
Mortgage Software Solutions Blog

Understanding the Importance of Email Security for Mortgage Businesses


Email is a big part of communication with mortgage applicants, but it poses many security problems. Companies are torn between their need to protect confidential financial information and the customer’s desire for convenience. Customers don't want to go through extra steps, but they'll be very unhappy if intercepted information leads to identity theft. So will mortgage employees. That's why mortgage businesses need to understand why email security is so important. 

Email standards emerged very early in the history of the internet, when security wasn't a serious concern, and unfortunately, they haven't improved a lot since then.

  • Senders can trivially impersonate other people, including their email addresses.
  • Mail goes through multiple hops, providing many opportunities to read mail in transit.
  • People often don't notice what address a message comes from, and some software even hides it.
  • Unsecure connections to mail servers are common. They send passwords as plain text, allowing for their interception.

A study by Halock Security Labs found that lenders often use unsecure email practices.

  • 70% of the loan officers in the study let applicants send tax documents and other financial information as unencrypted email attachments.
  • Only 12% provided a way of sending email securely.
  • Loan officers cited customer convenience over security as the reason for using email.

The American Land Title Association has issued rules specifying that non-public personal information, in connection with real estate sales, must be transmitted securely. It recommends adopting a written privacy and information security program for protecting such information, in order to comply with federal and state laws.

Some major services, such as Gmail, encrypt mail while it's moving between their own servers, but they can't do anything about the final hop if a message goes to a different host. People have created security measures, such as PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), that attempt to provide vendor-independent, end-to-end encryption. Unfortunately, they are so clumsy to use that they have never caught on.

Passwords are another problem. Many people connect to mail servers using an unsecured connection, which means their passwords go through as plain text. If they combine this with an unsecured Wi-Fi connection, they're literally broadcasting their passwords for anyone nearby to steal. People who get mail through an application can and should use an SSL/TLS connection to their provider. This encrypts logins and other data in transit, and once it is set up, it simply works without the users having to do anything more.

Secure email portals use either a website, a special application, or an add-on to an existing application. They're a departure from how people normally send and receive their mail, but some are more disruptive than others. Finding an approach that provides security, without making customers unhappy, is a tricky balance.

The best solutions combine email and web technology. Email can notify people that information is waiting for them, and a password-protected web connection can deliver it securely.

ABT's DocumentGuardian™ is the safest and easiest way for your borrowers to send you NPI (non-public information) documents. Compliance auditors recommend it because, unlike box-type file sharing apps, DocumentGuardian stores your borrower documents in our secure data center, not on individual computers and mobile devices. Loan officers and borrowers access DocumentGuardian™ through a secure browser connection, so their own logins and uploads are safe.

To minimize the risk of impersonation (called "phishing"), loan officers should advise customers to look at their mail carefully, make sure it links to the usual website, and tell the loan officer if anything looks suspicious. The consistent appearance that DocumentGuardian provides will give customers confidence that the mail they receive is authentic.

Businesses that use secure methods of exchanging documents with their customers enjoy a better reputation and are safer from charges of negligence. Contact us to learn how we can help you attain this necessary level of security.

Topics: EmailGuardian, MortgageWorkSpace, email security, phishing

Phishing: What to Look For and What to Do When You Recognize the Bait


Phishing is a popular cyber security term that describes a certain form of computer hacking through electronic communications. As the name suggests, the methods involved resemble baiting a hook: the attacker uses deception to trick a person into compromising sensitive data.

Businesses that store large amounts of sensitive data, such as mortgage companies, are most at risk of these attacks. Fortunately, with a keen awareness of common phishing tactics, many of these attacks can easily be discerned. In this article, we'll discuss specific phishing methods and what to do about them when recognized.

A Brief History of Phishing

The first occurrence of phishing was in 1995 and involved the attacker acting like an AOL representative. This deceptive bait was thrown in the water with an instant message, which lured users into giving sensitive account and billing information.

The numbers show just how effective phishing can be and how quickly this problem has grown. In any given month of 2005, around 14,000 unique phishing campaigns were recorded. In only 10 years, this number increased to around 100,000 unique campaigns per month.

Methods of Phishing

  • Email
  • Phone
  • Instant messages
  • Websites

Email

This is one of the most prevalent methods used in phishing. There are some common signs to look for, though, to help you recognize when something fishy is going on.

For starters, it’s important that you and your mortgage team are aware of potential phishing attempts. With a careful examination, these scam artists can easily be detected and reported.

A simple mistake hackers are prone to make is misspelling words and/or using bad punctuation or grammar. If these signs are detected, then a user can generally guess it's not from the professional service it claims to be. Phishing scams are effectively deceptive because they claim to be a popular company. However, a reputable company is probably not going to send a mass email with mistakes like this.

Does the email have suspicious or unexplained links in it? Such a link is likely a poisonous element you'll want to avoid clicking on. Malicious files that spread viruses could be on the other side of these links. Sometimes, you can detect a bogus link by hovering over it to see if the address matches what's in the link. If it doesn't match the link, this is a potential sign that it's a phishing attempt.
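The hover check described above can also be automated on the receiving side. The following is an added example, not part of the original article: it parses an HTML message body and reports links whose visible text names one site while the underlying address points to another. The function names and the sample body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_DOMAIN = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")  # host-name shape in visible text

def _host(value, assume_http=False):
    """Host of an http(s) address with a leading 'www.' dropped, else None."""
    value = value.strip().rstrip(".,;")
    if assume_http and "://" not in value:
        value = "http://" + value  # visible text often omits the scheme
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. a malformed bracketed host
        return None
    ok = parts.scheme in ("http", "https") and parts.hostname
    return parts.hostname.lower().removeprefix("www.") if ok else None

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Return (shown_text, real_host) for links whose text names a different site."""
    parser = _Anchors()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        shown, real = _host(text, assume_http=True), _host(href)
        if shown and real and _DOMAIN.fullmatch(shown):
            if real != shown and not real.endswith("." + shown):
                flagged.append((text, real))
    return flagged

# Constructed sample body; .example/.test names and 203.0.113.7 are reserved for docs.
SAMPLE = """<a href="https://portal.lender.example/docs">portal.lender.example/docs</a>
<a href="http://lender.example.account-verify.test/login">www.lender.example</a>
<a href="http://203.0.113.7/upload">lender.example/upload</a>"""
```

Links whose visible text is not an address (for example "Click here") are not reported, because there is nothing to compare; they still deserve the manual hover check.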

By examining the tone and content of the email itself, a user can often detect a phishing email. If there are threatening or urgent messages, this could be a sign of a phishing attempt. An example would be something like: “If you don't act fast your entire security system will be breached by an invading virus!” This sounds silly, but because they're acting as a popular company whose service you may already be using, your fear or curiosity may encourage you to click the malicious link.

With careful observance of incoming emails, a user can detect these bogus phishing attempts and thwart their intentions. The trusted services you use are not going to act in such an unprofessional manner. If there's any question about the legitimacy of an email, always contact your service provider directly and confirm, before acting on questionable email requests.

Phone calls

These are another method of phishing. Though more obvious in some ways, because phone calls involve a human element, they can be even more deceptive. Understand that no professional service you use (or want to use) is going to call you out of the blue and ask for important and confidential information.

These phone calls basically employ the same type of tactics email phishing does. In other words, they'll claim to be trying to help resolve some issue or sell you something necessary, like a software license. These cyber criminals will use deception and fear tactics to try to gain sensitive information from the user, such as passwords or usernames.

Unsolicited phone calls like this need to be approached with caution. If something feels off about a phone call you’re having, don’t offer up any valuable information. Tell them you are busy and will call the appropriate party when you have time to talk.

Instant Messages and Texting

Phishing attempts through instant messages and texts, though not as common, can still be a threat. Whether sent by phone or through social media, instant messages and texts will generally have a link and some bogus problem they want to solve. Again, deception and fear are the way they lure the user into clicking on the link in the message or offering up personal data.

These are easy to avoid and spot, yet because of the mode of communication used, users could be caught off guard. Therefore, being aware of phishing methods that involve instant messaging and text can help prevent hacking attempts.

What to Do When Detecting a Phishing Scam

If users detect any phishing scams through these methods (or any other), contacting the appropriate authorities is what to do next. For those in the U.S., contact the FTC and fill out a complaint form. For those in the UK, contact Action Fraud to report the attack. For other countries, contact your local fraud and cyber crime center to report the attempt. This will help thwart the hackers and prevent others from falling prey to their phishing attacks.

Phishing is an act of criminals who use deception and fraud to steal information from businesses and individuals for their own personal gain. Businesses like mortgage companies are particularly vulnerable to attacks on their guarded systems. This is because they have a wealth of valuable and sensitive client data on hand. The results of a successful phishing attack can be devastating and should be guarded against through awareness and maintenance of a robust security system.

Access Business Technologies understands the sensitive nature of the mortgage businesses we serve, and for that reason, we have created DocumentGuardian™. DocumentGuardian™ provides mortgage firms with a secure data center where their borrowers’ non-public information documents are stored, instead of being stored on individual computers and devices.

This is one way ABT ensures security within our MortgageWorkSpace®—our comprehensive cloud-based platform for mortgage institutions. To learn more about cyber security and our solutions for the mortgage industry, please contact us today.

Topics: ABT, phishing