#MBASpring21: Tracking Cybersecurity Threats

(l-r: John-Thomas Gaietto, Thomas Clerici)

Last year was a challenging one for many reasons. Beyond the global pandemic, there was record growth in cyber threats that affect mortgage companies, analysts said during MBA’s Spring Conference & Expo 21.

“Throughout 2019 and into 2020, the common threat vector most people talked about was ransomware,” said John-Thomas Gaietto, Executive Director of Cybersecurity Services with Richey May & Co. LLP, Englewood, Colo.

Research by Palo Alto Networks found ransomware increased at a 171 percent year-over-year pace and reached almost $850,000 per incident. “The good news is that ransomware was not the number one issue in the mortgage industry last year,” Gaietto said. “But we saw a dramatic increase in email scams targeting both mortgage industry employees and consumers as well. Just after many states locked down last March, that rate doubled and has continued to have tremendous volumes throughout 2020 and into 2021.”

Gaietto said bad actors have started to use cloud-based services. “Just as our industry has leveraged software-as-a-service or SaaS platforms for origination and improving underwriting, the bad guys have created something called ‘crimeware as a service,’ or CaaS,” he said. This crimeware as a service has become the new normal as the barriers to entry for hackers continue to decline. “It’s creating an easy way for bad guys to create scam emails,” he said. “There’s also been a massive increase in scam text messaging and malware targeting organizations.”

Though many mortgage firms have made massive investments in anti-malware, “it’s still very, very important to continue to educate your employees on what these scams look like,” Gaietto said. “Educate them in how to handle questionable emails that arrive, because it’s easy for one attachment that looks legitimate to come in and as soon as someone clicks on it, you could have a ransomware attack or a data breach on your hands.”

Gaietto noted ransomware has fallen a bit in the threat stack as malware and exposed data threats have grown. “The reason for that is the pandemic, which pushed many people into a remote work environment,” he said. “The bad guys have realized that many people are becoming more conditioned to not question digital messages as much as they used to. What might have been a telephone call or some other walk-up transaction are starting to be sent via instant messages and email. And the bad guys are preying on that.”

On the consumer side, Gaietto said that as the origination process becomes increasingly digitized, new challenges are emerging in which bad actors persuade consumers to wire their earnest money or other funds to different areas. “They are leveraging a sense of urgency,” he said. “In many markets across the U.S., the availability of housing is constrained, which creates urgency in the consumer. When any message comes in, the odds of a bad guy being able to bait the hook and reel the consumer in increase dramatically. Those odds will likely continue to increase the longer we are in this pandemic and the longer we continue to rely on digital communications.”

To address these emerging threats, Thomas Clerici, Executive Vice President and Chief Technology Officer/Chief Information Security Officer with Freedom Mortgage Corp., Indianapolis, said mortgage firms must ensure they are hiring and promoting the right people. “You wouldn’t make a junior financial analyst the CFO,” he said. “Take the same approach with cyber security.”

Make sure your IT team takes care of the basics, Clerici said, noting that in many cases, cyberattacks that were successful were not necessarily complex attacks. “The security basics would’ve prevented many of these issues,” he said. In addition, always manage your third-party vendor risk. “In this industry, there are not too many companies that go it alone,” Clerici said. “You have third parties that you have to rely on that provide a service. At the end of the day, their compromise can become your compromise. So you need to have some type of due diligence in place to show that you’re being responsible.”