Mortgage Industry Losses Due to Phishing Scams/Other Cyberattacks: Who’s Left Holding the Bag? Will Your Insurance Coverage Bail You Out?

Martin “Marty” S. Frenkel and Brian A. Nettleingham are Shareholders with Maddin Hauser, Southfield, Mich. Frenkel is an experienced business litigator and executive committee member and co-chair of the firm’s Financial Services and Real Property Litigation group. Nettleingham works with the firm’s Financial Services and Real Property Litigation and Complex Litigation and Risk Advisory practice groups. He serves diverse clients on a range of issues.

Martin S. Frenkel

It’s a busy Tuesday morning, and you have a to-do list that stretches farther than the eye can see. You turn to your emails to knock out a few quick tasks before your next meeting, and you see an email from someone you’ve worked with for years. She’s letting you know her office has updated its payment instructions for your upcoming transaction, with new wire details attached. Knowing you must confirm any changes to payment instructions by phone, you give her a quick call, and her assistant confirms the account and routing number in the attachment. You proudly check that item off your list and move on with your day.

Brian A. Nettleingham

Unfortunately, a cybercriminal has also just checked a big item off their list. They have executed a classic phishing scam, flawlessly impersonating your longtime colleague and getting you to unknowingly unlock the door to every aspect of the transaction and send hundreds of thousands of dollars to some unreachable corner of the dark web.

You are not alone in falling victim to a phishing scam. Cybercriminals have ramped up their attacks on the mortgage and real estate industries, taking advantage of the multiple entry points available in every transaction, the lack of coordinated security efforts among the parties, and the abundance of personal and financial information that awaits them after a successful breach.

Proactive steps and enhanced cybersecurity efforts are, of course, critical to reducing the risk of significant losses – and significant legal exposure – due to phishing and other data breaches. But the ceaseless ingenuity and sophistication of scammers mean even the best defenses can’t guarantee the security of a mortgage transaction or the funds involved. Lenders and other industry players must be ready to address the financial and legal implications of a successful payment diversion in a phishing scam or other attack. This includes understanding not only the nature of these scams but also the options for holding negligent parties responsible for such losses and your insurance coverage’s role in insulating your company from claims.

Weak Links in the Mortgage Lending Chain

Mortgage transactions are particularly vulnerable to phishing efforts largely due to the number of people and organizations involved in every deal. A transaction is only as secure as its weakest link, and many potential weak links exist in the mortgage lending chain. The many people and companies involved in a given transaction, including title agents, real estate and mortgage brokers, and remote notaries, may not all be practicing the same level of cyber-hygiene needed to fend off rapidly evolving threats that may not even be detectable to those with robust fraud and risk mitigation programs.

In a typical phishing attack on a mortgage transaction, a hacker inserts themselves into the deal through an email to the borrower, real estate broker, title escrow company, loan officer, or mortgage processor. The scammer does so by impersonating one of the other legitimate parties to the deal, requesting a wire transfer to an account controlled by the scammer, or asking the recipient to click on a link in the email. Clicking on such a link, of course, essentially opens the door to the entire transaction. These emails are often impeccable, mimicking the look and content of legitimate emails from an actual party to the transaction in terms of appearance, URL, and language used. For deal participants, all of whom are under pressure to move the transaction towards closing as quickly and seamlessly as possible, these meticulous reproductions can be fiendishly effective. 

And in the blink of an eye, the money is gone. Just as quickly, all eyes turn to you for answers – and every dollar of the absconded funds.

Claims Against the Weak Link

For lenders and other financial service providers that have lost money to phishing scams, identifying the party or parties who dropped the ball and exposed the transaction to fraud is the first step in determining how best to approach and remediate the situation.

A lender may assert various claims against the “weak link,” such as a mortgage broker, real estate agent/broker, or closing agent/title agent. These include claims for negligence, gross negligence, and breach of fiduciary duty, among others, that could result in a recovery from the responsible party pre or post-suit. Such claims may also trigger coverage held by that party under its E&O, Cyber, or CGL policy.

Regarding the bank that received the transfer, there could also be claims for negligence, violation of the Electronic Funds Transfer Act, or Article 4A of the UCC, to name just a few bases for potential liability. The odds of such causes of action bearing fruit become significantly greater if it can be shown that the receiving bank failed to comply with its own internal policies and practices regarding such acts, the Bank Secrecy Act, or Anti-Money Laundering statutes. 

Shoring Up Your Defenses

Unquestionably, lenders and other related mortgage and real estate industry players need to significantly enhance their cybersecurity efforts to keep pace with unrelenting cybercriminals’ creativity. This includes taking a multilayered and fully integrated approach that provides multiple levels of authentication and verification tailored to the transaction’s potential risk and adding third-party, real-time data and transaction tracking tools.

Examples of steps that lenders can take to shore up their defenses include:

  • Having an internal policy requiring employees to independently locate and contact the closing company via phone to confirm the intended closing, verify its details (ensuring that the closing is real), and verify contact information for sending wire instructions to see if it matches the spoofed email (close examination should demonstrate the information does not match, thereby potentially preventing the fraud). 
  • Communicating with the borrower using an encrypted service and advising the borrower that only communications sent in this manner are reliable (a further safeguard against inadvertent dissemination of information about the transaction). 

Enhancing Your Cybersecurity Insurance Program

Besides increasing active security measures, lenders should also review and enhance their insurance coverage programs to insulate themselves against liability for attacks and losses due to phishing and other cyberattacks to the extent possible. This should include obtaining coverage under their own E&O or CGL policy or securing a fidelity bond relating to employee negligence and malfeasance in financial transactions.   

Additionally, purchasing a cybersecurity insurance policy can fill cyber liability coverage gaps in existing property, general liability, professional liability, directors and officers, and employment practices policies. Such policies typically provide multiple benefits in the event of a breach, including:

  • Insuring against theft, loss, or unauthorized disclosure of consumers’ personal information.
  • Assisting with compliance with breach notification laws.
  • Providing separate limits to cover the cost of determining the cause of the breach, attorney’s fees to comply with applicable breach notification laws, and costs for ongoing credit monitoring.
  • Covering public relations and crisis management expenses.

The last, and perhaps most important point, is urgency. When you discover a phishing scam, you must act quickly for both the purposes of providing you with any chance to recover stolen funds and placing insurance carriers and potentially responsible parties on notice.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at msorohan@mba.org; or Michael Tucker, editorial manager, at mtucker@mba.org.)