Mortgage Software Solutions Blog

Understanding the Importance of Email Security for Mortgage Businesses


Email is a big part of communication with mortgage applicants, but it poses many security problems. Companies are torn between their need to protect confidential financial information and the customer’s desire for convenience. Customers don't want to go through extra steps, but they'll be very unhappy if intercepted information leads to identity theft. So will mortgage employees. That's why mortgage businesses need to understand why email security is so important. 

Email standards emerged very early in the history of the internet, when security wasn't a serious concern, and unfortunately, they haven't improved a lot since then.

  • Senders can trivially impersonate other people, including their email addresses.
  • Mail goes through multiple hops, providing many opportunities to read mail in transit.
  • People often don't notice what address a message comes from, and some software even hides it.
  • Unsecure connections to mail servers are common. They send passwords as plain text, allowing for their interception.

A study by Halock Security Labs found that lenders often use unsecure email practices.

  • 70% of the loan officers in the study let applicants send tax documents and other financial information as unencrypted email attachments.
  • Only 12% provided a way of sending email securely.
  • Loan officers cited customer convenience over security as the reason for using email.

The American Land Title Association has issued rules specifying that non-public personal information, in connection with real estate sales, must be transmitted securely. It recommends adopting a written privacy and information security program for protecting such information, in order to comply with federal and state laws.

Some major services, such as Gmail, encrypt mail while it's moving between their own servers, but they can't do anything about the final hop if a message goes to a different host. People have created security measures, such as PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), that attempt to provide vendor-independent, end-to-end encryption. Unfortunately, they are so clumsy to use that they have never caught on.

Passwords are another problem. Many people connect to mail servers using an unsecured connection, which means their passwords go through as plain text. If they combine this with an unsecured wi-fi connection, they're literally broadcasting their passwords for anyone nearby to steal. People who get mail through an application can and should use an SSL/TLS connection to their provider. This encrypts logins and other data in transit, and once they set it up, it simply works without the users having to do anything more.

Secure email portals use either a website, a special application, or an add-on to an existing application. They're a departure from how people normally send and receive their mail, but some are more disruptive than others. Finding an approach that provides security, without making customers unhappy, is a tricky balance.

The best solutions combine email and web technology. Email can notify people that information is waiting for them, and a password-protected web connection can deliver it securely.

ABT's DocumentGuardian™ is the safest and easiest way for your borrowers to send you NPI (non-public information) documents. Compliance auditors recommend it because unlike box-type file sharing apps, DocumentGuardian stores your borrower documents in our secure data center, not on individual computers and mobile devices. Loan oficers and borrowers access DocumentGuardian™ through a secure browser connection, so their own logins and uploads are safe.

To minimize the risk of impersonation (called "phishing"), loan officers should advise customers to look at their mail carefully, make sure it links to the usual website, and inform them if anything looks suspicious. The consistent appearance that DocumentGuardian provides will give customers confidence that the mail they receive is authentic.

Businesses that use secure methods of exchanging documents with their customers enjoy a better reputation and are safer from charges of negligence. Contact us to learn how we can help you attain this necessary level of security.

Learn More
Topics: EmailGuardian MortgageWorkSpace email security phishing

ABT's Recommended Physical Device Security


More than ever, people in the mortgage business are relying on mobile devices to stay competitive. They need to stay in touch at all times and provide quick responses to their customers. Smartphones and tablets can be taken anywhere and give users an edge to help them stay competitive.

Unfortunately, devices that are easy to carry around are easy to carry away. Thieves made off with over 2 million smartphones in 2014. It's not just the loss of the device that's the problem, but the data that's on it or that a thief can get at from it. Letting a criminal view the company's business records or send emails impersonating an employee could mean major trouble for your mortgage business.

pMobile phones also face distinctive data security risks. Protecting your mobile device involves four areas: keeping it safe from theft, preventing thieves from using it, dealing quickly with theft if it happens, and observing good physical device security practices.

