As artificial intelligence improves, the
"The next novel type of attack that's AI enabled hasn't happened yet," said Chris Tammen, solutions marketer at identity and data security software firm Entrust, during a panel at the Mortgage Bankers Association's Secondary and Capital Markets Conference in New York.
"AI is making the guys that were at the bottom of the pole do things better and faster, and it's making the skilled adversaries — the guys at the top of the food chain— just do things that much quicker, that much faster," he added, echoing sentiment heard across the cybersecurity industry.
Today, risks coming from impersonation and third-party vendor weaknesses are already key vulnerabilities, the panelists said. But there are tools to prevent such attacks and updated guidance from leading government-sponsored enterprise Fannie Mae to encourage best practices should be released later this year.
Where cyber criminals are noticeably "sophisticated" in their ability to commit fraud today is via social engineering, according to Fannie Mae chief information security officer Chris Porter.
"This is where you're tricking a person into doing something that they wouldn't otherwise be able to do," he said.
Perpetrators have successfully found methods and the required data to pass themselves off as a company employee, with enough knowledge to convince colleagues to reset passwords, effectively circumventing authentication processes in place. The process taken to get to that point involves obtaining access to private cell phone numbers and rerouting calls, thereby throwing the door wide open to criminals to internal systems.
"Now that particular piece of authenticating who they are isn't working. They've been pretty prolific with this. That particular actor group has hit multiple industries and various phases over the last year," Porter said.
With several different parties involved in home sales transactions, any business with a stake in them, as well as the vendors they might employ, can serve as the conduit to cyber fraud. Some of the companies hit by cyber hacks in the past two years attributed holes in
"We've got mortgage bankers, Realtors and title companies and everybody else involved. It's just a very complex system. And so I think that's what keeps it very difficult for most folks," according to Tammen.
To encourage the industry to pay attention to best practices around cybersecurity, Fannie Mae will update its selling guide later this year to address a full range of issues, including incident notification
"I think the threat of a cyber attack that can take down your systems for multiple days at a time really increases the need to have better business resiliency due to a cyber attack," Porter said.
Although some information about security programs and data protection pieces can already be found in the guide, certain important topics weren't covered at all, Porter said.
"We're not prescribing the level of detail of what companies need to do, but we do want to make sure that those requirements are consistent across all of those lenders that are out there."
Some protections companies can currently find to help them combat different forms of fraud are free or low-cost tools, such as self-assessment tests, that already exist in the market, panelists noted.
The tests help financial firms gauge their preparedness, particularly against ransomware attacks, a crime the mortgage industry has
First rolled out for banks in 2020 by the Conference Of State Bank Supervisors, a new version was released late last year and made available on its website. Some state regulators already require their banks to take the assessment.
At the same time, a similar test offered to nonbank institutions, including mortgage and title businesses, is currently being updated and expected to be rolled out this summer. The updates were necessary as risks are constantly changing, according to Brad Robinson, senior director, cybersecurity policy and supervision at CSBS.
"Over the last two or three years, we've seen threat-actor behaviors get a lot more sophisticated, a lot crazier," he said.
By design, the tool offers no score matrix. "There's always room for improvement in every single one of our organizations, and we would rather an organization take the time to fill out those 20 questions and talk about the results rather than — 'Here's the score matrix. We did fine,'" Robinson said.
But even while mortgage and real estate industries might stand out as potential prime targets for fraud due to the complexity and amount of their transactions, they might take some comfort that cyber criminals do not appear to have them specifically in their crosshairs, despite the frequency of events, Porter said. Instead, criminals look at the landscape of financial services as a possible gold mine, searching for the weak links.
"It does not appear that the mortgage industry itself is explicitly being targeted. It's more of targets of opportunity within the industry," he said.
