Mortgage companies face strict regulatory requirements for handling financial documents and customer data. This leading mortgage company monitors 400 employees to ensure compliance with federal regulations while building legally defensible evidence for any violations.

The stealth approach prevents employees from altering behavior during investigations and maintains the integrity of evidence needed for regulatory reporting. After three years of deployment, they’ve successfully caught document fraud, protected client lists from departing salespeople, and—equally important—cleared innocent employees of false accusations.

Their IT security lead rates Teramind 10 out of 10, citing not just the technology but the exceptional support that has made their stealth investigations possible and effective.

The Challenge: Protecting Client Data in a High-Stakes Sales Environment

Mortgage companies face unique security challenges. Sales teams build valuable client relationships over years, and when employees leave—often poached by competitors—the temptation to take client lists can be overwhelming.

“We are a sales environment. So obviously there are people that would leave us to go to another company for sales because they’re being poached,” the security lead explains. “We need to make sure they’re not trying to take their client data list with them.”

Beyond data theft, the company faced an even more serious threat: document fraud. In the mortgage industry, altered documents can have devastating legal and financial consequences.

The Selection Process: Cloud-Based and Lightweight

When evaluating solutions, the company had specific technical requirements:

• Cloud storage without local server dependencies 
• Minimal CPU usage to avoid slowing machines 
• Modern, actively maintained platform 
• Comprehensive screen recording capabilities
  
  

“We looked at two or three in total, including Teramind, and we just liked what Teramind had to offer and felt like it was being more modern or kept up to date than at least one of the competitors was,” the security lead recalls.

AWS Infrastructure: The Foundation That Makes It All Possible

Running Teramind on AWS infrastructure has been crucial to the mortgage company’s success, providing enterprise-grade capabilities without enterprise overhead.

“The AWS infrastructure just works seamlessly in the background,” the security lead notes. “We’ve never had monitoring downtime, and when we scaled from 200 to 400 employees, it was completely transparent—no server upgrades, no capacity planning, nothing.”

Key AWS Benefits Realized:

• 99.9% Uptime: Continuous monitoring ensures no gaps in evidence collection during critical investigations
• Unlimited Storage: AWS S3’s virtually unlimited capacity allows indefinite retention of screen recordings for legal compliance
• Cost Optimization: Pay-as-you-use model with automatic storage tiering reduces costs as investigation data ages
• Built-in Security: AWS’s SOC 2 compliance and encryption capabilities support the mortgage industry’s strict regulatory requirements
  
  

“What really sold us on the AWS deployment was knowing we’d never have to worry about running out of storage space for evidence, and the cost actually decreases over time as our older investigation data automatically moves to cheaper storage tiers,” explains the security lead.

Full Stealth Mode: The Key to Effective Investigations

The company made a strategic decision to run Teramind completely in stealth mode—employees have no idea they’re being monitored. This approach serves multiple purposes:

1. Preserves investigation integrity: Suspects can’t alter behavior if they don’t know they’re under scrutiny
2. Maintains legal confidentiality: The monitoring capability itself remains protected information
3. Enables authentic evidence gathering: Natural behavior provides the most accurate picture
   
   

“We run in full stealth so we don’t want to tip anybody off that we have something that’s recording their actions, especially when we have to use that legally,” the security lead explains.

The most significant victories have come in detecting document fraud—a serious crime in the mortgage industry.

Case Study: The Altered Document

The company suspected an employee had modified borrower documents to meet loan requirements. Using Teramind’s keylogger search function, the security team could pinpoint exact moments when numbers were changed.

“We’ve had success where we suspected somebody on the team modified a document, whether it was altering numbers on it to basically meet the requirements,” the security lead shares. “They wanted to add an additional $300, for instance.”

The investigation revealed multiple versions of the same document with different values—clear evidence of fraud. Teramind showed:

• Where the employee pulled the original file
• When they made changes
• Where they saved multiple versions
• How they submitted the altered document

This evidence went directly to legal and HR for additional proceedings.

AWS Integration: Enhancing SecOps and Threat Detection

Beyond just hosting Teramind, AWS enables powerful integrations with the company’s existing security operations stack, creating a comprehensive insider threat detection ecosystem.

The security team leverages AWS’s robust integration capabilities to feed Teramind data into their broader security infrastructure:

• SIEM Integration: Teramind alerts and behavioral data flow directly into their Security Information and Event Management system via AWS EventBridge, correlating user activity with network logs and system events
• SOAR Workflows: AWS Lambda functions trigger automated Security Orchestration, Automation and Response playbooks when suspicious activities are detected, streamlining incident response
• Threat Intelligence Feeds: AWS APIs allow real-time correlation of Teramind findings with external threat intelligence sources to identify sophisticated insider threat patterns
• Automated Alerting: AWS CloudWatch monitors for specific behavioral patterns and automatically escalates high-risk activities to the security team
  
  

“Having Teramind data integrated into our SIEM gives us a complete picture,” the security lead explains. “We can see if someone’s accessing sensitive documents at unusual hours, correlate that with VPN logs, and automatically trigger our incident response procedures—all without manual intervention.”

