This week, the online technology publication TechCrunch reported that millions of pages of mortgage loan documents were leaked online. More than a decade’s worth of data may have been affected, giving identity thieves access to financially sensitive documentation about every aspect of a consumer’s income, credit and assets.
The incident makes clear one potential downside of the industry’s inexorable move online. Mortgage companies have been scrambling to keep up with consumer demand for a fully digital mortgage experience. The convenience of allowing lenders access to bank records, employment and income history, and credit information electronically may save time and stress in the mortgage approval process.
However, one of the downsides to all of this digital simplicity is the risk that a cybersecurity breach could give a hacker access to all of your financial data in one place.
Knowing what to do and what not to do is essential in preventing identity thieves from using any of your personal information to obtain new credit. You also need to know how to spot scammers who will try to take advantage of consumer fear and confusion to promote bogus services.
The first thing to do if your data was compromised
Beware of incoming phone calls
Do not provide any sensitive information over the phone to anyone who calls regarding your credit card or loan accounts, or anything having to do with your bank. Insist on getting a callback number and call them back — if they aren’t for real, they will probably hang up as soon as you ask for their contact information.
The FTC suggests you “don’t believe your caller ID.” Sophisticated scammers can create a “spoof” phone number that shows up on your caller ID in the name of your bank or credit card company, but is really a con artist trying to take advantage of you.
Do not open emails or answer texts from anyone claiming to be related to the recent data breach. If you receive such electronic communication, contact the creditor or bank immediately and ask for their security department to confirm if the correspondence is legitimate.
The IRS will not call you to confirm your personal information. The IRS recommends that companies experiencing a data breach send you a letter explaining what happened, what you can do to safeguard your credit and identity and how to follow up with them.
Any conversations that you have with creditors or banks should be initiated by you, using contact information you have on credit card and bank statements that you already have on file.
How to protect your accounts
Change your passwords on any account that has online access
There is information suggesting the most recent mortgage data breach may have included public access to passwords and user IDs for a variety of different financial accounts. Change your user ID and passwords to your online bank accounts and any credit accounts that you access online.
Track your bank and credit card balances, and notify your bank or credit card company immediately if you see any unusual charges or withdrawals.
Subscribe to a credit monitoring service
Your bank or an online credit monitoring service will provide up-to-date information about any new inquiries made. If you see unusual activity, then you may want to follow one of the steps below to activate a credit freeze with all of the credit bureaus so no new credit can be opened without direct contact with you.
What to do if you see signs of identity theft
If you have evidence that new credit accounts are being opened, or if someone has accessed your bank account, there are several steps you need to take to notify authorities and fraud departments at your bank and creditors.
Call your bank first, brokerage accounts second
You need to make sure that your assets are not liquidated, so contact your bank immediately. Most banks have fraud protection measures in place to replace any stolen money quickly. The sooner you contact the bank, preferably in person, the quicker a report can be filed, your old account closed and a new one opened.
Brokerage accounts don’t have the same identity-theft protections that bank accounts do. If you have mutual funds, IRAs or 401(k)s, you should contact the brokerage. If you do see any suspicious activity, you’ll also want to contact the Securities and Exchange Commission.
Contact your creditors next
Credit card companies have fraud and identity-theft departments. Their contact information is often on the back of your credit cards, so contact them immediately to let them know your information has been used without your authorization. They may need you to fill out police reports and provide additional follow-up as the fraud department investigates your claim.
Make sure you contact the IRS
It may not be top of mind, but come tax time, you may get an unpleasant surprise if you learn someone filed a tax return on your behalf. This happened during the 2017 Equifax breach — because returns are filed electronically now, it’s much easier for an identity thief to try to get a tax refund using your identification information.
Consider putting a fraud alert on your credit
The Federal Trade Commission recommends putting a credit freeze on your credit if you suspect or are in the process of an investigation into identity theft of your personal information. You will need to validate any new credit requests that you make, and some lenders, especially mortgage companies, will need you to release the freeze if you try to apply for a home loan in the future.
If you haven’t actually experienced any fraud but have been notified by a company that you did business with that they experienced a breach of data, then you might want to start with a fraud alert. Unlike a credit freeze, a fraud alert allows your credit information to be accessed, but it lets any creditors know that you suspect or are concerned that your information may have been compromised.
Put everything in writing
You’ll want to have a date-stamped written record of all communications, in case you end up needing to take legal action to recover your losses. Police and federal investigators may need this correspondence to pursue investigations against identity-theft criminals.
The FTC also has an identity-theft affidavit that can be completed and provided to law enforcement.
Watch out for signs of breach scams
Impostor scammers will try to play on fear and confusion by creating schemes to defraud you out of money for extra security services or even lawsuits representing your interests and promising large payouts if you’ll just join their list. They may call, email, send letters or even knock on your door claiming to be law enforcement or an agent of a federal agency.
If anyone tries to charge you an upfront fee of any kind to protect you from further breaches, or to include you in any kind of legal action, hang up the phone and contact the authorities. Given the size of this mortgage breach, you’ll want to sign up for the Federal Trade Commission’s scam alert service to find out if there is a pattern of new scams related to this leak.
Bogus mortgage servicing transfer letters or phone calls
Because data was accessed from companies that service mortgage loans, hackers may send you notices of a transfer of servicing and tell you to make your payments to a new mortgage company or location. Use your recent mortgage statement to contact your current mortgage company if you get any notices.
Also, be sure to file a complaint and provide a copy of the email or mail correspondence to the authorities if they request it.
Be prepared to monitor your credit and assets frequently
The FTC provides excellent resources regarding what to do if you are a victim of identity theft.
Identity thieves may wait a while to use your data. The info you provided to get your mortgage provides a great deal of detail about your financial profile, which means a scammer can impersonate you for many types of online credit and financial transactions.
Once you give notice to your creditors, banks and the IRS, they will at least be on notice to watch for activity. Their correspondence should be in writing and provide you with verifiable contact numbers for any information requests.