Ask any mortgage or title leader to share their list of company priorities over the past several years; chances are, cybersecurity and wire fraud prevention will consistently top the list.
Despite the industry’s unwavering commitment to fortify against cyber attacks and wire fraud, incidents have continued to rise year after year. Qualia’s 2024 survey found that 98% of title companies reported the volume of cybercrime attempts increased or remained the same over the past year. Meanwhile, the FBI’s latest Internet Crime Report shows a record number of reported complaints and a 22% increase in overall losses suffered between 2022 and 2023.
With cyber threats rising, expecting a zero incident rate — even with the strongest security protocols in place— is not a practical mindset. “I never thought it would happen to me is a phrase we need to remove from our lexicon,” remarked Reese Lacasse, Sr. Vice President & CIO of CATIC. Lacasse’s sentiments were echoed by Victor Kabdebon, Co-founder & CTO of Truework, during the panel “New Cyber Threats in 2024” at Qualia’s 2024 Future of Real Estate Summit (FORES24).
The speakers agreed that amid the increasing sophistication and prevalence of cyber attacks, businesses must adapt their mindsets. By shifting from “cyber attacks are unlikely” to “cyber attacks are an inevitability,” businesses will be better prepared to contend with rapidly evolving threats and take decisive action if an attack occurs.
The evolving cybercrime and fraud landscape: threat vectors in 2024
In the past year, cyber attacks impacting high-profile title and mortgage firms have grabbed headlines. However, it’s not only the major players under fire; small businesses are also in the crosshairs of cybercriminals.
Kabdebon and Lacasse explained that this general, nondiscriminatory influx in cyber attacks is due to three emerging threat vectors:
- The rise of artificial intelligence (AI). The increasing accessibility and sophistication of AI technology enables criminals to carry out attacks at scale. With the help of AI tools, a criminal can scrape the internet in seconds to uncover everything about an individual and execute a highly targeted phishing attack.
AI is also enabling consumers to commit “gray area” fraud. In these cases, people who have recently lost a job or run into some other financial hardship use AI to alter a document during the mortgage underwriting and preapproval process to ensure a mortgage approval goes through. This results in serious implications for mortgage companies, who must then pay $20-30k in expenses from a single default loan. - Increases in government or state-sponsored attacks. Real estate transactions have become more appealing to bad actors who realize they can disrupt entire local and global economies by freezing thousands of transactions through a single ransomware attack. Lacasse noted these attacks often occur in waves every three to four months and are influenced by mounting geopolitical factors such as elections, wars, and other international conflicts.
- More sophisticated and large-scale attacks from professional criminals. There are now underground organizations dedicated to “ransomware as a service” that help bad actors carry out attacks — complete with customer support teams and seamless payment infrastructures. Meanwhile, thanks to AI advancements, professional criminals can also carry out more sophisticated phishing attempts on C-level executives for larger payouts.
Continual improvements to fortify your business
Given the threat landscape’s ever-evolving nature, businesses cannot rely on one-time technology investments or set-and-forget processes to safeguard themselves from attacks. Lacasse and Kabdebon offered practical tips for businesses to stay on top of cyber and fraud risks.
Make incremental investments
Rather than making one-time, big investments in security, Kabdebon recommended that businesses invest an incremental amount every quarter in initiatives, partners, and platforms that help protect their businesses from growing cyber threats. “See security as an investment rather than a pure cost center,” Kabdebon said. “Spend a small amount of money every quarter towards initiatives that are tailored to your business… [rather than] paying a hundred million dollars every few years [as a response] to a ransomware attack.” He noted that platforms like Qualia are great connectors for discovering security vendors that are designed for real estate transactions.
He also recommended investing in “red teams” who help identify security vulnerabilities on an ongoing basis. These teams actively carry out “attacks” inside your company to spot holes in your processes and systems so you can fix them before true criminals discover them.
Continually reassess processes
As the threat landscape continues to evolve, leaders must consistently reassess their processes to lift teams out of autopilot and into a state of heightened awareness. For example, with the rise of deepfake technology, Lacasse explained that title professionals can still maintain the upper hand by staying alert and taking action when something feels suspicious, especially during high-risk moments such as when verifying wire instructions. This might involve asking someone on video chat to unblur their background or call you on your cell phone to prove they are real. If the person can’t perform one of these simple, human actions, they are likely using deep fake technology to impersonate someone.
Examine failures systematically
Single incidents are usually symptomatic of broader systematic flaws. When an attack occurs, instead of pointing the finger at the individual who made the mistake, use the incident as an opportunity to identify root causes and fix holes in your system and processes.
For example, suppose someone on your team wires funds to a fraudulent account. Rather than viewing it as an isolated incident, investigate the case to understand what went wrong and where additional double-checks could be added to your wiring process to prevent similar incidents in the future. You can also use the case as an opportunity to educate the rest of your staff about what fraud might look like and encourage them to ask questions.
Expect and plan for an attack
Even with a proactive and intentional approach to cybersecurity, businesses must contend with the fact that an attack will likely happen. Many companies don’t know what to do when an attack occurs, but acting fast is critical to recovering funds. Lacasse urged businesses to make sure their teams know who to call and what will happen when and after a report is made.
Together as one: industry-wide transparency in 2024
For the past several years, discussing cyber attacks and instances of wire fraud has been taboo. No company wanted to be branded as lacking in its security posture and risk losing business; thus, most incidents went under the radar and were kept quiet. Lacasse and Kabdebon believe this mindset is already diminishing but needs to be completely eliminated for the industry to protect consumers effectively.
“Criminals hide in obscurity,” Kabdebon said. By shining a light on instances of wire fraud and ransomware attacks, businesses can generate internal learnings about where processes are lacking while also giving the broader industry insight to help avoid similar attack types. “Don’t be shy about [cyber attacks] when they happen,” Lacasse said. “We need to come together to create better ideas and share information about what’s happening.”
To hear more from Kabdebon and Lacasse, watch the FORES panel discussion in its entirety.