Cyber Security Conference Call with Todd Ferguson, Vice President IT Security
Wednesday, June 13, 2017

James Schmidt, Senior Vice President


Operator: Good afternoon. My name is (Ronnie) and I will be your conference operator today. At this time, I would like to welcome everyone to the Raymond James Cyber Security Conference Call.

All lines have been placed on mute to prevent any background noise. After the speaker’s remarks, there’ll be a question-and-answer session. If you like to ask a question during this time, simply press star then the number one on your telephone keypad. If you like to withdraw your question, press the pound key.

Thank you. I would now like to turn the conference over to Jim Schmidt. Please go ahead, sir.

James Schmidt: Thank you. Thank you, (Ronnie) and thank you all for your interest in today’s call and dialing in.

It’s a privilege to present this cyber security program today and have Todd Ferguson on the line with us to do so. Todd’s a former sergeant in the U.S. Marine Corps. He did that for almost 10 years. Started working for Raymond James in Florida in 2000 after jumpstarting his career with a three-year stint at the financial services firm, (Inaudible) in Florida.

Since 2000, Todd has been a systems engineer, senior network engineer and for the past 12 years has worked within and protecting the network infrastructure of Raymond James. I’m pleased to introduce Todd to all of you today.

Today’s format will be an introduction, the description about how Raymond James protects everything from your personal information to your physical accounts. Todd will speak for about 15 to 20 minutes and has allowed time for any questions or comments afterwards.

Todd, our clients and friends, are waiting to hear from you. Please proceed. Thank you.

Todd Ferguson: Jim, thank you so much. Again, my name is Todd Ferguson. I head up information security for Raymond James. I run engineering operations and incident response, which is just a technical fancy way of saying I run all the technical aspects.

So today, what I’m going to talk to you about is the general situation as we see it and is relative to financial services, the threat as we see it again in the – across the globe and specific to Raymond James and even more specifically to our clients, how we combat this with our information security strategy, our defensive strategy and then how we specifically protect against certain aspects. And then I promise to close at the end with ways that you can help protect yourself as well.

So let’s talk about the general situation. And I think everybody would agree there’s not a day or week that goes by that we probably don’t see some type of news headlines around data breaches, hacking, et cetera in almost every form of news. This transcends almost every single vertical agency and even governments, unprecedented levels of cyber activity, I mean, that we’ve seen. Additionally, the global economy and the borderless environment really adds the complex and is driving part of this.

If we think about this, you know, financial services specifically that we’re one of the number one targets according to some agencies for cyber-attack. Part of this is that more and more you’re seeing cyber aspects, you know, your online banking, you’re doing things that typically you would have done physically 20, 30 years ago is now almost completely digitized and that provides an avenue for cyber attackers.

Additionally, we’re seeing that everything is becoming more mobile, right? So you’re running around typically with your smart phone that has the computing power, that is (in excess) of what it took to put the shuttle in space and men on the moon. So with that comes a level of complexity and also a level of ease.

So if we talk about the general situation and we know that it’s increasing who is it and why are they doing it? And I’ll kind of break it down into what we believe are the five types of categories that we see, and then I’ll focus on some that are specific to, again, what we see in financial services.

You basically have, you know, your criminal activities, criminal actors, nation states or spies, hacktivists, insiders and partners. And the ones I think that we see the lion’s share of, while the media loves to talk about the nation state activities of other countries, typically in financial services, by and large, we will see that it’s criminal actors.

And so the next question will be well why are the criminal actors so active in this area? And the simple is it’s around monetization, right? So these are former organized criminal gangs or some that are – recently stood up that basically are just taking physical crimes and throwing them in cyber. You know, they’re basically running the same frauds that they were previously.

So the financial motive is, again, that the largest one that we see. Now, we can think about typical cases, you know, Target, JPMC, even some of the e-mail hacking schemes recently but generally, what they’re after is some way to monetize that – and I’ll talk a few ways that they’re doing that today.

While we also hear about hacktivists, typically those tend to get a lot of press as well but they tend to not be a non-event. They’re usually running denial of service attacks, trying to stop our ability to service our clients but generally not going after the financial aspects.

Probably the two most prevalent ways that we’re seeing attacks today and by the criminal actors is either credential theft for use later on or ransomware and let’s start with the ransomware aspect.

Ransomware today is we’re – in essence, an attacker will entice you in some way to run some type of program that will encrypt your hard drive and in doing so, they will prompt you for payment. At the end of the day, this is all again about the monetization. They’ve turned this into a business model and we’ve even seen where the criminal actors are standing this up as with call centers to service the call as well because at the end of the day, they want to obtain funds.

