As more and more business happens through the internet, cyber threats have become a common concern for most. It is predicted that a new cyber attack happens every 11 seconds.
Mortgage lenders are often targets of hackers because of the high-value transactions taking place with their clients. While big companies have gone to great lengths to protect their corporate security infrastructure, cyber safety on the consumer level is still “woefully inept,” according to Chase Cunningham, chief strategy officer at cybersecurity firm Ericom Software.
“We still have this issue of people not accepting that they need to make cyber security, and the need for security, part of their everyday lives,” he said.
Issues on the consumer side of internet operations are simple to exploit. It requires extra vigilance on the part of mortgage companies to protect client information, as well as their own operations. More attention paid to security will lead to payoffs down the road.
“There’s data that proves if you have real security in place, you are able to do business quicker, better, faster, and people will be willing to do more business with you. So it’s a business benefit to do security.”
Awareness and precautions go a long way toward preventing cyberattacks, and there are several steps mortgage companies can take to ensure their businesses are knowledgeable and prepared to deal with threats.
Phishing and identity theft
Compromised credentials and phishing are the most common methods of cyberattacks, Cunningham said. “And those are so prevalent that it’s an everyday, every hour thing.”
Phishing is the term used when fraudsters make emails look like they are coming from a legitimate business in order to obtain personal data. The text-message equivalent is referred to as smishing. Both are common entry points leading to theft of personal information. Once fraudsters obtain a person's credentials, that person’s contacts are immediately threatened as well.
“When they infiltrate a victim, they record everything that’s going on in their browser,” said Oleg Kolesnikov, vice president of threat research and detection at security analytics and operations management platform Securonix.
“The browser has special session-related cookies. So they could impersonate the person browsing to their bank or their mortgage provider. Then, following that, they basically leverage those to apply for mortgages, and as part of doing that they can impersonate the browser of the user.”
The initial breach commonly leads to wire fraud, a trend that Todd Keller, chief information security officer at Cherry Creek Mortgage, has seen increase over the past few years. But it also opens the door to possibly more serious outcomes, including ransomware attacks.
“The bad guys get access to your system, and then, once they have a foothold on the network, they move laterally,” Keller said. “They start to own other systems, find out what’s happening on the network. Where’s the data? Where’s the crown jewels? How can I get that out?”
The mortgage industry is particularly vulnerable to infiltration due to its common use of email for business.
“Email continues to be ubiquitous in the mortgage industry for transacting a loan,” Keller said. “So you’re working with a lot of third parties — whether it’s title, real estate, the borrower themselves — and a lot of that information about specifics around the loan will be communicated via email. So the bad guys realize this, and that’s an easy target.”
More parties = more risk
Aside from threats posed through their emails, third- and fourth-party participants within the mortgage process add an extra layer of risk, said Keller. We have seen a significant uptick in terms of outside risk to lenders and their clients over the past few years.
“That would be an example of a fourth-party risk,” Keller went on, illustrating the potential for confusion, “Where ‘Wait a minute, you’re telling me that this software component from a third-party software that I didn’t even know one of our third-party vendors is using is potentially compromised, and there are active attacks going on?’”
Personal data sold on dark web
The dark web can only be accessed through special software and is a safe haven for cyber criminals. The dark web marketplace allows stolen personal information to be bought and sold. This is the starting point for many criminals to obtain information about potential victims. Data suggests 3 billion compromised usernames and passwords are on the dark web, Cunningham said.
Also available on the dark web are phish kits — pieces of web code that mimic a login page for a legitimate company. “Anybody who really wants to can go purchase that and register a domain name,” Keller said. “And within 15-20 minutes, they can drop that on there, and lo and behold, they can start sending phishing email.”
Mortgage banks are less likely targets for ransomware attacks — but danger still lurks
Fortunately, for a large section of the mortgage industry, malware and ransomware attacks do not pose as big a threat as in other industries, thanks to the investments large banks realized they needed to make.
“The bad guys are going after the lowest-hanging fruit, and banks often are not. They have controls in place,” Kolesnikov said.
But by no means are other real estate and mortgage-related businesses immune from ransomware attacks. Smaller mortgage banks are also seen by cyber criminals as easy targets.
“They go downstream and look for these little mortgage providers that have five employees, twenty employees that are all remote, all digital,” said Cunningham. “They go after them and work their way up.”
Remote work has created more opportunities for fraudsters
Remote work has created more potential for online fraudsters. Working from home usually does not offer the same cyber protection to employees as working in the office does.
“Whatever device they use to access the network, that is an entry point into an internal network. Those devices need to be secured,” said Stephen Lineberry, chief information security officer at Blue Sage Solutions, the digital loan origination platform. “And there’s cases where the company doesn’t even own the device, so they have a really hard time putting controls on it.”
“When that device is outside, it brings all kinds of concerns,” he said, adding that policies need to be set around non-company devices and included in security awareness training. Everything from weak passwords to unfamiliar wifi networks can invite threats to a company’s system.
“Anything that creates an opportunity for someone to take that device and get into your internal network needs to be addressed,” Lineberry said.
Every company is a target, but precautions are simple to take
Simple safeguards can be put in place to greatly reduce risk. Precautions such as software patches and multi-factor authentication security are recommended by experts.
“If you do these things, you actually reduce a lot of your risk, and it’s things like — make sure all your systems are patched up, know what systems are accessing your systems. So patch them. Get MFA set up anywhere and everywhere,” Keller said. “Just by doing some of those basics, we just reduced our risk pretty significantly.”
Companies should frequently test that their security measures are working, since they tend to wear down.
“I think sometimes there’s a false sense of security related to the fact that we have controls in place and therefore we are protected. Controls often do not mean protection. Protection has to be validated and validated on a continuous basis,” he said.
It is important that companies make security and security threats an integrated part of their training. Employees should know how to spot potential threats and how to react accordingly.
“I think it’s a fair statement to say there’s going to be attempts on everyone,” he added. But the attempts won’t turn into incidents if the precautions are taken. While no system can be foolproof, organizations that take cybersecurity risks seriously will still end up ahead.
“Information security — it’s impossible for it to be perfect. You just need to be better than everyone else that you can, because then you’re not an attractive target,” Lineberry said.
Emerald Glen Title Agency takes pride in protecting your personal information. It is important to know that our email will always end in @egtaltd.com. Also, we will never change wiring instructions during a transaction. In addition, we will never call you to change the wiring instructions. Knowing how to spot phishing and other fraud tactics will help protect you and your finances.
This article was sourced from National Mortgage News.