Recent cyberattacks against national mortgage lenders and title insurance companies serve as a reminder that real estate-related firms have become major targets of online criminals due to the sensitive data they possess and the large sums of money they deal with on a routine basis.
In past years, much attention has been paid to cyberattacks launched against a wide range of businesses, from healthcare institutions to retail stores that possess all sorts of sensitive data that can be used by criminals to steal identities, money and other valuables.
Financial institutions have long been the target of cybercriminals as well, including banks, mortgage lenders and title insurance companies engaged in large real-estate financial transactions.
That was evident in recent months by cyberattacks against mortgage lenders LoanDepot and Mr. Cooper and title insurance companies First American and Fidelity National Financial.
Millions of customers’ data was stolen during those cyber-breaches. In the LoanDepot case, hackers demanded ransom in exchange for key corporate data that they had locked down. And the Mr. Cooper case has already spawned class-action lawsuits.
Locally, bankers, regulators and industry consultants say they’re seeing no let-up in the cyber threats to computer systems. If anything, attacks are on the rise despite extensive and sophisticated cybersecurity measures implemented by industry players.
“It’s really increasing,” Meaghan Lally-McGurl, chief information and security officer at Enterprise Bank, said of cyberattacks in general. “Every day, it’s something different. New things keep coming up, technologies such as AI.”
Mortgage Data a Treasure Trove
Enterprise Bank, which has eight branches in New Hampshire, annually spends “millions of dollars” protecting its far-flung computer system against hackers.
“We take this very seriously,” said Lally-McGurl, noting her bank regularly spends large sums on security applications and education programs, as well as on insurance and legal issues associated with cybersecurity.
As for hackers targeting mortgage-related data, Lally-McGurl said it’s all about the large amount of funds involved.
“It’s where the money is,” she said, echoing the famous Willie Sutton line about why he robbed banks.
“As a financial institution, we’re definitely a target,” Lally-McGurl said. “I don’t see the [threat] fading anytime soon.”
Robert Siciliano, a cybersecurity awareness expert who has worked with a number of New Hampshire real estate officials over the years, said the real-estate industry has made progress in recent years in shoring up its cybersecurity defenses – but more work is needed.
“Agents are not really getting the training they need to protect their data,” said Siciliano, whose security programs are recommended by the New Hampshire Association of Realtors.
Real Estate Agents at Risk
He said there are two types of cyber-related scams that he regularly sees in real estate.
The first is a variation of the old “I have a bridge to sell you” con job: the “vacant land scam,” in which criminals put up for sale large tracts of unused land, often forests or overgrown fields owned by out-of-state people, that they don’t own.
Unwitting potential buyers, real estate agents and even attorneys then get duped into conducting large financial transactions with the scammers via bogus online accounts, said Siciliano.
The second scam is straight-forward “mortgage-closing wire fraud,” in which hackers obtain access to email accounts, monitor a real estate negotiation process and then at the right moment provide false wiring instructions to buyers to make final payments, Siciliano said.
“It’s getting worse and worse,” he said of wire-fraud schemes.
As for recent attacks on mortgage lenders, mortgage-related data has become a “very attractive target” precisely because lenders possess the “most sensitive of sensitive” information, from Social Security numbers to bank account info, he said.
In many cases, real estate cyber-scams could have been prevented via simple “two-factor authentication” procedures, which often include use of a password and text-code verification in order to protect cyber accounts, he said.
Siciliano added he’s not surprised when he hears about cyberattacks against real-estate related firms, including mortgage and title-insurance companies, big and small.
“Security is often not a priority for some of them,” he said.
State Regulators Watchful, Too
There are a number of federal and state laws and rules requiring financial institutions to protect customers’ data.
In particular, the FTC’s “Safeguards Rule” specifically requires “non-banking financial institutions, such as mortgage brokers, motor vehicle dealers and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.”
Last October, the FTC approved an amendment to the Safeguards Rule that tightened reporting requirements when certain data breaches and other security events occur.
In New Hampshire, the state’s financial-industry oversight agency is also involved with cybersecurity matters confronting institutions.
“The New Hampshire Banking Department carefully monitors all reports of cybersecurity breaches,” New Hampshire Banking Commissioner Emelia Galdieri said in a statement to the Registry Review.
“Under [state law], entities licensed or chartered by the Department are required to notify the Department of any security breach. Additionally, the Department examines banks and credit unions for safe and sound operations as well as compliance with laws, rules, and regulations. Banks and credit unions are expected to monitor cybersecurity risks as part of ensuring safe and sound operations.”
In addition to monitoring reports of cybersecurity breaches, Galdieri said that the department “plans to review and implement” the Conference of State Bank Supervisors (‘CSBS’) Cybersecurity Examination Program across all financial entity types by the end of 2025.”
Galdieri added: “All cyberattacks, regardless of the information obtained, are concerning.”
