The Evolving Cyber Threat

Originators need to know about the latest cybercrimes and how to stop them

As digital crimes grow increasingly sophisticated, residential and commercial loan originators find themselves at the heart of a cybersecurity storm. Managing vast sums of money and troves of sensitive information — ranging from Social Security numbers to payroll information and banking credentials — loan originators are prime targets for cybercriminals. Yet, despite the risks, many in the industry remain woefully unprepared for the threats they face. Loan originators can better protect themselves, their clients and their reputations by understanding threats and regulatory requirements, as well as by learning about recent real-world examples.

Prime targets

Imagine a loan originator’s inbox: dozens of emails flying back and forth between borrowers, real estate agents, attorneys, title companies and other financial institutions. With hundreds of thousands — sometimes millions — of dollars at stake in each transaction, it’s no wonder cybercriminals see the real estate sector as a gold mine. The stakes are high, and so is the potential payout for anyone who manages to exploit weak cybersecurity defenses.

One of the most dangerous forms of attack that loan originators face is the business email compromise. In these schemes, cybercriminals infiltrate a company’s email system, impersonate employees or clients, and divert funds intended for legitimate transactions. These attacks are so convincing that even seasoned professionals can be duped. Sometimes hackers will register domains that are confusingly similar to those that the loan originator is used to dealing with and use the new domain to trick the originator or the client into wiring funds to the wrong account.
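As an added illustration (not part of the original article), the sketch below shows how a mail filter or a manual review script could flag sender domains that imitate a known counterparty before anyone acts on wire instructions. The domain names, the substitution list and the distance threshold of 2 are constructed assumptions.

```python
import unicodedata

# Constructed allowlist: domains of counterparties the originator really uses.
TRUSTED = {"firsttitle.example", "summitbank.example"}
# Character swaps commonly used to make a domain look like another one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Collapse common visual tricks so lookalikes map to the same string."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d.replace("-", "")

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    if not domain.isascii() or "xn--" in domain:
        return ("review-idn", None)  # internationalized name: check by hand
    for good in sorted(trusted):
        same_name = domain.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]
        close = edit_distance(skeleton(domain), skeleton(good)) <= 2
        if same_name or close:
            return ("lookalike", good)  # hold wire instructions, call to verify
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("closing@firsttitle.example", "closing@firsttit1e.example",
                   "wires@surnmitbank.example", "wires@summitbank.test",
                   "news@unrelated.example"):
        print(sender, classify_sender(sender))
```

A small edit-distance threshold can misfire on very short domain names, so a "lookalike" verdict is a prompt for out-of-band verification rather than proof of fraud.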

Take, for example, a well-known national title insurance company. In 2019, cybercriminals intercepted email communications between the company and clients, sending fraudulent wire instructions that caused clients to lose hundreds of thousands of dollars. The company was left scrambling to recover the funds and repair its reputation.

This wasn’t an isolated incident — email compromise attacks on loan originators and title companies have skyrocketed. Another example of a high-profile data breach took place in 2020 when more than 885 million real estate transaction records were exposed due to a business email compromise attack, putting borrowers’ financial information at risk.

Frustrated borrowers

These aren’t just isolated instances in which a few bad actors get lucky with companies that are unaware. Even one of the largest banks in the world faced a distributed denial of service attack in 2021. In these types of attacks, a malicious actor floods the targeted host or network with traffic until the victim cannot respond or simply crashes, preventing access for legitimate users.

The attack disrupted the bank’s mortgage and loan origination services. The bank’s website and applications were inaccessible for days, delaying transactions and leaving frustrated borrowers in the lurch. And these attacks are becoming more common as hackers seek not just quick financial wins but also the ability to cripple a company’s operations, demanding ransom in exchange for restoring services.

Cybercriminals are always looking for the next loophole to exploit, and SIM swapping is another increasingly popular method. In these attacks, hackers convince mobile carriers to transfer a victim’s phone number to a new SIM card, gaining access to two-factor authentication codes and other sensitive information.

In 2022, a large, online, big-brand mortgage lender was hit with a SIM swapping attack that allowed hackers to access internal systems, reset passwords and steal sensitive client information. Several clients had their personal financial details stolen, leading to fraudulent wire transfers and a flood of legal complaints.

Legal quagmire

Recovering funds from business email compromise frauds or data breaches is notoriously difficult for victims of these attacks, including companies and their customers. Traditional negligence claims are often unhelpful when it comes to cyberattacks. In cases such as the title company mentioned above, plaintiffs tried to argue that the company had been negligent in securing its email systems.

Proving negligence in court, however, is far from simple. Plaintiffs must show that the company failed to exercise reasonable care, but in today’s ever-evolving cyber landscape, it’s tough to define what “reasonable care” means.

What’s more, in many cases, contractual clauses make it the borrower’s duty to verify wire transfer instructions. In such scenarios, courts often dismiss negligence claims, leaving borrowers with few avenues for recovering their losses. This legal quagmire only serves to underscore the need for stronger preventative measures within the industry.

Compliance standards

Given the severity of these cyber risks, loan originators are subject to federal and state regulations designed to protect consumer data, including the Gramm-Leach-Bliley Act, which is one of the most important federal statutes for financial institutions regarding information security and privacy.

The act requires financial institutions, including loan originators, to safeguard nonpublic personal information and maintain a written information security plan. Loan originators must continuously assess risks, train employees on cybersecurity, and confirm that third-party service providers meet strict security standards.

In Florida, loan originators must also comply with the Florida Information Protection Act. This law requires businesses to notify affected individuals and the Florida attorney general within 30 days of discovering a data breach involving personal information. Non-compliance can result in hefty fines, including up to $500,000 for severe violations.

The New York State Department of Financial Services and other governing entities have similar requirements. These laws aren’t just bureaucratic red tape; they represent minimum standards for protecting sensitive financial information. Failing to meet these standards can result in significant financial penalties and reputational damage, as many companies have learned the hard way.

Some of the most common types of cyberattack

  • Business email compromise: Criminals infiltrate a company’s email system and steal money.
  • Distributed denial of service: A network is bombarded with traffic, preventing access for real business.
  • SIM swapping: Hackers convince mobile carriers to transfer a victim’s phone number to a new SIM card, gaining access to two-factor authentication codes.

Test vulnerabilities

The risks are clear, and the legal landscape makes it obvious that loan originators need to take cybersecurity seriously.

First and foremost, originators should implement multi-factor authentication across systems, devices, accounts and apps, particularly those handling sensitive financial transactions. The Cybersecurity and Infrastructure Security Agency has said that using this form of authentication “can make you 99% less likely to get hacked.” While this system isn’t foolproof (as in the case of SIM swapping), it adds an additional layer of security that can thwart many basic attacks involving credential theft.

Additionally, encryption should be standard for all data — both at rest and in transit. Too often, companies rely on outdated or weak encryption protocols, leaving sensitive data vulnerable to interception. Strong encryption is a simple, yet effective way to protect a borrower’s information from prying eyes.

Employee training is another critical component. Cybercriminals frequently exploit human error, using phishing emails to gain access to company systems. Loan originators should invest in regular cybersecurity training for employees, including phishing simulations, to keep staff vigilant. This proactive approach can make a significant difference in preventing business email compromise and other frauds.

And remember, testing your systems for vulnerabilities is just as important as training employees. Penetration testing — where ethical hackers attempt to breach your systems — can help identify weaknesses before cybercriminals do. Regular audits and updates to software and security systems should be part of a broader incident response plan that prepares your company to react swiftly in the event of a breach.

Cyber insurance

When a breach does occur, having a comprehensive incident response plan in place can mitigate the damage. This should include clear protocols for identifying and containing the breach, notifying affected clients and regulators, and communicating transparently with the public to restore trust. Having an expert adviser to help you respond is also critical for success.

But it’s not just internal systems that pose a risk. Loan originators must also carefully vet and monitor third-party vendors who provide software or handle sensitive data. You are only as secure as your weakest partner that has access to your data. All too often, a breach occurs because of a weak link in the supply chain. Regular audits of third-party vendors’ cybersecurity practices are essential to preventing these breaches.

With the growing threat of cyberattacks, many loan originators have turned to cyber insurance, which can cover a range of expenses from legal fees and notification costs to credit monitoring services for affected clients. It can also provide financial protection in the event of business interruptions caused by certain attacks or other disruptions.

Cyber insurance has its limitations, however. Many policies include exclusions for certain types of attacks, such as state-sponsored cyberattacks or insider threats. Loan originators should thoroughly review their policies to understand what is and isn’t covered. Additionally, most policies cap the total payout, which may not fully cover the costs of a major breach or regulatory fines.

There’s also the issue of compliance requirements. Many cyber insurance policies stipulate that policyholders must maintain specific cybersecurity measures — such as multi-factor authentication or encryption. If these measures aren’t in place, insurance claims can be denied. Thus, while cyber insurance provides some level of protection, it should never be seen as a substitute for robust cybersecurity practices.

In today’s world, residential and commercial loan originators are on the frontlines of a cybersecurity battle. The stakes are high, and the consequences of a breach can be devastating. Cyberattacks can cause significant financial loss and irreparable harm to a company’s reputation.

Prevention is half the battle. By adopting a proactive approach to cybersecurity — implementing multi-factor authentication, encrypting sensitive data, training employees and regularly testing systems — loan originators can significantly reduce their risk of falling victim to cybercriminals. Additionally, reviewing third-party vendors, maintaining a robust incident response plan, and carefully selecting cyber insurance can provide added layers of protection.

Cybersecurity is not a luxury; it is a necessity for organizations today. Loan originators who don’t prioritize it risk compromising their clients’ data, their company’s reputation, and their future. Now is the time for action. The threats are real, and the consequences of inaction are too great to ignore.

Read the full article at Scotsman Guide.


Jeffrey Bernstein is a Director of Cybersecurity and Data Privacy in the Risk Advisory Services office at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.