Could Your Mortgage Lender Be Hacked? How to Protect Yourself

In back-to-back months, Mr. Cooper and LoanDepot — two of the nation’s largest mortgage lenders — made headlines for experiencing cyberattacks that exposed the data of more than 30 million people combined.

Mortgage lenders haven’t been the only recent targets. Title insurance companies Fidelity National Financial and First American Financial each experienced cyberattacks in November and December 2023.

“If you see one attack against an industry or a group of organizations, it’s pretty common you’ll see others,” says James E. Lee, chief operating officer of the nonprofit Identity Theft Resource Center.

Whether you’re applying for a mortgage or already have one, your sensitive information is out there — and hackers could use it against you. Even if your mortgage isn’t with Mr. Cooper or LoanDepot, these breaches are a wake-up call. Here’s how to protect your data and spot common scams.

On Dec. 15, 2023, mortgage giant Mr. Cooper acknowledged that an October 2023 hack exposed the personal information of “substantially all of our current and former customers,” according to a filing with the Securities and Exchange Commission. Compromised data included more than 14 million customers’ names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers.

“We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers’ trust,” said Jay Bray, chairman and CEO of Mr. Cooper Group, in a press release. “I want you to know how sorry I am for any concern or frustration this may have caused.”

On Jan. 4, 2024, hackers broke into systems at LoanDepot and encrypted, or digitally locked up, company data, the lender confirmed in an SEC filing. LoanDepot hasn’t elaborated on the data involved in the attack. However, in a statement dated Jan. 22, the company disclosed that about 16.6 million individuals were affected.

“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared,” LoanDepot CEO Frank Martell said in a press release. “We sincerely regret any impact to our customers.”

You can’t predict where hackers will strike, but you can make yourself a harder target by freezing your credit. Under a credit freeze, no one (including you) can open new accounts in your name. Freezing your credit is free and won’t harm your credit score. To do so, contact each of the major credit reporting companies: Experian, TransUnion and Equifax. You can also request a fraud alert, which requires a business to confirm your identity before opening a new account.

If you’re buying a house or refinancing, you’ll need to lift the credit freeze to complete the mortgage underwriting process. (A credit thaw is also free, and credit bureaus must respond to your phone or email request within an hour.) After you close, you can reinstate the freeze.

Freezing and unfreezing your credit might seem a bit inconvenient, but it’s a lot easier than clearing up the mess of identity theft.

If your information is exposed during a data breach, the company will typically mail you a letter. When you get that letter, act quickly: It might include a time-sensitive offer to enroll in free credit monitoring and/or identity theft protection services. You can check if you have a similar service available through your employer or homeowners insurance company.

To assess the effects of a cyberattack, companies may shut down online account access, bill pay or mobile apps. “Those are actually things that, although inconvenient, they’re helpful,” Lee says. “That’s what the organizations should do to ensure that your data remains safe.”

In LoanDepot’s case, mortgage origination and servicing system outages persisted for weeks. (A mortgage originator provides the initial loan to buy a house; a mortgage servicer handles payments after you close.) Customers took their frustrations to social media and online forums.

If your mortgage lender is hacked, check official channels for updates. Mr. Cooper and LoanDepot set up incident response webpages. There, they recommended making payments by phone, mail or money transfer services like Western Union or MoneyGram. LoanDepot noted that recurring automatic payments were working.

Expect the company to address missed payment implications, too. In a statement, Mr. Cooper said customers who couldn’t make payments as a result of the cyberattack would not incur penalties, late fees or negative credit reporting.

Why do hackers target mortgage lenders? Think of all the players involved: Your lender, maybe another bank or credit union — and also title insurance providers, real estate agents, homeowners insurance companies and escrow services.

“Each one of them becomes an opportunity for an identity criminal to infiltrate that organization, and then gain access to all of the information throughout the entire process,” Lee says.

Home buyers are inundated with time-sensitive emails and phone calls: Sign this. Send that. Transfer money here. Phishing scams prey on that sense of urgency, notes Lisa Plaggemier, executive director at the nonprofit National Cybersecurity Alliance.

What seems like a legit email about your mortgage might actually be from a highly skilled identity criminal. To protect yourself, always double-check the sender’s address. Often, criminals will use a lookalike that’s just one character off from the real thing.

The FBI received more than 11,000 complaints of real estate fraud in 2022. That includes wire fraud, such as attempts to steal a down payment. “Bad guys are going to go where the money is,” Plaggemier says.

To avoid becoming a victim, ask your lender or agent to verify the official details of the wire transfer. One red flag: If you get an urgent-sounding email changing the account number at the last minute, it’s probably a scam.

If your down payment goes to the wrong account, act fast. According to the Coalition to Stop Real Estate Wire Fraud, an industry education group, you have the highest chance of recovering your money within 24 hours of discovering the error. Call your bank and issue a recall notice. You can report fraud to the local police or FBI office and file a report at reportfraud.ftc.gov.

Unfortunately, there’s no seal of approval for a mortgage lender’s culture of data security.

And just because a company was hacked doesn’t mean it’s more at risk in the future, notes Plaggemier.

“It’s actually often the case that companies that have had a problem have reacted really well to it, and have a much better security program than they had before the problem happened,” she says.

Data breaches can happen to anyone, so Plaggemier recommends four key actions to protect yourself: create strong passwords; set up multi-factor authentication; keep operating systems and antivirus software up to date; and stay vigilant against phishing and other social engineering attempts.

Shame around identity theft leaves some people hesitant to ask for help. But the truth is, criminals are getting savvier — and even the smartest among us could fall for their tricks.