Now, it’s not always a guarantee if you pay them that you’re going to get your data back, and we’ll talk about it later on in a way that you can help protect that.

Additionally, we’ve seen where, you know, previously and especially in the last, you know, 10 years or so, it’s become easier and easier to do this. It used to be that this was, you know, folks that were very technically competent. They were – they were the ones that were writing the malware, installing it and running the infrastructure. Today, it’s become a full-fledged business and almost a vertical.

Malware today can be purchased as a service. Denial of services can be bought simply with a credit card and the access to the right Internet forums. You no longer have to be technically competent to launch these types of attacks, which is making them more and more prevalent in lowering the barrier to entry and making it more attractive from a criminal aspect.

Secondly, we talk about credential theft, and this is, again, a very prevalent aspect that we see and it takes forms of phishing or drive-by, et cetera, whereby at the end of the day, what they’re trying to do is steal your credentials. And why are they doing that? Again, it’s back to the monetization.

Once the criminal has access to your credentials, they’ll often use those in banking schemes, try to access your bank accounts, identity theft or in some cases, if they can get access to your e-mail, they’ll find out that you have a relationship with a financial advisor or financial institution and then try and leverage that in wire fraud, ACH schemes or, again, identity theft in general.

If we talk about – especially credential theft and phishing, we really can’t talk that – about that without referencing the most recent election, right?

So John Podesta’s e-mail was hacked by the group known as Fancy Bear that’s been believed to be associated with Russia’s military intelligence. That was basically a phishing attempt where they gathered his credentials and then used that to gain access to his e-mail to further again their intent. While it wasn’t criminal in this particular nature, it was more around nation state but it’s very important that you remember that because we’re going to talk about how you can help protect yourself. But that particular group had compromised somewhere in the nature of 4,000 Gmail accounts, right?

So how are we combating this? And this is really important. So we’ve got a strategy that begins with protect and that’s pretty obvious, right? We want to stop the threat, we want to stop the attackers and how do we do that? Quite frankly, best protective measures money can buy. That may be software, hardware et cetera.

However, we also turn that into, you know, creative solution design and how do we apply that so that it’s unique and helps protect Raymond James?

The next phase is detect, and I think, again, this is pretty popular in the papers today where they’d stay at optimal state. It’s not a matter if you’re going to be compromised, it’s when. So we operate with the mantra of assume that our protective measures are at some point going to fail and how are we going to respond to that?

So we spent a lot of time in testing ourselves, testing our capabilities and ensuring that we’ve got near real-time detection of when bad things happen. And then we’ll come from situational awareness, right? So we’ve gotten to our environment. We keep tabs on the attacker groups out there. Why they think we’re interesting? Why they’re after the financial services industry?

Our next focus is develop and when you – when you think about (here), “OK. Well, what are we developing?” Well, at the end of the day, a lot of this comes down to people, right? So we’ve got to develop our people. We can buy the most expensive and the highest tech – the highest tech out there but that doesn’t mean it’s going to protect Raymond James by itself. So again, it – at the end of the day, it comes down to our folks so we develop them in terms of training, access to resources, ensuring that we’re bringing in the best and the brightest.

And the last phase of that is we partner. Who do we partner with? Well, we’re partnering with other folks in industry. We’re a member of FS-ISAC and FS-ISAC is basically just an information-sharing group within financial services sector that serves as an anonymous clearinghouse for information.

And the reason that’s important is literally, we and other financial services, are all contributing to that so that if we see an attack, we’re sharing it with other financial institutions. If other financial institutions see an attack, they’re doing likewise. So that allows us to basically extend our visibility past our borders into the other financial institutions and take action against that. Additionally, we’re partnering with local law enforcement, national law enforcement and other industries as well.

When we talk about state-of-the-art defenses in the best technology and the best protective measures that money can buy, we run this as a – just like a portfolio or financial portfolio overlapping technologies, defense in depth. And what do we mean by that? So if, for example, standard e-mail today when it arrives at Raymond James is scanned and assessed by no less than five systems. And even then, we’re still combating the attacker out there because they get to make the first move generally and they don’t have to operate within the boundaries of laws.

So very similar to an investment portfolio is about having the right mix of tried-and-true solutions with some of the most emerging or cutting-edge solutions that we can find out there and we’re always out there trying to find those folks that are coming up with new ways to combat this.

So, again, we talk about our people. We recently stood up a group called the Cyber Threat Center. It was born from various groups so that we basically brought them all together and these are the folks that we call that, you know, their eyes on glass. They’re doing the real-time monitoring. This is where we’ve got intelligence analysts that were brought out of former military or three-letter agencies and this is where we’re looking at almost everything that comes into Raymond James, to get that near real-time assessment in response to what’s going on out there.

