Why Reverse Mortgage Lenders Are Attractive Targets for Cybercrime

Cyberattacks have made weekly — and sometimes even daily — headlines in recent months, including landmark data breaches such as those experienced by credit bureau Equifax and insurance provider Anthem.

And mortgage companies are increasingly a target, says one expert who has studied the market for cyberattacks — most of which today are phishing attacks, or those that seek information via e-mail purporting to be a reliable source.

“The bulk of hacks that end up with a data breach are coming from phishing attacks — 91% start with phishing,” says Justin Kirsch, founder of Folsom, Calif.-based mortgage technology and information security company Access Business Technologies. “They are more like your marketing team than a hacking team. Mortgage companies are being targeted. Phishing schemes are e-mailing every loan officer at a company asking for their username and password. Then they just log straight into your system.”


The number of cyberattacks doubled in 2017, according to the Online Trust Alliance. Yet 93% of breaches could have been avoided through simple steps, Kirsch says in research he published in a recent white paper. Among those steps: regularly updating software and leveraging modern cloud-based solutions.

Why they hack

Most hacking schemes are financially motivated, with data being sold on the black market, or being shared to wire funds or otherwise access money.

“They can prey on your clients, taking out loans in their name or stealing money,” Kirsch said during a presentation at ReverseVision’s UserCon in San Diego earlier this month. “In the last two years, hackers have figured out financial institutions have the most information they want to get to. Of the financial organizations, mortgage companies have the most nonpublic personal information (NPI) of anyone out there. It’s even more than a typical bank, unless the bank is doing a mortgage for the customer. You have more information that can help steal someone’s identity.”

Of the breaches that took place in 2017, 24% affected financial organizations, according to Verizon’s 2017 Data Breach Investigations report. Second to financial organizations, 15% of breaches targeted healthcare companies and 15% targeted retail companies. The public sector was targeted in 12% of attacks.

What mortgage companies can do

Mortgage companies, including small independent organizations, are not defenseless against cyberattacks. There are two main protections lenders and brokers can take, which Kirsch likens to wearing a seatbelt and driving a car that has airbags.

“The equivalent to seatbelt in cybersecurity is two-factor authentication,” Kirsch said. “The programs and software you use have to have it.”

In two-step authentication, a user is prompted to take a second action upon attempting to log in — usually a code or notification sent to another device, such as the user’s phone if he or she is logging in via computer.

The second measure, like driving a car with airbags, is modernizing IT systems. This includes storing information in the cloud rather than on devices, performing regular software updates, ensuring laptops and PCs are two years old or newer, and getting an email guardian.

Additional protections may include updating password protection policies and embracing new cloud services. But above all, mortgage companies need to be open to change.

“People are resistant to change,” Kirsch said. “I’m working for [many] mortgage companies now. They are resistant.”

Written by Elizabeth Ecker

Join the Conversation (1)


  • In 1998 and onward there was a big scare that because a substantial portion of the software only held two digits for the year of a date, we would see massive computer failures across the country on January 1, 2000; the scare was known as Y2K. Yet through diligent and thorough care, what was feared was largely avoided. Since that scare stole the headlines in those years the failure of at least equal concern slipped through the cracks.

    During the same time period, the AICPA with several large security companies began exploring the certification of cyber security. CPAs were being trained to attest to the security of a company’s computer system. As the cooperation progressed, it was soon determined that the level of assurance that CPA firms could provide was at such a low level, the professional liability insurance carriers of those firms began denying coverage for such services. That was the end of opening a new area of practice for CPA firms.

    Essentially what was discovered was that a secure system today was the target of hackers tomorrow and that while security systems might be able to eventually detect breaches, there was no way to block them. The company under system evaluation was like NBA teams the day before facing Wilt Chamberlain’s NBA teams in his prime (except perhaps Boston when Bill Russell was playing); you knew the other team’s defense would eventually fail in that game.

    The same dilemma exists today except it has been proven true at what were once thought impenetrable computer systems. If it’s online and has any value for hackers at all, it will be penetrated; the only question is how deep will that penetration get and how much will the loss and fix cost.

    Although it is logical, it is also somewhat surprising to hear of its concern at the non-bank mortgage lender level.