1. Preventing Theft

Keeping a tablet or smartphone out of the hands of thieves simply requires exercising common sense. Here are some tips:

  • Label your device with contact information. Engraving is best, since it won't come off and makes it harder to sell.
  • Never leave a device in a car, or at least make sure it's well-hidden. Smashing a window and grabbing any loose items is too easy.
  • Never let it out of sight in a public place. Keep it in your pocket or purse when you're not using it, so you don't carelessly walk away from it. Make sure it's still on you when you leave a place where you were using it.
  • If you use it in a crowded place, be alert for pickpockets after putting it away.
  • If a stranger asks to "borrow" your phone for an important call, say no and walk away.
  • When you're charging it, make sure it's in a safe place. Leaving it on your desk at work may seem safe, but if a customer can walk by and snatch it, it's not a great choice.

Note: You need to be equally careful with USB flash drives. They're small and easy to forget.

2. Preventing Unauthorized Use

You can encrypt your device so that no one else can use it without the password. Even the FBI has trouble breaking into encrypted phones, as we've learned from the news. Infoworld offers a guide on encrypting iOS and Android devices. On Android, encryption isn't the same as password protection; make sure to enable both. Also, encrypt any flash drives that might leave the office.

Additionally, you can set the interval at which the device asks for your password; make it five minutes at the most, or require it every time you turn the phone on for maximum security. Use a password that's hard to guess; "1234" is as good as no password at all.

Good security comes in more than one layer. If someone does manage to activate your phone, you want to suffer as little damage as possible. Don't set your applications to log in automatically without a password. That may be convenient, but it can also be dangerous. Setting a single master password is fine; just make sure it's a strong password.

Keep the amount of sensitive information stored on your device to a minimum. Delete old records that you no longer need.

3. Data Security

Mobile devices face some special risks that desktop computers aren't as vulnerable to. Connecting to an unknown wi-fi hotspot can expose the device to spoofed connections and password theft. When you download an application on impulse, you might get something malicious with it.

Before you click, think about whether you really need that application and about how confident you are in its source. If you download a store's app, the store management probably has only the best of intentions, but the developer might have been sloppy and left serious security holes in it.

If It's Lost or Stolen

You can set up your phone or tablet so that you can erase it remotely if it's lost or stolen. The device has to be on the internet for you to do this, but if it isn't online when you issue the command to erase, it will erase itself the next time it goes online.

Android offers several actions you can take, so you can make sure the device is really gone before erasing it. The Android Device Manager lets you make it ring at full volume, even if you had set it to silent mode. If you just left it in your other coat, that option can save you from unnecessarily wiping your device. If it's really lost, you can perform a full reset, wiping out all your phone or tablet’s data and applications.

Apple offers a similar feature for iOS devices. You need to have an Apple ID and an iCloud account. You can check its location or make it play a sound to make sure it's really lost, and you can erase it remotely if you need to.

Report the theft promptly to the police and your employer. ABT's DeviceGuardian™ can, among many other things, help prevent data loss from stolen devices.

Final Thoughts

All this advice shouldn't scare you away from using a mobile device, but rather, it should give you confidence that you can use your mobile devices with little risk of a security breach—if you're careful and you employ the right tools.

Physical protection is one part of a secure data strategy for your mortgage business. ABT's managed cloud services keeps track of the latest information on malware, intrusion, and spyware, so that your devices stay safe. Additionally, DeviceGuardian™ can help keep your data and your devices safe, providing 24/7 security monitoring, cloud backup, and virus and malware protection. It can also remotely wipe stolen devices, when necessary.

Take good care of your devices and let the security experts at Access Business Technologies help! Please contact us for more information.

Learn More

Topics: DeviceGuardian mobile device security

Phishing: What to Look For and What to Do When You Recognize the Bait


Phishing is a popular cyber security term that describes a certain form of computer hacking through electronic communications. As it sounds, the methods involved resemble baiting a hook and trying to persuade a person into compromising sensitive data through deception.

