The Stamp

How Fraudsters Target Mortgage Lending

With more aspects of the mortgage lending process being completed online, lenders need to ensure cybersecurity measures are in place.
May 25, 2022
5 min

Across business and finance, dealing with cyber threats has become a regular part of life. Two years ago, researchers at Cybersecurity Ventures predicted that a new ransomware attack would occur every 11 seconds. 

Mortgage lenders can be an attractive target to cybercriminals due to the value of transactions taking place and their long lists of clients, any of whom could be compromised. While larger companies have gone to great efforts to protect their corporate security infrastructure, cyber safety on the consumer level is still "woefully inept," according to Chase Cunningham, chief strategy officer at cybersecurity firm Ericom Software. 

"We still have this issue of people not accepting that they need to make security, and the need for security, part of their everyday lives," he said. 

With flaws on the consumer side of cyber operations easy to exploit, extra vigilance is required on the part of mortgage companies to protect client information, as well as their own operations. More attention paid to security will lead to payoffs down the road, Cunningham said.

"There's data that proves if you have real security in place, you are able to do business quicker, better, faster, and people will be willing to do more business with you. So it's a business benefit to do security." 

Awareness and precautions go a long way toward preventing cyberattacks. Below we round up a few issues security experts said are key for lenders to keep in mind.

Phishing and identity theft are the most common types of cybercrime 

Compromised credentials and phishing are the most common methods of cyberattacks, Cunningham said. "And those are so prevalent that it's an everyday, every hour thing." 

Phishing, the sending of emails made to look like they come from reputable businesses in order to steal victims' personal data, and its text-message equivalent, smishing, are a common entry point leading to theft of personal information. Once fraudsters obtain personal credentials, that person's contacts are immediately threatened as well.

"When they infiltrate a victim, they record everything that's going on in their browser," said Oleg Kolesnikov, vice president of threat research and detection at security analytics and operations management platform Securonix. 

"The browser has special session-related cookies, so they could impersonate the person browsing to their bank or their mortgage provider. Then, following that, they basically leverage those to apply for mortgages and as part of doing that they can impersonate the browser of the user." 

The consequences of the initial breach can lead to wire fraud, a trend that Todd Keller, chief information security officer at Cherry Creek Mortgage, has seen increase over the past few years. But it also opens the door to more serious outcomes, including ransomware attacks. 

"The bad guys get access to your system, and then, once they have a foothold on the network, they move laterally," Keller said. "They start to own other systems, find out what's happening on the network. Where's the data? Where's the crown jewels? How can I get that out?" 

The mortgage industry is particularly vulnerable to infiltration due to the common use of email for business. 

"Email continues to be ubiquitous in the mortgage industry for transacting a loan," Keller said. "So you're working with a lot of third parties - whether it's title, real estate, the borrower themselves - and a lot of that information about specifics around the loan will be communicated via email. So the bad guys realize this, and that's an easy target." 

Risk increases with more parties involved 

Apart from threats posed through their emails, third- and fourth-party participants within the mortgage process add an extra layer of risk, said Keller. He has seen a significant uptick in terms of outside risk to lenders and their clients over the past few years.

"You have this component that, unless you're a developer or a Java junkie, you're not going to know what in tarnation the thing is. And you may not even know that's running in your environment," he said. 

"That would be an example of a fourth-party risk," Keller went on, illustrating the potential for confusion, "Where 'Wait a minute, you're telling me that this software component from a third-party software that I didn't even know one of our third-party vendors is using is potentially compromised, and there are active attacks going on?'"

Compromised personal data is bought and sold by cybercriminals on the dark web 

The dark web, only accessible through special software, is a treasure trove for cybercriminals. Its marketplace, where stolen credentials can be bought and sold, is the starting point for many fraudsters to obtain information about potential victims. Data suggests 3 billion compromised usernames and passwords are on the dark web, Cunningham said. 

Also available on the dark web are phish kits - pieces of web code that mimic a login page for a legitimate company. "Anybody who really wants to can go purchase that and register a domain name," Keller said. "And within 15-20 minutes, they can drop that on there, and lo and behold, they can start sending phishing email." 

Mortgage banks are less likely targets for ransomware attacks — but danger still lurks 

Fortunately, for a large section of the mortgage industry, malware and ransomware attacks do not pose as big a threat as in other industries, thanks to the investments large banks realized they needed to make.

"The bad guys are going after the lowest-hanging fruit, and banks often are not. They have controls in place," Kolesnikov said. 

Smaller mortgage banks are perceived by cybercriminals as easier to victimize. 

"They go downstream and look for these little mortgage providers that have five employees, twenty employees that are all remote, all digital," said Cunningham. "They go after them and work their way up." 

Remote work has created more opportunities for fraudsters 

The remote work options brought on by the coronavirus pandemic added further potential for disruption by fraudsters, especially with many employees now regularly or entirely conducting business outside the office. 

"Whatever device they use to access the network, that is an entry point into an internal network. Those devices need to be secured," said Stephen Lineberry, chief information security officer at Blue Sage Solutions, the digital loan origination platform. 

"When that device is outside, it brings all kinds of concerns," he said, adding that policies need to be set around non-company devices and included in security-awareness training. Everything from weak passwords to unfamiliar wifi networks can invite threats to a company's system. 

Every company is a target, but precautions are simple to take 

A big portion of risk can be reduced with simple precautions, such as software patches, multifactor authentication for both internal and external users and incident response plans, cybersecurity experts agreed. But not all companies take them seriously. 

Regularly testing that security processes are still working is necessary as well, as they have a tendency to degrade over time, according to Kolesnikov. It's a task that companies also overlook. 

"I think sometimes there's a false sense of security related to the fact that we have controls in place and therefore we are protected. Controls often does not mean protection. Protection has to be validated and validated on a continuous basis," he said. 

Making security part of a company's culture and fundamental training is also key to removing threats and should be taken seriously at all levels of the company. "Cybersecurity in today's age - it needs to be integrated as part of your organization - not just something you do. It needs to be touched on and looked at through the entire process," Lineberry said.

This article was written by Spencer Lee from National Mortgage News and was legally licensed through the Industry Dive Content Marketplace. Please direct all licensing questions to
