Cyberattacks have made weekly — and sometimes even daily — headlines in recent months, including landmark data breaches such as those experienced by credit bureau Equifax and insurance provider Anthem.
And mortgage companies are increasingly a target, says one expert who has studied the market for cyberattacks — most of which today are phishing attacks, or those that seek information via e-mail purporting to be from a reliable source.
“The bulk of hacks that end up with a data breach are coming from phishing attacks — 91% start with phishing,” says Justin Kirsch, founder of Folsom, Calif.-based mortgage technology and information security company Access Business Technologies. “They are more like your marketing team than a hacking team. Mortgage companies are being targeted. Phishing schemes are e-mailing every loan officer at a company asking for their username and password. Then they just log straight into your system.”
The number of cyberattacks doubled in 2017, according to the Online Trust Alliance. Yet 93% of breaches could have been avoided through simple steps, Kirsch says in research he published in a recent white paper. Among those steps: regularly updating software and leveraging modern cloud-based solutions.
Why they hack
Most hacking schemes are financially motivated, with data being sold on the black market, or being shared to wire funds or otherwise access money.
“They can prey on your clients, taking out loans in their name or stealing money,” Kirsch said during a presentation at ReverseVision’s UserCon in San Diego earlier this month. “In the last two years, hackers have figured out financial institutions have the most information they want to get to. Of the financial organizations, mortgage companies have the most nonpublic personal information (NPI) of anyone out there. It’s even more than a typical bank, unless the bank is doing a mortgage for the customer. You have more information that can help steal someone’s identity.”
Of the breaches that took place in 2017, 24% affected financial organizations, according to Verizon’s 2017 Data Breach Investigations report. Second to financial organizations, 15% of breaches targeted healthcare companies and 15% targeted retail companies. The public sector was targeted in 12% of attacks.
What mortgage companies can do
Mortgage companies, including small independent organizations, are not defenseless against cyberattacks. There are two main protections lenders and brokers can take, which Kirsch likens to wearing a seatbelt and driving a car that has airbags.
“The equivalent to seatbelt in cybersecurity is two-factor authentication,” Kirsch said. “The programs and software you use have to have it.”
In two-step authentication, a user is prompted to take a second action upon attempting to log in, usually involving a code or notification sent to another device, such as the user’s phone if he or she is logging in via computer.
The second measure, like driving a car with airbags, is modernizing IT systems. This includes storing information on the cloud rather than on devices, performing regular software updates, ensuring laptops and PCs are two years old or newer, and getting an email guardian.
Additional protections may include updating password protection policies and embracing new cloud services. But above all, mortgage companies need to be open to change.
“People are resistant to change,” Kirsch said. “I’m working for [many] mortgage companies now. They are resistant.”
Written by Elizabeth Ecker