passwords.
30
Surf Safely
Do:
− Use wireless networks you trust and know are protected.
− Be cautious when using public computers.
− Ensure you are downloading legitimate apps from trusted publishers.
− Be aware that secure websites start with https, not http.
− Be sure to log out completely (which terminates access) when exiting all websites to prevent cybercriminals from obtaining your personal information.
− Hover over questionable links to reveal the true destination before clicking.
Don’t:
− Use public computers to access confidential information or accounts, or to perform financial transactions.
− Click on websites you don’t know or on pop-up ads or banners.
− Click on links or attachments from unknown sources.
31
Protect Our Clients’ Assets
Do:
− Be aware of suspicious phone calls, emails and texts requesting access/changes to personally identifiable information, funds disbursement requests, etc. Be sure to validate that the source number or email matches what we have on file for the client.
− Follow firm client verification and authentication protocols – no exceptions.
− Educate our clients:
  − on our client authentication policies and procedures so they know what to expect
  − to review credit card, cell phone and financial statements on a regular basis.
  − to contact their financial institutions or service providers as soon as they suspect something suspicious.
Don’t:
− Take shortcuts or veer from firm policies and procedures.
− Respond to requests for personal information from an unsolicited email or from an unsolicited incoming phone call.
− Act on email-based requests for sensitive information, money movements, or trading.
32
Limit What You Share Online
Do:
− Ensure that any firm and/or client information that you are entering online is with an individual or vendor/third-party authorized by the firm.
− Educate our clients:
  − to be very selective about the information they choose to share on social media and with whom they choose to share it.
  − to keep their personal information private (home address, phone number, and birthdate).
  − to set privacy and security settings on web services and devices to their comfort level for sharing.
Don’t:
− Do not share any firm or client information on any unauthorized site.
− Do not talk about our clients on social media.
− Do not post personal information about family, friends, clients, co-workers online.
− Do not share information that could help a fraudster gain access to accounts or impersonate the client.
33
Be Aware of and Report Suspicious Emails
Do:
− Exercise caution when reviewing unsolicited email.
− Review sender information to ensure the name was not spoofed.
− Review the grammar and sentence structure of emails to identify potential red flags.
− Cautiously evaluate the risk versus convenience of transferring confidential information by email.
Don’t:
− Do not click on attachments, links or pop-up ads in unsolicited emails, as these links may pass on viruses.
34
Security Myths and Truths…
Myth #1 Myth #2
35
Security Myths and Truths…
Myth #3 Myth #4
Myth #3: Someone else has already reported the strange-looking email I just received.
Don’t assume your colleagues received the same suspicious email or someone has already reported it.
Best practice: You are our first line of defense… “If you see something, say something”
Myth #4: Keeping firm and client information on my desk is safe – I don’t need to lock it away.
Paperwork that is not safely put away can be vulnerable to snooping and data theft.
Best practice: Lock/file all paperwork containing firm and client information each time you are away from your desk.
36
Additional security practices
and behaviors
37
Authenticate
Verbally verify all details of electronic disbursements, at a minimum, with our clients before submitting to Schwab. The verification call is the #1 most effective method to detect and prevent third party fraud – take it seriously.
Discuss the details of the disbursement with the client (amount, destination, account and routing numbers, etc.).
Never authorize a disbursement that the client plans to send in the future.
Probe: for clients you know well, ask about their family or latest vacation. Use personal information about the relationship rather than account “facts” such as social security number, account number, etc. For clients you don’t know that well, ask about recent account activity, call them back at a number listed on their account, establish a verbal password or use video conferencing.
Ask questions about how the client got the instructions. Did they speak to the person giving them the instructions and/or receiving the funds? For high value clients, offer to verbally confirm the disbursement instructions directly with the source.
38
Respond to a Breach
Time is of the essence when responding to a cyber event.
− Immediately report the event to leadership, our Schwab services team or relationship manager.
− Determine the extent and impact of the event.
− Work with leadership to contain the event.
− Work with legal counsel on additional next steps (e.g. communication with clients, local/federal law enforcement, etc.).
− Document all the details of the event and actions taken.
− Debrief with leadership to understand possible failures that led to the event and update policies and procedures to remediate any gaps that caused the failure.
Share the How to Respond to a Data Breach flyer with our clients to educate them on the specific steps and timeframes for action to minimize its impact. This flyer can be downloaded from Schwab’s Cybersecurity Resource Center.
39
Points to Remember
40
Resources
41
Resources
Visit Schwab’s Cybersecurity Resource Center
Additional Resources:
42
Additional Resources
43
Thank You
44