Lots of Weak Links: Phishing Threats and Other Cyberattacks Against Mortgage Industry Require Increased Countermeasures
By Martin S. Frenkel and Brian A. Nettleingham
Any cybersecurity program is only as strong as its weakest link. And in a mortgage industry that increasingly has so many players in a given transaction and relies on mobile and online platforms for even the most complex transactions, there are plenty of weak links.
Hackers and scammers have focused their sophisticated and evolving efforts on mortgage lenders and related service providers because of the multiple entry points available, the lack of coordinated security efforts, and the riches in personal and financial information that await them after a successful breach. With the pandemic further accelerating the move to virtual transactions, including more financial employees working from home, the threat of fraud and scams has only grown.
According to the 2021 edition of the LexisNexis True Cost of Fraud Study: Financial Services & Lending, released in January of this year, the cost of fraud for U.S. financial services and lending firms rose between 6.7% and 9.9% during the pandemic. But the fraud costs soared even more in mortgage lending, rising 23.5% compared to before the pandemic. Fraud costs and attack volumes remain significantly higher as we move through 2022, with many experts predicting that Russia’s struggles in its invasion of Ukraine, and the crippling economic sanctions that followed, will lead to more aggressive cyberattacks originating from the country.
Playing on the Scammers Turf
In a way, hackers and cybercriminals have not descended on the mortgage industry so much as mortgage lending (and residential real estate transactions generally) has moved onto their turf. Lenders have responded to pandemic-driven consumer demand, as well as the push from the real estate industry, for online convenience and real time transactions, expanding the number of touchpoints for possible breaches. Also, the many individuals involved in a given transaction, including title agents, real estate brokers, and remote notaries to name a few, may not all be practicing the same level of cyber-hygiene needed to parry rapidly evolving threats that may not even be detectable to those with robust fraud and risk mitigation programs.
Mortgage transactions are particularly vulnerable to phishing scams. A typical phishing attack involves a hacker inserting themselves into a mortgage transaction through an email to the borrower, real estate agent, a title escrow company, or a loan officer, involved in the transaction. The hacker impersonates one of the legitimate parties to the deal seeking a wire transfer to an account controlled by the hacker, or asking them to click on a link contained in the email. Clicking on such links, of course, essentially opens the door to the entire transaction. These emails do an impressive job of mimicking the look and content of emails from a legitimate party to the transaction in terms of the appearance of the e-mail, url, and language used, making it extremely difficult for the transactional players, who are under ever increasing pressure to move the deal forward as quickly and seamlessly as possible, to tell the difference.
Convenience v. Security
Unquestionably, lenders and other related real estate industry players need to significantly ramp up their cybersecurity efforts to keep up with the creativity and relentlessness of hackers and scammers. This includes taking a multilayered and fully integrated approach that provides for multiple levels of authentication and verification tailored to the potential risk of the transaction, as well as adding third-party, real-time data and transaction tracking tools.
The challenge for lenders is that consumers and real estate industry providers expect speed and convenience in their interactions. They want easy access throughout their transaction, regardless of the platform or device they use. Security measures that are too onerous or increase friction in the customer experience can harm a lender’s brand. But that harm must be weighed against the even greater damage that can result from inadequate security measures.
Lenders and other financial servicers that have lost money to phishing scams and cyberattacks have tried unique litigation strategies to try to recover those funds, but such efforts are far from easy and can’t be counted on to bear fruit.
Review and Enhance Cybersecurity Insurance Coverage
Besides increasing active security measures, lenders should review and enhance their cybersecurity insurance coverage to insulate themselves against attacks and data breaches. Such policies typically provide multiple benefits if a breach occurs, including:
- Insuring against theft, loss, or unauthorized disclosure of consumers’ personal information.
- Assisting with compliance with breach notification laws.
- Providing separate limits to cover the cost of determining the cause of the breach, attorney’s fees to comply with applicable breach notification laws, and costs for ongoing credit monitoring.
- Covering public relations and crisis management expenses.
- Filling cyber liability coverage gaps in existing property, general liability, professional liability, directors and officers, and employment practices policies.