The mortgage industry still faces the same cybersecurity threats it has in the last 10 years. In turn, efforts to strengthen infrastructure and security are increasingly important, experts emphasized Monday at the Mortgage Bankers Association (MBA) Expo at the Technology Solutions Conference in San Jose, California.
Phishing, a form of social engineering in which attackers trick people into revealing sensitive information by installing malware, remains one of the most common ways to gain initial access to customer or supplier data, Ariel Manalo, director of information security and vice president of infrastructure at Evergreen Mortgage Loanssaying.
“I would say more recently we are seeing a lot more impersonation, specifically anecdotally, in our environment, where they are texting different employees, posing as senior executives with the old gift card scam…. Emails are also flooding, and we are seeing a huge increase in them,” Manalo said.
Last year in particular, a common trend was the spread of ransomware via USB drives, Evan Bredahl, Customer Solutions Engineer at red canarysaying.
“Threat actors (…) bought a large number of USB drives and put the malware underneath (…). The United States has been hit hard with these USB drives. How many times have you been to a vendor trade show and they hand out USBs? We don’t really know what the supply chain is there,” Bredahl said.
Dubbed the ‘Raspberry Robin’, Red Canary found that around 4% of its customers were affected by this activity in 2022, which the company initially discovered in May of last year.
In July, Microsoft observed hackers delivering prolific public ransomware, called SocGholish. Both were among the top 10 threats affecting Red Canary customers last year.
“There has definitely been an uptick where they are making money. It is profitable for them. They have monetized it; they basically have a complete business model. Do you want to hire hackers? Want to hire Distributed Denial of Service (DDoS) staff? Do you want ransomware? It’s out there, go out and buy it, right? So it’s available; they are making money,” Manalo said.
Amid the growing risk of security threats, government-sponsored enterprises (GSEs) such as freddy macthey are making security mandatory, Manalo said.
“Especially in the Freddie Mac regulation, it basically says that if you don’t comply, we can terminate your access to any or all of the Freddie Mac stuff (…). That makes security mandatory,” Manalo said.
In October, Freddie Mac published Newsletter 2021-31updating its risk mitigation requirements for Sellers/Managers and Third Parties.
The newsletter includes language that makes Freddie Mac a third-party beneficiary of vendors and third-party service providers of Freddie’s vendors and administrators. It also includes notification requirements with direct reports to Freddie for certain events, such as security incidents.
As the mortgage industry becomes more technologically interconnected, companies are looking to spend more on security and IT infrastructure.
Some 53% of organizations will increase IT spending by 2023, and 65% of organizations plan to increase cybersecurity spending this year, according to CSO Magazine.
“I would say stay curious, diligent, persistent, and what that means is curiosity. The bad guys are creative. There is something in which the defenders always have to get it right”, said Manalo.