Businesses that store large amounts of sensitive data, such as mortgage companies, are most at-risk of these attacks. Fortunately, with a keen awareness of common phishing tactics, many of these attacks can easily be discerned. In this article, we'll discuss specific phishing methods and what to do about them when recognized.

A Brief History of Phishing

The first occurrence of phishing was in 1995 and involved the attacker acting like an AOL representative. This deceptive bait was thrown in the water with an instant message, which lured users into giving sensitive account and billing information.

The numbers show just how effective phishing can be and how quickly this problem has grown. In any given month of 2005, around 14,000 unique phishing campaigns were recorded. In only 10 years, this number increased to around 100,000 unique campaigns per month.

Methods of Phishing

  • Email
  • Phone
  • Instant messages
  • Websites


This is one of the most prevalent methods used in phishing. There are some common signs to look for, though, to help you recognize when something fishy is going on.

For starters, it’s important that you and your mortgage team are aware of potential phishing attempts. With a careful examination, these scam artist can easily be detected and reported.

A simple mistake hackers are prone to make is misspelling words and/or using bad punctuation or grammar. If these signs are detected, then a user can generally guess it's not from the professional service it claims to be. Phishing scams are effectively deceptive because they claim to be a popular company. However, a reputable company is probably not going to send a mass email with mistakes like this.

Does the email have suspicious or unexplained links in it? This link is likely a poisonous element you'll want to avoid clicking on. Malicious files that spread viruses could be on the other side of these links. Sometime, you can detect a bogus link by hovering over it to see if the address matches what's in the link. If it doesn't match the link, this is a potential sign that it's a phishing attempt.

By examining the tone and content of the email itself, a user can often detect a phishing email. If there are threatening or urgent messages, this could be a sign of a phishing attempt. An example would be something like: “If you don't act fast your entire security system will be breached by an invading virus!” This sounds silly, but because they're acting as a popular company whose service you may already be using, your fear or curiosity may encourage you to click the malicious link.

With careful observance of incoming emails, a user can detect these bogus phishing attempts and thwart their intentions. The trusted services you use are not going to act in such an unprofessional manner. If there's any question about the legitimacy of an email, always contact your service provider directly and confirm, before acting on questionable email requests.

Phone calls

These are another method of phishing. Though more obvious in some ways, because phone calls involve a human element, they can be even more deceptive. Understand that no professional service you use (or want to use) is going to call you out of the blue and ask for important and confidential information.

These phone calls basically employ the same type of tactics email phishing does. In other words, they'll claim to be trying to help resolve some issue or sell you something necessary, like a software license. These cyber criminals will use deception and fear tactics to try to gain sensitive information from the user, such as passwords or usernames.

Unsolicited phone calls like this need to be approached with caution. If something feels off about a phone call you’re having, don’t offer up any valuable information. Tell them you are busy and will call the appropriate party when you have time to talk.

Instant Messages and Texting

Phishing attempts through instant messages and texts, though not as common, can still be a threat. Through the phone or social media, instant messages and texts will generally have a link and some bogus problem they want to solve. Again, the use of deception and fear are the way they lure the user into clicking on the link in the message or offering up personal data.

These are easy to avoid and spot, yet because of the mode of communication used, users could be caught off guard. Therefore, being aware of phishing methods that involve instant messaging and text can help prevent hacking attempts.

What to Do When Detecting a Phishing Scam

If users detect any phishing scams through these methods (or any other), contacting the appropriate authorities is what to do next. For those in the U.S., contact the FTC and fill out a complaint form. For those in the UK, contact Action Fraud to report the attack. For other countries, contact your local fraud and cyber crime center to report the attempt. This will help thwart the hackers and prevent others from falling prey to their phishing attacks.

Phishing is an act of criminals who use deception and fraud to steal information from businesses and individuals for their own personal gain. Businesses like mortgage companies, are particularly vulnerable to attacks on their guarded systems. This is because they have a wealth of valuable and sensitive client data on hand. The results of a successful phishing attack can be devastating and should be guarded against through awareness and maintenance of a robust security system.