If you – if I put this on perspective, we gather about 750 billion log events per year. That averages out between 50,000 and 60,000 events per second that are occurring on Raymond James network during the average market day. The best humans in the world can’t comb through all that and that’s where the technology comes to place but has to be coupled with humans that are applying that intelligence and thinking about that.

Of that 750 billion, about 7.5 billion of those are unusual or potentially anomalous that require somebody to look – to actually look into and investigate that, which brings down to about 45,000 triage events for further analysis. And of those, about 1,700 are identified as potential security incidents that we have to then even dig further into.

So I talked a little bit about what the state of the environment is, I talked a little bit about who the attackers are, what they’re looking for and the why and now, I promise that I would wrap it up with some ways that you can actually protect yourself.

If we think back to the Podesta example and credential theft, the number one thing that we can recommend for you to help protect you and your financial account as well as any other account is to opt for two-step verification or what’s called multifactor authentication. Google, Gmail, Microsoft, Twitter, Facebook, LinkedIn all offer this. And basically what it is, it is a one-time password that will be texted to you or sent in another manner that even if an attacker steals your username and password, they won’t be able to access your account. This is probably the number one thing that we can recommend and this is also available in investor access.

Secure your computing devices. What do we mean by that? Keep them up to date, pretty straightforward. You get those annoying patch – reminders in the lower right-hand corner. Patch your systems. The attackers, when they find a vulnerability, they’re trying to take advantage of it pretty quickly and it’s a pretty easy step for you to help protect yourself.

If you can – and I know this is a bit of a pain – we always recommend using separate e-mail addresses and what do I mean by that? Well, if you got one e-mail address that you use for your typical coupons or newsletter subscriptions, you know that that e-mail address is going to get out there. Folks are going to use it, they’re going to send you probably phishing spam et cetera. That’s fine.

What we recommend is using another e-mail address that is solely dedicated to the financial transactions. Your banks and Raymond James will never sell your e-mail address so it’s highly unlikely that you’re going to get any spam or phishing from those. And when you do and you’ll be able to typically determine pretty quickly that that’s not from Raymond James if it’s being reported so.

If you ever get an e-mail that says Microsoft needs you to call them or Raymond James needs you to call them, that’s generally not the way that it’s going to happen. Or somebody calls you and says, “Hey, we’re from Microsoft and we see that you’ve got a problem,” that’s generally not going to happen. So if something of that nature does occur, insist that you get a number available to call them back and validate that number against the company that you expect to call you.

There are a number of ways that you can opt out as well, opt out of mailings, opt out of marketing calls, et cetera, that will help but it’s by no means a protective measure on its own.

At the end of the day, again, one of the largest things that we can recommend is to back up your data. And then we have some more example that we gave. Can you imagine losing all your photos, e-mails, et cetera? And that might compel you to pay the attacker versus if you had your data backed up, you can simply restore from a backup and not have to pay the attacker.

With that, I’ll kind of open up for any questions.

James Schmidt: Hey, (Ronnie). When you – when you give everyone the instructions on how to – how to vocalize the questions through the phone, please ask them to just use their first name.

Operator: Absolutely. As a reminder ladies and gentlemen, if you like to ask a question, press star one on your telephone keypad. Again, that’s star one. We’ll pause for just a moment to compile the Q&A roster.

And we have a question from the line of (Richard).

(Richard): Yes. Hi. If you – I’m just curious, so you get like – today like a scam call from supposedly someone purporting to be the IRS, does it pay to somehow forward that to somebody for anything or does it – or you just kill and that’s all there is to it?

Todd Ferguson: Look, we would always recommend that you report that information. You don’t know if you’re the first person. High likelihood you’re probably not and they’re aware of it but we would generally tell you to report that. Again, the IRS is one that’s never generally going to reach out to you in that manner. They’re going to send you a letter. They’re not going to call you and say that they’re from the IRS.

Some common things that you’ll be able to pick up on typically when it’s a fraudster, there’s usually some level of urgency. They’re trying to compel you to act right now, you know, either “Hey, it’s the IRS and you’ve got an issue and you need to solve this right now.” In the case of the Microsoft scams that we’ve seen, they’re calling you and tell you, “Hey, your machine is infected and you better act right now or there’s going to be a problem.” Generally, they’ll be very compelled and they won’t want to take the time to identify themselves or prove themselves otherwise. The IRS, Microsoft, if you call them, they’re going to take the time.

(Richard): Yes, OK. So I know the IRS would never contact you by mail.