This integrated SecOps approach recently helped identify a potential data exfiltration attempt where an employee accessed client files outside business hours. The SIEM correlation with network traffic logs confirmed the suspicious activity within minutes, enabling immediate containment.

Proving Innocence: The Other Side of Investigation

Just as important as catching bad actors is clearing innocent employees. Teramind has proven equally valuable in disproving allegations.

“It’s also helped prove innocence—suspicious activity being reported that it’s also proved to be everything is legit,” the security lead notes. “It’s been used to validate that the person didn’t do anything wrong either.”

This dual capability protects both the company and its employees, building trust in the investigation process.

The Investigation Workflow

The security team has developed an efficient investigation process:

1. Alert triggers: Compliance or legal reports potential issues
2. Keyword searches: Using keylogger data to find specific terms or numbers
3. Timestamp verification: Matching file upload times with screen recordings
4. Cross-platform validation: Using Teramind findings to guide searches in OneDrive, SharePoint, and Microsoft 365 logs
5. Evidence compilation: Building cases using multiple data sources without revealing Teramind’s involvement

“It makes it a lot easier to know what to look for to be able to get that information to then provide the actual evidence or details without having to say, ‘Hey look, we used Teramind showing their screen being recorded,'” the security lead explains.

While maintaining stealth mode, the company still uses Teramind’s alert capabilities for early warning:

• Job website searches (though they filter for legitimate employment verification activities)
• Resume uploads
• Specific keyword patterns in emails
• File transfer activities

These alerts help prioritize investigations without tipping off employees.

Support That Makes the Difference

The security lead reserves highest praise for Teramind’s support team, rating them “fantastic” across the board.

“Anytime I’ve ever had to reach out to support, they have been fantastic. Most I’d say eight or nine out of 10 times they’ve been able to answer the question really quickly,” they report.

Even complex issues receive rapid resolution: “There’s been one or two instances where they’re like ‘Let me look into this,’ and then as early as the next day they’re like ‘Hey, we went ahead and made this change to the account.'”

This responsive support proves critical when dealing with application conflicts, exclusion rules, or behavior notification configurations.

With 400 monitored employees, system performance remains a key concern. Teramind delivers on its promise of lightweight operation.

“The impact on the system resources of the machine has been very good,” the security lead confirms. This efficiency allows comprehensive monitoring without employee complaints about computer performance—crucial for maintaining stealth operations.

The Verdict: Perfect Scores Across the Board

When asked to rate Teramind, the response is unequivocal: “I would rate it five out of five or 10 out of 10. There’s nothing that’s really not worked.”

The security lead struggles to identify missing features: “I can’t really say there’s been something like, ‘Oh, if it had this then we would…'”

Would they recommend Teramind? “I would definitely recommend it.” The only barrier to more recommendations is the confidential nature of their deployment—they can’t exactly discuss their security tools with peers.

Key Takeaways for Security-Focused Deployments

This mortgage company’s experience offers valuable lessons for organizations prioritizing security over productivity monitoring:

1. Stealth mode preserves investigation integrity while building legally admissible evidence
2. Focused deployment on security features avoids productivity monitoring complications
3. Cross-platform investigation techniques maximize evidence gathering without revealing methods
4. Proving innocence matters as much as catching wrongdoing
5. Exceptional support makes complex security deployments successful

For companies in regulated industries dealing with sensitive financial data, this case study demonstrates how Teramind can serve as an invisible guardian—catching fraud, preventing data theft, and protecting both the organization and its honest employees.

“There hasn’t been one thing Teramind hasn’t been able to help out with.” – Security Lead, Mortgage Company

About Teramind

Founded in 2014, Teramind has become the global leader in behavioral solutions. Over 10,000 organizations in 125+ countries, across every industry, have turned to Teramind to protect and optimize their business with the Total Workforce Analytics for Insider Risk and Productivity. It helps monitor, analyze, and manage employee activity to prevent insider threats, safeguard sensitive information, and optimize team performance.

Teramind is an AWS Software partner with the ISV Accelerate program membership, our solution is Qualified through the Foundational Technical Review validation and can be purchased and deployed through the AWS Marketplace.

Teramind on AWS deploys to the customer’s AWS account and VPC, and utilizes Amazon EC2 virtual machines for compute of our management servers, Amazon S3 for screen recording storage, and Amazon RDS for the backend database functionality.