Mortgage Software Solutions Blog

Business Data Security and Multi-Factor Authentication

Get an extra level of security with multi-factor authentication or MFA.

Each year, cybersecurity gets more complicated.

According to anti-virus developer Panda Security, the amount of malware created by cybercriminals is predicted to grow exponentially with each passing year.

Companies have to face the reality that a security breach has a serious impact on business.

To avoid the distress of company-wide damage control and a PR nightmare, it’s best to make sure security is in good shape.

Real Business Impact

For some businesses, consumer data handling is the main issue.

Financial institutions such as banks and mortgage companies are often targeted by hackers because they house the most personal information.

With major security failures like the Equifax breach of 2017 making international news, the finance industry’s cybersecurity worries are real.

More is at stake than information. A data breach can mean sales losses and a tarnished reputation that lasts for years.

From fines to fraud, there are monetary repercussions as well.

So what is the fastest way to tighten security on cloud-based and traditional networks?

Multi-Factor Authentication

Data breaches in single-factor authentication systems often exploit the system login credentials or passwords of users.

Multi-factor authentication or MFA is a group of security measures that go beyond the traditional password in order to correctly identify a person for system access.

MFA is becoming more prevalent in the financial industry. This kind of authentication was adopted by the Payment Card Industry Data Security Standard (PCI DSS) in February of 2017 and was listed as a standard for the mortgage industry in the State of New York in the same year.

Multiple factors mean heightened levels of information that only the user can provide.

These factors can be a number of different security measures. A “soft token” is when security software generates a one-time-use passcode sent to the user’s mobile device. This type of authentication can also be executed with a text message, phone call, or an email with a hyperlink.

Other factors run the gamut from predefined security questions to biometric identifiers like fingerprints or facial recognition software.

Only the correct user knows the information or is in a position to receive the passcode, so using MFA means only the approved user is given access.

The Modern Office

Another issue with security is the modern office environment.

There are a growing number of remote workers. Employees want access to work-related applications from outside the office.

In this mobile workforce, employees are moving off of network-approved computers and onto personal or public machines. It’s up to the IT department to facilitate their work and make sure they go through a heightened level of security checks.

MFA is an authentication strategy that allows IT to deliver this level of remote access. It solves the problem of identifying recognized employees while maintaining a solid defense against intruders.

User Experience

The final consideration when implementing cybersecurity measures is user experience.

With higher scrutiny comes a higher level of annoyance for employees at having to prove their authorization.

IT staffers need to balance security measures with user convenience.

One development that improves this balance is “adaptive” MFA. This security technology evaluates the risk factor of the user and then adapts the number of factors required for entry to the system.

An employee using a company-issued laptop at a café with an IP address across the street from headquarters is considered a low-risk access attempt. This situation does not require extra security measures.

On the other hand, if someone is trying to gain access on an unrecognized device in a location where the company doesn’t have an office (e.g. employee is attempting to do work on her tablet while vacationing in Bali) then the number of factors required will be at the maximum level. The employee jumps through some hoops, but with an understanding of why.
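The adaptive decision described above can be sketched as a small policy function. This is an added example, not code from ABT or any MFA product; the office coordinates, the 50 km radius, the `LoginAttempt` fields and the factor ladder are all assumptions chosen to mirror the two scenarios in the text.

```python
import math
from dataclasses import dataclass

# Constructed sample data: coordinates and radius are illustrative assumptions.
OFFICES = {"headquarters": (37.7749, -122.4194)}
NEAR_OFFICE_KM = 50.0
# Factor ladder built from the factor types the article names.
FACTOR_LADDER = ["password", "one_time_passcode", "biometric"]

@dataclass
class LoginAttempt:
    user: str
    device_recognized: bool  # e.g. a company-issued laptop
    lat: float               # location estimated from the source IP
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_signals(attempt):
    """List the independent risk signals raised by one access attempt."""
    signals = []
    if not attempt.device_recognized:
        signals.append("unrecognized_device")
    nearest = min(haversine_km(attempt.lat, attempt.lon, *c) for c in OFFICES.values())
    if nearest > NEAR_OFFICE_KM:
        signals.append("far_from_any_office")
    return signals

def required_factors(attempt):
    """Each risk signal adds one more factor on top of the password."""
    return FACTOR_LADDER[: 1 + len(risk_signals(attempt))]

if __name__ == "__main__":
    cafe = LoginAttempt("employee", True, 37.7755, -122.4180)
    bali = LoginAttempt("employee", False, -8.4095, 115.1889)
    print(required_factors(cafe), required_factors(bali))
```

IP-derived location is a weak signal on its own because VPNs and proxies change it, which is why the device signal is scored separately here.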


Data breaches are happening at the enterprise level at an alarming rate. A watchdog organization called Breach Level Index estimates that every second, an average of 57 records are stolen.

Employees are moving towards a more mobile work environment with wide geographic distribution.

For companies who handle consumer data, implementing MFA is simply one of the most effective ways to crack down on security violations and keep up with the modern workplace.

Businesses that use the MortgageWorkspace management software by ABT are protected by multi-factor authentication and a host of other cybersecurity measures. Contact us to learn more.


Understanding the Importance of Email Security for Mortgage Businesses


Email is a big part of communication with mortgage applicants, but it poses many security problems. Companies are torn between their need to protect confidential financial information and the customer’s desire for convenience. Customers don't want to go through extra steps, but they'll be very unhappy if intercepted information leads to identity theft. So will mortgage employees. That's why mortgage businesses need to understand why email security is so important. 

Email standards emerged very early in the history of the internet, when security wasn't a serious concern, and unfortunately, they haven't improved a lot since then.

  • Senders can trivially impersonate other people, including their email addresses.
  • Mail goes through multiple hops, providing many opportunities to read mail in transit.
  • People often don't notice what address a message comes from, and some software even hides it.
  • Unsecure connections to mail servers are common. They send passwords as plain text, allowing for their interception.

A study by Halock Security Labs found that lenders often use unsecure email practices.

  • 70% of the loan officers in the study let applicants send tax documents and other financial information as unencrypted email attachments.
  • Only 12% provided a way of sending email securely.
  • Loan officers cited customer convenience over security as the reason for using email.

The American Land Title Association has issued rules specifying that non-public personal information, in connection with real estate sales, must be transmitted securely. It recommends adopting a written privacy and information security program for protecting such information, in order to comply with federal and state laws.

Some major services, such as Gmail, encrypt mail while it's moving between their own servers, but they can't do anything about the final hop if a message goes to a different host. People have created security measures, such as PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard), that attempt to provide vendor-independent, end-to-end encryption. Unfortunately, they are so clumsy to use that they have never caught on.

Passwords are another problem. Many people connect to mail servers using an unsecured connection, which means their passwords go through as plain text. If they combine this with an unsecured wi-fi connection, they're literally broadcasting their passwords for anyone nearby to steal. People who get mail through an application can and should use an SSL/TLS connection to their provider. This encrypts logins and other data in transit, and once they set it up, it simply works without the users having to do anything more.

Secure email portals use either a website, a special application, or an add-on to an existing application. They're a departure from how people normally send and receive their mail, but some are more disruptive than others. Finding an approach that provides security, without making customers unhappy, is a tricky balance.

The best solutions combine email and web technology. Email can notify people that information is waiting for them, and a password-protected web connection can deliver it securely.

ABT's DocumentGuardian™ is the safest and easiest way for your borrowers to send you NPI (non-public information) documents. Compliance auditors recommend it because unlike box-type file sharing apps, DocumentGuardian stores your borrower documents in our secure data center, not on individual computers and mobile devices. Loan officers and borrowers access DocumentGuardian™ through a secure browser connection, so their own logins and uploads are safe.

To minimize the risk of impersonation (called "phishing"), loan officers should advise customers to look at their mail carefully, make sure it links to the usual website, and inform them if anything looks suspicious. The consistent appearance that DocumentGuardian provides will give customers confidence that the mail they receive is authentic.

Businesses that use secure methods of exchanging documents with their customers enjoy a better reputation and are safer from charges of negligence. Contact us to learn how we can help you attain this necessary level of security.


Phishing: What to Look For and What to Do When You Recognize the Bait


Phishing is a popular cyber security term that describes a certain form of computer hacking through electronic communications. As the name suggests, the methods involved resemble baiting a hook: the attacker uses deception to persuade a person to compromise sensitive data.

Businesses that store large amounts of sensitive data, such as mortgage companies, are most at-risk of these attacks. Fortunately, with a keen awareness of common phishing tactics, many of these attacks can easily be discerned. In this article, we'll discuss specific phishing methods and what to do about them when recognized.

A Brief History of Phishing

The first occurrence of phishing was in 1995 and involved the attacker acting like an AOL representative. This deceptive bait was thrown in the water with an instant message, which lured users into giving sensitive account and billing information.

The numbers show just how effective phishing can be and how quickly this problem has grown. In any given month of 2005, around 14,000 unique phishing campaigns were recorded. In only 10 years, this number increased to around 100,000 unique campaigns per month.

Methods of Phishing

  • Email
  • Phone
  • Instant messages
  • Websites


Email

This is one of the most prevalent methods used in phishing. There are some common signs to look for, though, to help you recognize when something fishy is going on.

For starters, it’s important that you and your mortgage team are aware of potential phishing attempts. With a careful examination, these scam artists can easily be detected and reported.

A simple mistake hackers are prone to make is misspelling words and/or using bad punctuation or grammar. If these signs are detected, then a user can generally guess it's not from the professional service it claims to be. Phishing scams are effectively deceptive because they claim to be a popular company. However, a reputable company is probably not going to send a mass email with mistakes like this.

Does the email have suspicious or unexplained links in it? Such a link is likely a poisonous element you'll want to avoid clicking on. Malicious files that spread viruses could be on the other side of these links. Sometimes, you can detect a bogus link by hovering over it to see if the address it actually points to matches what's shown in the link. If the two don't match, this is a potential sign that it's a phishing attempt.

By examining the tone and content of the email itself, a user can often detect a phishing email. If there are threatening or urgent messages, this could be a sign of a phishing attempt. An example would be something like: “If you don't act fast your entire security system will be breached by an invading virus!” This sounds silly, but because they're acting as a popular company whose service you may already be using, your fear or curiosity may encourage you to click the malicious link.

With careful observance of incoming emails, a user can detect these bogus phishing attempts and thwart their intentions. The trusted services you use are not going to act in such an unprofessional manner. If there's any question about the legitimacy of an email, always contact your service provider directly and confirm, before acting on questionable email requests.

Phone calls

These are another method of phishing. Though more obvious in some ways, because phone calls involve a human element, they can be even more deceptive. Understand that no professional service you use (or want to use) is going to call you out of the blue and ask for important and confidential information.

These phone calls basically employ the same type of tactics email phishing does. In other words, they'll claim to be trying to help resolve some issue or sell you something necessary, like a software license. These cyber criminals will use deception and fear tactics to try to gain sensitive information from the user, such as passwords or usernames.

Unsolicited phone calls like this need to be approached with caution. If something feels off about a phone call you’re having, don’t offer up any valuable information. Tell them you are busy and will call the appropriate party when you have time to talk.

Instant Messages and Texting

Phishing attempts through instant messages and texts, though not as common, can still be a threat. Through the phone or social media, instant messages and texts will generally have a link and some bogus problem they want to solve. Again, deception and fear are the way they lure the user into clicking on the link in the message or offering up personal data.

These are easy to avoid and spot, yet because of the mode of communication used, users could be caught off guard. Therefore, being aware of phishing methods that involve instant messaging and text can help prevent hacking attempts.

What to Do When Detecting a Phishing Scam

If users detect any phishing scams through these methods (or any other), contacting the appropriate authorities is what to do next. For those in the U.S., contact the FTC and fill out a complaint form. For those in the UK, contact Action Fraud to report the attack. For other countries, contact your local fraud and cyber crime center to report the attempt. This will help thwart the hackers and prevent others from falling prey to their phishing attacks.

Phishing is an act of criminals who use deception and fraud to steal information from businesses and individuals for their own personal gain. Businesses like mortgage companies are particularly vulnerable to attacks on their guarded systems. This is because they have a wealth of valuable and sensitive client data on hand. The results of a successful phishing attack can be devastating and should be guarded against through awareness and maintenance of a robust security system.

Access Business Technologies understands the sensitive nature of the mortgage businesses we serve, and for that reason, we have created DocumentGuardian™. DocumentGuardian™ provides mortgage firms with a secure data center where their borrowers’ non-public information documents are stored, instead of being stored on individual computers and devices.

This is one way ABT ensures security within our MortgageWorkSpace®—our comprehensive cloud-based platform for mortgage institutions. To learn more about cyber security and our solutions for the mortgage industry, please contact us today.
