Shadow IT Preys on
This cloak-and-dagger cyberthreat can wreak havoc if safeguards are not in place
By Al Alper
To stay technologically protected, mortgage originators need to understand what cybersecurity threats look like within their industry. Specifically, they need to know
what types of attacks are prevalent in the industry and
what they are focused toward or leveled at.
Recently, the mortgage industry has been facing a
threat coming from the shadows. It’s known as Shadow
IT — a threat faced by other industries that also deal
frequently with monetary transactions and personal
data. Shadow IT is a term used to describe situations
in which hackers use bots and other technologies to
breach computer systems.
In financial transaction-based industries with many
participants involved in each transaction — like the
mortgage industry — this Shadow IT typically targets
the e-mail systems of those who are directly involved
in the transactions of the targeted industry. These
Shadow IT hackers set up both automated and manual
systems to watch e-mail traffic. They patiently keep
an eye on e-mail exchanges until a point in time when
money is going to be moved, and then they move in
— assuming the role of one of the individuals involved in
the transaction — and redirect the money to themselves.
Because they’ve been watching the traffic, they
know who the players with authority are. They know
where the players are. And they have the ability to
stop e-mails from forwarding to the intended recipient’s inbox.
Think about a hacker breaking into a commercial loan
originator’s e-mail, for example. The loan originator
has been working on the sale of a $30 million building. The hacker, meanwhile, has gone unnoticed while
having access to and reading every e-mail pertaining
to this sale, silently watching and waiting for things
The process then reaches the point where the buyer
is ready to move money into an escrow account.
Once this occurs, the hacker assumes the role of the
originator: E-mails were previously landing in both the
originator’s inbox and the hacker’s inbox, but now the
hacker prevents e-mail from landing in the originator’s
inbox and takes over communication.
The hacker sends an e-mail disguised as the originator
to the buyer’s attorney with instructions on which
account to wire the money to — namely, their own
untraceable account as opposed to the originally intended account. Because many mortgage companies
either don’t have the appropriate policies in place, or
don’t stress to employees to follow the appropriate
protocols, most of the time this money is long gone
before it’s even noticed to be missing — well beyond
the 24-hour time frame the FBI says it needs to claw
money back from scammers.
Another example of hackers using a Shadow IT scam
to cause harm to the mortgage industry involves obtaining money through a different means — in this case,
extortion. By once again breaking into a user’s e-mail,
hackers can access a list of all open transactions and
threaten to contact each entity on that list to inform
them their personal information has been breached. The
hackers then tell the business they will do precisely that,
unless they are paid a sizable ransom.
At a minimum, a mortgage company may have to
revise information for tens of thousands of transactions. Doing nothing risks the company’s reputation,
and should a hacker act on their threat, the volume of
transactions that could die on the vine because no one
trusts the company anymore is staggering.
Falling victim to a hacker’s Shadow IT realm, however,
is not inevitable. In fact, there are some rather simple
steps mortgage companies can implement to protect
against this underworld threat. Straightforward internal
protocols that are continually tested, audited and
confirmed go a long way toward keeping networks safe.
In the aforementioned example involving e-mail
interceptions, one prevention strategy is to ensure
the company has a system in place whereby everyone
involved in the mortgage process has a list for each
transaction that outlines the authorized players, the
authorized banks and the authorized e-mail addresses.
They also should be instructed to pick up the phone
and seek confirmation should anything deviate from
that set list — thereby preventing money from being
authorized for transfer to a scammer’s account.
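The per-transaction list described above can be enforced as an automated check before any wire is released. The sketch below is an added example, not part of the original article; the class names, function names and all sample values are constructed for illustration. It shows that a message sent from a compromised originator's own mailbox passes the sender checks and is caught only because the bank account deviates from the list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TransactionList:
    """Per-transaction list of who and what is authorized (all values constructed)."""
    transaction_id: str
    players: frozenset   # authorized people
    emails: frozenset    # authorized e-mail addresses, lowercase
    banks: frozenset     # authorized (routing number, account number) pairs

@dataclass(frozen=True)
class WireInstruction:
    transaction_id: str
    sender_name: str
    sender_email: str
    routing_number: str
    account_number: str

def deviations(instr, approved):
    """Return every way the instruction departs from the approved list."""
    found = []
    if instr.transaction_id != approved.transaction_id:
        found.append("transaction id does not match")
    if instr.sender_name not in approved.players:
        found.append("sender is not an authorized player")
    if instr.sender_email.strip().lower() not in approved.emails:
        found.append("sender e-mail is not on the list")
    if (instr.routing_number, instr.account_number) not in approved.banks:
        found.append("bank account is not on the list")
    return found

def decide(instr, approved):
    """Release only when nothing deviates; otherwise hold for phone confirmation."""
    found = deviations(instr, approved)
    return ("HOLD_AND_CALL" if found else "RELEASE", found)

# Constructed sample data for one transaction.
APPROVED = TransactionList(
    transaction_id="TX-0001",
    players=frozenset({"Pat Originator", "Sam Attorney"}),
    emails=frozenset({"pat@lender.example", "sam@lawfirm.example"}),
    banks=frozenset({("000000001", "1111222233")}),
)
GENUINE = WireInstruction("TX-0001", "Pat Originator", "Pat@Lender.example",
                          "000000001", "1111222233")
# Sent from the originator's real mailbox: name and address match, only the account differs.
HIJACKED = WireInstruction("TX-0001", "Pat Originator", "pat@lender.example",
                           "000000002", "9999888877")

if __name__ == "__main__":
    for msg in (GENUINE, HIJACKED):
        print(decide(msg, APPROVED))
```

The confirmation call should go to a phone number recorded when the list was created, not one taken from the message under review.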
Established procedures that demonstrate a strong
cybersecurity posture, coupled with policies that
demand employees live up to these requirements, are an
effective and inexpensive way of promoting a security-centric environment. Such procedures also bolster a
company’s overall cybersecurity.
Supporting cybersecurity policies and procedures
with the right technology and the right training will
further lessen the chances of falling victim to a Shadow
IT hack. Many mortgage companies have already invested in the technology, as most businesses really can’t
operate without technological necessities like spam
filtering, firewall protection and endpoint detection.
Good anti-malware and anti-spam technologies, as well
as a good firewall, are relatively inexpensive solutions that
are not too difficult to implement — although implementing a firewall does usually require the help of a
skilled IT person. Technologies that help to monitor and
mitigate threats that stem from social media (especially
for companies that use social media to better identify
and connect with their clients) also are vital in today’s
world and are, therefore, critical investments.
Additionally, requiring more complex passwords
that are changed frequently also can be an effective
strategy that, in conjunction with other efforts — such
as multifactor authentication, 10-minute screen savers,
individual logins, backup and disaster-recovery plans,
acceptable use and other similar efforts — add up to
support a much more secure operating environment.
Mortgage companies also should commit to ongoing employee education and training designed to
help employees become aware of their technological
habits and, just as importantly, to help them recognize
how those habits can be used against them. The goal
of such training is to get employees to change the way
they think about what they do each and every day so
that cybersecurity is at the front of their minds.
Cybercrime has always taken place from the shadows.
Now, with Shadow IT systems built by hackers, the
threat is even more imminent to the mortgage industry
and the potential repercussions are even more damaging.
Through consistently enforced protocols and policies,
however, as well as effective cybersecurity technology
and training, the mortgage industry can help shine
a light on these potential threats, exposing them and
weakening their impact. ■
Al Alper is CEO and founder of Absolute Logic (absolutelogic.com)
and CyberGuard360 (cyberguard360.com). Since 1991, Absolute Logic has been providing Fortune 500-style technical
support, security services and technology consulting to
businesses of up to 250 employees within Connecticut and
New York. Absolute Logic was named a National Cyber Security
Awareness Month 2017 Champion. Alper also is a national
speaker on information technology and security issues. Reach
him at firstname.lastname@example.org or (855) 255-1550.