Data Breaches from Email Phishing Scams Still Rocking Mortgage Industry: WEI Mortgage latest victim.
Just today the industry learned that WEI Mortgage has discovered a data breach from an email phishing scam last Fall that appears to have exposed loan file information and borrower personal identifying data such as Social Security numbers to outside parties.
Back in October 2016 I wrote that Wells Fargo Bank and the Federal Bureau of Investigation (FBI) had issued separate alerts throughout the industry regarding settlement agent wire fraud. The reports provided details of a widespread scam whereby criminals are hacking attorney and title agent email addresses and changing wire instructions prior to closing. When the new instructions are not validated the criminals make off with the mortgage proceeds. Despite these warning, this crime scheme is spreading as title agents, lenders, attorneys and the consumers they serve are finding out to their great harm. WEI is only the latest victim.
According to Wikipedia, Phishing is “the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”
Although the FTC, through the Graham-Leach-Bliley Act, and the Consumer Financial Protection Bureau (CFPB) have broadcast the need for data security and privacy measures to protect consumer non-public, personal information (NPPI), many banks either are unable or unwilling to implement the steps required to root out and block criminal enterprises in the US and overseas who are busy hacking into email accounts.
Several incidents around the country in the past year have reflected a similar theme. Hackers accessed a lender’s email, either through a borrower’s address, a loan officer using a personal email domain not protected by a lender’s network, or an attorney’s email. The scammers then sent an email, either to the title agent, attorney or to the closing department of the lender, including revised wiring instructions. The wires were then sent to the criminal’s bank and not the intended recipient. In one case in Florida a title company is accused of neglecting to conduct appropriate internal data security measures after it received a bogus wire instruction and sent it off to a consumer who then wired the seller’s proceeds to someone else. With the money long gone, the seller sought recovery against the agency and the buyer for their alleged negligence.
Affirmative measures to combat this crime are being implemented by many in the industry. For example many lenders are taking an extra step and checking the ABA routing number and bank account number with the Federal Reserve website to verify that the account is actually at the bank indicated. Others are sending a verification of trust account to the settlement agent’s bank to verify that the account is truly a trust account in the name and for the business of the title agent, attorney or other closing professional.
Most title agents are now sending lenders and attorneys their title reports with cover letters containing language in red or bold black print with instructions such as: We no longer send wiring instruction by email, please call our offices to verify the proper bank information!
Phishing is not a new problem. I have located articles dating back to 2005 warning consumers and lenders about email phishing schemes designed to access and steal NPPI. It is clear that this is a serious problem that is getting more serious as technology has advanced and criminals have become more resourceful and bold.
Today’s announcement by WEI Mortgage is yet another acknowledgement that electronic innovation in society generally and in the mortgage banking industry specifically, while offering tremendous benefits also offers serious perils. With federal and state regulators very firm positions on lender obligations to protect consumers from harm due to data security breaches, and lawyers lining up to file lawsuits for damages, every lender is on notice that they very well could be the next victim. Cyber liability insurance coverage carriers are surely experiencing a booming sales period.