Access Business Technologies understands the sensitive nature of the mortgage businesses we serve, and for that reason, we have created DocumentGuardian™. DocumentGuardian™ provides mortgage firms with a secure data center where their borrowers’ non-public information documents are stored, instead of being stored on individual computers and devices.

This is one way ABT ensures security within our MortgageWorkSpace®—our comprehensive cloud-based platform for mortgage institutions. To learn more about cyber security and our solutions for the mortgage industry, please contact us today.

Learn More
Topics: ABT phishing

How the Cloud is Becoming the New Normal for Businesses in 2016


Around 1977, the term “cloud” was used to describe the networks of computing equipment in the ARPANET, then the CSNET in 1981, and then the Internet later on. While the concept of cloud computing has been around for some time, not until today (2016) has it become so relevant in everyday life. With that in mind, let's examine how the cloud is becoming the new normal for businesses in 2016.

Cloud Computing

There are some distinct advantages the cloud provides small and large businesses alike, such as data disaster back-up, cybersecurity, more capability for data processing and storage, outsourced IT services, flexible access, and general inter-connectivity between business systems as a whole. Businesses that are embracing cloud computing fully are even going paperless in their efforts to streamline and create more efficient business processes.

What's really accelerated cloud computing is the rise of mobile technology and wider Internet access to the masses, both in America and around the world. Software solutions and mobile apps are fueling the innovative fires, while businesses are trying to adapt and respond to evolving customer expectations.

The Numbers Indicate a Growing Cloud Trend

Looking at research from the IDC, we find the numbers correlate with the growing cloud buzz in the business world today. For instance, in 2015 only 8 percent of businesses surveyed said they weren't interested in the cloud and had no plans to get on board. This percentage shrunk from 2014, when 21 percent of businesses said they weren't interested.

The majority of businesses are evaluating, deploying, and embracing the cloud in some form or another in their processes. Most of them are using a hybrid mix of in-house IT systems and cloud computing.

When it comes to cloud maturity, only 9 percent of businesses thought of themselves as mature, while 45 percent expected to be in the next couple years. So, although only a small percentage of businesses are fully optimized with cloud computing, many others are forging ahead with plans to do so in the future.

Another telling figure analysts predict is that, over the next six years, almost 90 percent of new spending on the Internet and communication technologies will be on cloud-based services. Considering this is a $5 trillion global business, the implications denote a serious trend toward the cloud.

Mobile Technologies

Tablets, smartphones, and other mobile devices are the largest factor in the acceleration of cloud migration for business processes. Individual consumers and B2B customers alike, are using mobile devices to purchase, connect socially, access the Internet, and conduct business. The number of mobile apps is increasing, along with their sophistication in UX design and affordability.

While ten years ago, businesses (in all industries) saw the benefits of having an optimized web presence, now they're seeing the necessity to have a custom mobile app. Innovative software development groups are rising up to meet this growing demand. In fact, outsourcing is becoming the norm in software development, as well as migrating business processes to advanced SaaS solutions.

Mobile technologies and wider accessibility to the Internet are fueling the change, giving businesses more efficient ways to manage and connect with customers. For instance, using the cloud allows 24/7 access, from anywhere, and from any device – anywhere there's Internet access. Also, rapidly advancing mobile devices now have the ability to do as much as most laptops and are becoming increasingly common in the workplace.

Cybersecurity and Integration

Cloud computing is also encouraging businesses to migrate their current systems into the cloud for improved cybersecurity. Cybercrime is on the rise, but fortunately, sophisticated and innovative SaaS solutions are more capable than ever of managing and preventing cyber threats. Big data analysis and advanced software (with automation in compliance, risk detection, and management) are solving security risks at an affordable price.

Cybersecurity is also enhanced using SaaS companies, because they have the ability to integrate all business systems into a central location. Integrated ERP, CRM, WMS, and other holistic hybrid software and hardware systems are managed with sophisticated and advanced technology through a central, cloud-based interface. Factor in the improved security monitoring and management provided by cloud systems and the advantages to making a switch to the cloud become clear.

