Tech Tip: Trust but verify 
Matthew Cosgrove, GreenStone VP of Information Security
Tech Icons

The previous few months have been busy for cybersecurity professionals. We have seen two large scale alleged national-state cyber-attacks that have impacted tens of thousands of organizations throughout the globe across every industry. 2020 ended with a supply-chain attack against SolarWinds, that impacted over 18,000 organizations that used their network monitoring software. This attacked allowed the cyber-criminals the ability to spy on state and federal computer networks. 


Then in March, Microsoft was impacted by 4 zero-day vulnerabilities that have left over 30,000 on-premises Exchange servers compromised. An Exchange server is used by organizations for email communication, among other things. A single Exchange server can host hundreds of individual email accounts. This means that the number of individual email accounts compromised will be unknown for months if not years to come. 



Fortunately, GreenStone was not impacted by either of these recent cyber-attacks. We followed the prescribed guidance from CyberSecurity & Infrastructure Security Agency (CISA), Department of Homeland Security (DHS) and the vendors.  



The sheer number of newly compromised email accounts mean consumers everywhere could begin to see a tsunami of phishing emails from legitimate email accounts. These phishing emails could contain very specific or sensitive information that normally only the sender would know. This might include loan information or other sensitive conversation information. According to a report released by NTT Communications “59% of phishing attacks in the Americas relate to finance” (NTTSecurity, 2018). The reason the cybercriminals keep doing this is because of the endless potential for financial gain.   



Why is this important?   

This influx of newly exposed data and personal information provides scammers the perfect foundation to build communication that is tailored towards you. On top of that, they already have access to a treasure trove of public records, including information like your principal mortgage amount and the institution that hold the mortgage note. These details are public information, and is not only used by cybercriminals but also by companies trying to solicit you with all types of goods and services.   



There is a handful of ways that companies can obtain that information. One potential way is they purchase that information from the financial service provider – GreenStone does NOT sell any of your personal or financial information. Another way is they obtain that information from creditors after you met a certain credit criterion, this is often referred to as a “prescreened” offer. 



How do you protect yourself from falling victim to these attacks? 

With any email message – trust but verify, never open email attachments or click on URLs from senders you do not know or from emails you were not expecting. It only takes one wrong click, and you could end up with a computer that has now caught a virus or ended up providing your username and password into a “look alike” login page for your email account – all without even knowing it. 



With any mortgage mailer that comes in “snail mail,” knowing how they got the information goes a long way. Most of these mailers catch us by surprise because we are unaware that the information that is on the letter is public information.  



When I received my first mortgage mailer, I was shocked that this company - which I did not have a business relationship with – knew what I thought was sensitive information like my mortgage principle. In reality, I now know this information is regulated to be reported and becomes public information. 



The Federal Trade Commission highlights on their web page two steps individuals can take to help reduce the number or unsolicited mailers -


  1. Call 1-888-5-OPTOUT (1-888-567-8688) or visit to opt out of prescreen offers. 
  2. Put your phone number on the federal government’s National Do Not Call Registry to reduce the telemarketing calls you get at home. To register your phone number or to get information about the registry, visit, or call 888-382-1222 from the phone number you want to register.  


There is no magic bullet that will completely or entirely eliminate all risk nor solve all the issues. To help, look for the clues that the mail is junk mail. An example is irregular text – like all “CAPITALS” within sections of the mailer your name, mortgage amount or lender; or the mailer not visually reflecting the same logo or design as most mailers you might get from your lender – these can be giveaways that your information came off a purchased list. Regardless how “real” it looks, you can always call your local lender to verify its authenticity! 


Enjoy the beautiful spring weather and save a tree or two by opting out of these junk mailers.



NTTSecurity. (2018). 2018 Global Threat Inteligence Report. Retrieved from Phishing Box: 


To view the article in the online 2021 Spring Partners Magazine, click here.


Get the Latest Partners Articles!

Subscribe via RSS to receive notifications.

Subscribe with RSS