The mortgage industry still faces the same cybersecurity threats as it did over the last 10 years. In turn, efforts to strengthen infrastructure and security are becoming even more important, experts emphasized on Monday at the Mortgage Bankers Association (MBA) Technology Solutions Conference Expo in San Jose, California.
Phishing — a form of social engineering where attackers deceive people into revealing sensitive information or installing malware — still remains one of the most common ways to get initial access to customer or vendor data, Ariel Manalo, chief information security officer and vice president of infrastructure at Evergreen Home Loans, said.
“I’d say most recently we’re seeing a lot more impersonation, specifically anecdotally, to our environment, where they’re text messaging different employees, impersonating senior executives with the good old gift card scam (…). Emails are flooding in too, and we’re seeing a lot of uptick on those,” Manalo said.
Last year in particular, a common trend was spreading ransomware through USB drives, Evan Bredahl, customer solutions engineer at Red Canary, said.
“The threat actors (…) bought a large bulk amount of USB drives, and put the malware underneath (…). America has been heavily affected with these USB drives. How many times have you been to a vendor trade show and they give out USBs? We don’t really know what the supply chain is there,” Bredahl said.
Red Canary found that about 4% of its customers were affected in 2022 by this activity, dubbed ‘Raspberry Robin,’ which the company initially discovered in May of last year.
In July, Microsoft observed hackers delivering a prolific public ransomware, called SocGholish. Both were among the top 10 threats affecting Red Canary customers last year.
“It’s definitely been in an uptick where they’re making money. It’s profitable for them. They’ve monetized it; they have basically a whole entire business model. You want to hire hackers? You want to hire distributed denial-of-service (DDoS) people? You want ransomware? It’s out there, go out there and buy it, right? So it’s available; they’re making money,” Manalo said.
Amid the growing risk of security threats, government-sponsored enterprises (GSEs), such as Freddie Mac, are making security mandatory, Manalo noted.
“Especially on Freddie Mac’s regulation, it basically says if you’re not compliant, we can terminate your access to any or all of Freddie Mac’s stuff (…). That makes security mandatory,” Manalo said.
In October, Freddie Mac issued Bulletin 2021-31, updating its Seller/Servicer and Third Party risk mitigation requirements.
The bulletin includes language that makes Freddie Mac a third-party beneficiary to vendors and third-party service providers of Freddie sellers and servicers. It also includes notification requirements with direct reporting to Freddie for certain events, such as security incidents.
As the mortgage industry becomes more technologically interconnected, companies are looking to spend more on IT security and infrastructure.
About 53% of organizations will increase IT spending in 2023, and 65% of organizations plan to increase cybersecurity spending this year, according to CSO Magazine.
“I’d say stay curious, stay diligent, persistent and what that means is curiosity. The bad guys are creative. There’s this thing where defenders have to be right every single time,” Manalo said.