It’s every company’s worst nightmare: someone has gained access to your data and locked you out. Now they want money to restore your access, but be careful — there’s no guarantee you’ll get it back, even if you pay.
Cybersecurity experts on several panels at the MBA Technology Solutions Conference in Detroit on Monday outlined the greatest risks the mortgage industry is facing right now and what companies can do to prepare.
Among the worst things that could happen? A ransomware attack.
This extortion scheme has morphed in recent years, with individuals or companies offering ransomware-as-a-service, which puts another layer of criminality between you and your data.
“The thing about ransomware is that it pays [criminals] really well, and it’s just so much easy money,” said Thomas Dryden, CIO of Berkadia. “They aren’t harvesting data and then selling it. That kind of fraud is a lot of work compared to the minimal work of locking you out and collecting money.”
Dryden was part of a panel reviewing successful cyberattacks. In an online anonymous poll of the audience, 28% of respondents indicated they had experienced a general cybersecurity breach and it had only impacted their company, while 11% said they had experienced a breach that impacted their customers as well.
All of the panelists, who included Dryden, John-Thomas Gaietto, executive director of cybersecurity at Richey May, and moderator Alex Wood, chief information security officer at Pulte, thought the percentage was probably higher than the audience would like to admit.
For ransomware in particular, the consequences of an attack can be costly.
The attack often starts with an employee responding to a phishing scheme, the “gateway event” that leads to many different types of security breaches, Dryden said. Company software will display a ransomware message with a countdown clock, and the amount of ransom goes up as the clock winds down.
Companies then have to decide if it is better to pay to get access to their data, or try to recreate the data, assuming that’s an option. But even paying the ransom isn’t a guarantee.
“In the early days of ransomware attacks, it was at least a little more ethical. With ransomware-as-a-service, they are willing to encrypt your data and just move on — it is getting nastier and nastier,” Dryden said.
He warned the audience that if they carried cybersecurity insurance, keeping the amount of the deductible secret was vital — otherwise the thieves will know exactly what the company's cost threshold is, and will set their ransom accordingly.
At this point in the process, the importance of secure system backups will become blindingly obvious to the affected company. Unfortunately, that hindsight often comes too late. Even companies that have been meticulous in doing backups may not be testing those backups.
“Companies think they are backing up everything, but it’s amazing how often you may uncover failure in backup activities,” Dryden said.
And sometimes the backups get encrypted, too.
In fact, company leaders may wake up one day to find they can’t even use company phones, faxes or email systems to communicate with internal staff — much less external partners — about the incident.
The other rising cybersecurity threat that the panel identified was wire fraud. Criminals gain access to the email system of a real estate agent, title company or lender and identify the date of an upcoming closing. On that date they insert themselves into the process to change the parameters of the deal — emailing borrowers or title companies to send money to a different account or changing the amount they were supposed to send.
Because the attackers first compromise the email system, they can delete sent emails so that the real company has no idea what is going on.
“Wire fraud has low overhead,” Wood said. “It’s super easy but offers huge potential returns. We are seeing that it's Realtors who tend to get compromised, especially the mom and pop shops who may not have a lot of security.”
Wood said Pulte approaches this growing problem by communicating with the buyer throughout the process about the potential hazard around the wire transfer. They not only instruct borrowers on their process but also include warnings on the disclosures about this type of fraud. If Pulte sends wire instructions by email, they follow up immediately with a phone call to make sure the borrower received the right instructions and knows that they should not be getting any further instructions that are different.
Gaietto said establishing these kinds of business processes for wire transfers is crucial.
“Given how risky it is, companies may just eliminate wire transfers over email altogether,” Gaietto said. “Then they can tell borrowers, ‘We won't be emailing wire instructions to you on what kind of wire or where to wire.’”
But what if the worst happens? Read our follow-up coverage to find out what the experts say you should do next.