Cyberattacks using gen AI are on the rise, experts warn, and title companies, lenders and real estate firms are all in the crosshairs. On Tuesday, the FBI released a public service announcement warning that bad actors are now enlisting gen AI to commit more sophisticated forms of financial fraud.
This is déjà vu for many in housing: in November of last year, Mr. Cooper Group suffered a debilitating data breach, followed by a hack of loanDepot in January that disrupted business for several weeks.
CoreLogic’s 2024 Annual Mortgage Fraud Report found an 8.3% annual increase in mortgage fraud risk at the end of Q2 2024. And credit bureau Experian, which released its 12th annual Data Breach Industry Forecast, warned of cyberattacks in 2025 that would target power systems in order to disrupt cloud infrastructure. This will remind many in the industry of the ransomware attack on cloud provider Cloudstar in 2021 that left hundreds of title companies and lenders unable to conduct transactions or close loans for months.
Now, bad actors are getting more creative, thanks to gen AI. Proof’s Chief Information Security Officer (CISO) John Heasman predicts an “arms race” as we head into 2025.
“I think what we’ll see in 2025 is threat actors revisiting a whole bunch of attacks and figuring out how to use gen AI for phishing. If you think of phishing historically, the advice companies would give their employees or consumers is to look out for anything that seems off in the email, such as typos. Well, gen AI solves all of that. It makes the email look authentic,” Heasman explained.
He continued, “We’re entering a period where it’s going to be an arms race that will continue. These attacks will get cheaper and more sort of commoditized to carry out, and then companies will have to respond accordingly.”
Heasman is concerned that the data available to bad actors will only continue to grow, exacerbated by social media exposure and a growing reliance on the cloud for information storage. And it’s getting cheaper and more accessible for actors to carry out a breach.
“A few years ago, we did not have the capability to generate authentic-looking video in real-time,” he said. “Now we can do that on a lower budget for both video and audio.”
Kevin Nincehelser, who is CEO of cybersecurity firm Premier One, says that AI use in cyberattacks has ramped up over the last year, allowing attackers to be more sophisticated and speedy in executing a breach.
“Amazon has seen an increase in attacks from 100 million per day to 750 million per day,” Nincehelser said. “This is primarily driven by the adoption of AI technologies, which attackers are using to ramp up volume. And it’s as with any other business model, the more calls you make, the more sales you get. So from an attacker’s perspective, the more volume they’re pushing, the more success they’re going to have.”
Besides AI, Nincehelser says he’s also observed a growing trend of worker migration, which could mean issues for companies’ data governance. “We’re not in the days where people stay in their jobs for a long time anymore…companies have to be investing more in data protection and how to protect that data, client lists, and contacts from going out the door with employees when they leave,” he said.
Stephen Millstein, owner and counsel for Certified Title Corporation, felt the damaging effects of a breach firsthand during the 2021 Cloudstar ransomware attack.
“I had no access to any data,” Millstein said, recalling the event. “So imagine, not only did I have no access to anything, but if we had money, I didn’t know whose money it was. I couldn’t access information to put closings forward. If someone was buying a house tomorrow, I couldn’t find their title binder…I couldn’t access my entire company’s 20-something-year data because it was all frozen by the ransomware of people at Cloudstar.”
Millstein said suffering an attack has made him take a better-safe-than-sorry approach to running his business. “We’re in an industry that I would say is largely under attack, and every day you have to operate your business assuming the worst. And it’s challenging to do that because to combat these attacks by fraudsters, you have to put speed bumps in place that slow the process down and require additional steps,” he explained.
“I need to validate wiring instructions, I need to verbally confirm things, I need customers to log into this portal and provide security information so that we can verify it for them. And what’s fascinating is because a lot of people don’t operate in this environment, they perceive you as being an obstructionist and impeding the flow.”
Authorization and authentication are key in securing sensitive information, says Justin Reinmuth, founder and CEO of technology risk underwriting group, techrug. “I think there’s gonna have to be a security to check the security,” Reinmuth mused. “We haven’t seen, you know, a lot of AI claims, but I think that it’s going to be a problem…you can’t necessarily trust the information that you’re getting.”
Millstein says he now works with Premier One for additional protection, and he hasn’t been discouraged from using AI so far. “We have implemented both AI and just very basic security measures…It’s still not a guarantee, but you know it, it significantly reduces the potential for that fraud to take place,” he said.
“But it’s scary, you know, we still have to operate our business… we have to be hyper-vigilant because when you are running a business that deals with moving around millions and millions of dollars all the time, there’s always going to attract somebody who wants to try and steal that money from you.”