Residential Magazine

Lurking in the Shadows

Ransomware emerges as a growing threat to the mortgage industry

By Ara Aslanian

The mortgage industry may have been slow to adopt new technology, but it has quickly made up for lost time. Innovations in financial-services technology have changed every aspect of mortgage origination over the past few years. Brokers now rely on software that helps them better communicate with lenders — such as applications and websites that increase efficiency and transparency, online calculators, electronic-application marketplaces, document-generation software and customer relationship management tools.

Unfortunately, each new technology also brings new opportunities for cybercriminals, who are a rapidly growing threat to all businesses. Companies that handle large amounts of data are clearly in these hackers’ sights. The risks are even higher for small and midsized companies that may have inadequate security in place, or those that lack the IT personnel to assess and monitor risk and compliance.

Ransomware involves hackers penetrating a network with malicious software that encrypts victims’ files, systems and data, then demands a payment to release them. This tactic has been on the upswing in the past few years. The COVID-19 pandemic has made it even more common as criminals exploit the switch to remote working. 

Companies struck by these attacks paid an average ransom of about $111,000 in first-quarter 2020, a 33% increase over the previous quarter, according to cybersecurity firm Coveware. This figure doesn’t include the additional losses from downtime, IT spending to recover and secure systems, and the damage to a company’s reputation.

The good news is that there are steps your company can take to lower risk — and for less than you might expect. With proper employee education, data-protection, system-backup and recovery efforts can protect your company. These steps below will help keep your company from becoming a hacker’s latest victim.

Protect vulnerabilities

The first move every business must make is to ensure its network is up to date with antivirus- and malware-detection software. Firewalls need to be correctly configured to keep any malware-infected device that accesses your network from infecting other devices. 

Software developers and security professionals frequently release patches and updates as they discover new vulnerabilities, so be sure to keep track of developments and have a system in place to implement them. Don’t forget to regularly remind employees to update the software on their own devices to stop a virus from spreading.

Many attacks occur when criminals exploit the links between networks. This includes the interfaces between a business’s network and a vendor’s technology. Once your network is breached, criminals can install software that disables it and demand a payment to restore it. 

Before installing a vendor’s software, or connecting with their apps and plug-ins, determine what security protocols the vendor uses to protect its network. Confirm the protocols it has in place to protect the data it stores. When setting up connections to any outside software, change the default password. Limit access to systems to employees who absolutely need it. And remember to keep all passwords away from prying eyes by using a password manager such as Dashlane or LastPass. 

Watch email

Despite the increasingly sophisticated tools hackers are using, a high percentage of cybercrime still relies on email phishing schemes. Business email compromise scams cost companies $26 billion between 2016 and 2019, according to the FBI. These schemes have evolved from mass-distribution emails to “spearfishing” campaigns that are subtle and more difficult to recognize. 

Hackers may impersonate suppliers, vendors, or even colleagues or CEOs in an attempt to get an employee to open a damaging email or attachment. According to one analysis, 93% of phishing emails contain ransomware. Common tactics hackers use to get recipients to click on a dangerous link include sending phony invoices from vendors, requesting wire transfers in emails that appear to come from CEOs, or collecting data through emails that pretend to come from human resources. 

Fortunately, there is a growing number of spam- and phishing-protection tools that use the latest in artificial intelligence to detect and identify these threats. But don’t rely on them alone. Business owners need to work closely with their IT managers to stay informed about the latest phishing schemes, and they should frequently remind employees that they should not open a suspicious email or download its attachments.

Prepare employees

Many businesses weren’t ready for the rapid shift to remote working, and hackers have taken advantage of that. It is imperative to use a virtual private network, or VPN, to create a secure internet connection from any remote location to your company’s network. 

The next step is to teach your employees to use it properly. If your business hasn’t done so yet, draft clear policies and procedures for employees who work remotely. Employees should have secure passwords and avoid using public wireless systems. Remind employees to never print electronic files, or download files to an unsecured personal hard drive or thumb drive.

Hackers look for easy routes to success. Most often, that’s through employees. A robust cybersecurity program needs to incorporate technology, but that will only fully protect you if your employees are properly trained. In their hurry to complete tasks, employees often take shortcuts for convenience or expediency, and data security falls by the wayside. 

Many companies mention data security during onboarding and then it is forgotten, but it is crucial to regularly remind employees about cybercrime. Whether through company meetings or emails, frequently remind employees to back up their data, and let them know about trends in cybercrime and the latest schemes. 

Every employee should password protect everything that can be protected — phones, tablets, computers and any other devices that allow it should have a password or PIN, as well as two-step authentication. As a final step, let your staff know that your IT department or manager is monitoring their technology use, including emails. This can help them realize the importance of the issue and also protect you from internal fraud.

● ● ●

With everything that a mortgage originator has to do in a day, especially during these challenging times, keeping a business safe from cyberattacks tends to fall to the bottom of the priority list. But this is a risk no company can afford to take. Technology and cybercrime are always evolving, and business owners need to keep up to protect their companies and reputations. 

For those who can’t find the time or don’t have a trusted IT manager to take on the responsibility, it may pay to work with a specialist who can set up systems correctly and keep you in the loop about potential new threats. With criminals attacking a business with ransomware every 40 seconds, there is no time to waste. ●


  • Ara Aslanian

    Ara Aslanian is a founding partner and CEO of reevert, a software-as a service startup that provides data-backup and disaster-recovery services, and Inverselogic, a technology consulting and management company. He has more than 20 years of experience in enterprise information-technology systems and cybersecurity. Aslanian completed training in cybersecurity risk management at Harvard University. He is a member of the advisory board at LA Cyber Lab and is on the leadership council of Secure the Village, both of which monitor and counter emerging online threats.

You might also like...