What Should You Check Before Using a Mortgage Servicer's Online Portal?
A letter arrives saying the mortgage has been transferred to a new company, along with a new website address for making payments — and that combination of “new” and “urgent” is exactly the setup a scammer would also use.
The short answer
Before logging into any mortgage servicer’s website, it helps to independently verify that the company is real and that the account has actually moved there, rather than clicking a link in an email or letter. Once verified, the portal itself should be protected the same way any financial account is: a unique password and, where available, an extra login step beyond a password alone. Skipping these checks is what makes servicing-transfer scams work.
Confirming the portal is legitimate
Servicing transfers are a routine and legal part of how mortgages are handled — the company that receives payments after a loan closes is not always the company that keeps servicing it, and who services a mortgage after closing can change more than once over the life of the loan. That routineness is also what scammers exploit, since a fake transfer notice looks almost identical to a real one. A safer approach is to independently look up the new servicer’s contact information rather than using anything printed on the notice itself, and call to confirm the transfer before creating an account or logging in anywhere.
Setting up the account itself
- Use a unique password. Reusing a password from another site means a breach anywhere else could expose the mortgage account too.
- Turn on multi-factor login if it’s offered. A second step, like a one-time code sent to a phone, keeps a stolen password from being enough on its own.
- Check the web address carefully. Small misspellings or extra words in a domain name are a common sign of an imitation site built to capture login details.
- Avoid logging in from public networks. Shared or unsecured networks make it easier for someone else to intercept what’s typed.
What the portal is actually for
Once access is confirmed, a servicer’s portal typically lets a homeowner view the current balance, see how payments are being split between principal, interest, and the escrow portion of the payment, and download statements. It’s worth treating that data the way any other financial record is treated — checking it periodically rather than only when something seems off, similar to how someone might reconcile a bank statement against their own records. Catching a data error or an unauthorized change early is much easier than untangling it months later.
Red flags worth pausing on
A message that creates urgency — threatening an immediate fee, a missed payment, or account suspension unless action is taken right away — deserves extra scrutiny regardless of how official it looks. Legitimate servicers generally don’t ask for a password or full account number over email or text. Any request like that is worth verifying through a phone number looked up independently, not one provided in the suspicious message itself.
The takeaway
A mortgage servicer’s portal holds sensitive financial information, and the habits that protect it are the same ones that protect any other financial account: verify before you trust, use strong and unique login credentials, and treat urgency as a reason to slow down rather than speed up.