Todd Ferguson: Yes. Yes. And I mean – and honestly, that’s one that, you know, in the past years, we’ve seen an uptick and not specifically the Raymond James but just in general that the IRS scams either for return fraud or compelling folks to make payment to basically a fictitious agency. We’ve seen those increased significantly. It goes back to the criminals looking to gain, again, financial gain out of this.

(Richard): Thank you.

Operator: Again, if you like to ask a question, press star one.

And your next question comes from the line of (Thomas).

Todd Ferguson: Hi, (Thomas).

(Thomas): Yes. Hi. (Ron), has Raymond James ever been compromised or victimized by these criminal groups and if so, how did they get in? Was it through a client?

Todd Ferguson: So we have not had a data breach and I’m doing a (quick) of knock on wood right now that – now typically what we see is the attacker that’s going after the client isn’t the same attacker that’s going after Raymond James as an organization. Two entirely different motivations and let me describe that for a second.

Typically, the attacker that’s going after the client is focused on doing ACH or wire fraud or some other type of payment fraud, right? They’re looking for an immediate return, whereas the attacker that probably is going after Raymond James will be looking to gain bulk amounts of data or in the case of like the SWIFT attack that’s become pretty popular doing a mass money movement.

But let me talk about the further – the first one or further because I think that’s very prevalent and this is one of the reasons we would highly compel you to try and protect yourself with multifactor authentication.

We see the sign on a weekly basis where clients themselves are getting compromised in some way. We typically don’t know how. But the attacker will take over their e-mail account, find that they have a financial service or relationship with an advisor and then actually act as the client trying to compel the advisor to execute a wire fraud, to change an ACH profile or in worst case scenario, try and login, ask you to do that yourself.

Now, in terms of Raymond James, you can’t change those aspects that you have to work through your financial advisor to set up an ACH profile to even get investor access and we are constantly working with our financial advisors to advise them of what’s happening out in the wild so they can be aware of this. And there are rules and procedures put in to how to execute wires and the types of authorizations that they need.

James Schmidt: I want to jump in on that if I can …

(Thomas): Thank you.

James Schmidt: … (Todd), for a second. We had maybe three or four occasions in the past five or six years where – that it’s happened where some outside forces taken over control of our client’s e-mail address and then – and then sent us an e-mail that says something along the lines of, “I’m lost on a fish – on a fishing trip or I’m away from the home and I need money pretty quickly and I don’t have – I don’t have a phone and I just need you to wire the money to me right away.”

Well, there’s two things that we do that we may separate ourselves from our fellow financial advisors. We don’t have a large practice. We have less than 125 clients so we know all of you very well. And we know pretty much where all of you are and we don’t have like retail account where there’s people that we don’t see once a year or don’t have regular ongoing account reviews.

So one of the things that – one of the things that prevents us from falling, we see that and we just – we actually forward e-mails like that to a special, I would call, cyber security section that, Todd, you could tell us more about or we just forward that e-mail and we say, “We think this is a fraudulent phishing scheme and scam.” And, you know, we just stop right there. But we don’t – we’ve seen that happen four or five times in the last five or six years maybe but they’re so amateurish so far – amateurish and don’t really align with what we know that you – how you normally act.

And that’s something that’s a real value in our relationships is that we know – we know you pretty well. And fortunately, you’re comfortable sharing a lot with us that allows us to be on the lookout for things just like that.

Todd Ferguson: Yes, and I think I’d follow up a little bit more on that as well. I think one of the things that you heard Jim reference there is that, again, typically there’s a level of urgency. There’s always going to be a reason why they can’t talk to you. They’ve been mugged, they’re in the hospital, they lost their phone but they need the money now. That’s usually what will be an indicator and is typically an easy one to pick up on.

We have seen attackers get more complex over time. We’ve seen some – know that they could never impersonate the client from a voice perspective. So they leverage the (DEFT TQI) system and say, “OK, I was mugged and my larynx was hurt so I’m going to sound weird.” But the attackers are looking to get more complex and they’re making changes just like we are.

Operator: And there are no more questions at this time.

James Schmidt: Well, thank you, (Ronnie) and thank you, everyone, for dialing in. It’s been an enlightening 30 minutes for sure.

Todd, I can’t thank you enough for carving up this time during your busy day to help us understand more about how Raymond James does treat these issues and I’m pretty sure there may be a question or so that comes up later in our – in our client conversations and we’ll be sure to forward them to you, if that’s the case.

Todd Ferguson: Fantastic.

James Schmidt: Great. Thank you all. All have a great rest of your day. Todd, we’ll see you next time down the home office and thank you once again.

Todd Ferguson: Thank you.

James Schmidt: Take good care now. Bye-bye.