While there are many other benefits of cloud computing not touched on in detail here, this article should offer enough evidence to prove how the cloud is becoming the new normal for businesses in 2016. The benefits are many, while the drawbacks are confined to merely a fear of the unknown.

Access Business Technologies is an SaaS mortgage cloud company that is highly skilled in protecting and managing your mortgage systems in the cloud. We've designed our cloud SaaS specifically for businesses in the mortgage industry and offer companies a seamless way to migrate to the cloud with confidence. To learn more about our MortgageWorkSpace™, please contact us today.

Get Started

Topics: ABT Cloud Computing

ABT Security Recommendations: Social Networking Safety in the Workplace

Businesses that deal with finances and credit face specific social networking safety concerns that many other businesses do not. From threats to family members in hostage situations to the potential for irrevocable public relations harm, mortgage businesses must consider carefully how to address the security issues that may arise from employee social media use.


Train Personnel to Protect Information

The threats to family members mentioned above happened at a mock robbery a consultant performed for a credit union. The police officers, who were acting as robbers, gathered public information from people's social media pages and used it to threaten a teller's husband. While this was done to prevent actual robberies from taking place, simple information regarding places of employment was enough to give potential thieves the upper hand.

Train your personnel to protect their personal information by removing private data from their social media profiles. Educate them on the various risks of social media use and what the best practices are for using various social media platforms. Further, your company should institute and enforce policies that ensure your employees are taking the proper precautions.

Protecting Accounts

Education is essential to protecting your business from potential scams, hackers, thieves, and other malicious agents who desire to use information from social media. Privacy settings are different on every social media platform, and employees must understand the risk of exposing certain types of information on their personal social media accounts.

Posting something on social media is akin to shouting something out loud in the middle of a crowded room. If the information is something you wouldn't shout in the middle of a food court, do not post it. This is especially true for public settings, on sites like Facebook or the very real public forum of Twitter. Employees need to be educated on the long term consequences of things they post online and the potential backlash it can have on your company’s reputation. Often things go viral so quickly that a mistake cannot be taken back. Before you know it, it has already been screen captured and re-shared.

Avoiding Scams

While most employees are used to the idea of the Nigerian prince scam, sophisticated scammers attempt to perpetuate scams, without ever interacting with their targeted victim. Social networks provide answers to security questions (What is your mother's maiden name?) to people who know how to glean data.

In order to prevent much of the risk of scams associated with social networks, employees need to limit the amount of public information they have accessible on social networks. A good recommendation is to require that employees do not list their place of work on personal social network profiles, since this is a part of the profile that is usually public.

Public Nature of Social Networks

Employees need to know and understand social networks, how to control privacy settings, and the nature of various networks. Some networks allow you to control who sees what, while many social media sites default to public viewing of everything, with only limited control of privacy via direct messages.

Employees also need to be aware of screenshot technology, forwarding functions and other systems for making private communication public. Just because something was sent in a direct message on Facebook or Twitter, that does not mean that it cannot be made public later. Employees should never conduct any public or private discussion of the business's affairs over social media.

Limited but Accessible

While the risks associated with social media sites makes some IT personnel want to block them entirely from a workplace, this only increases risks to the business. Employees will often seek ways around an IT security policy that is perceived as unjust and inflexible. This can potentially breach firewall privacy, introduce added distractions to the workplace, and encourage employees to access sites through less-than-trusted means.

While the many advances in technology increase risks to businesses, these risks can be managed with the right information, education, and company policies. Access Business Technologies uses DeviceGuardian™,  a tool that is easily installed on any existing or new device, allowing ABT to securely manage all of your mortgage software, data, and users.  DeviceGuardian™ makes all of your devices compliant with Consumer Financial Protection Bureau (CFPB) regulations. Prevent Social Networking scams with DeviceGuardian™ and control whitelisted and blacklisted websites. For more information about mortgage business and IT safety, mobile apps, and remote desktops, please contact us today.

Learn More

Topics: ABT social networking safety