Mark Carver looks at how cyber criminals target conveyancing transactions and suggests practical steps that law firms can take to mitigate the risks.
The very nature of a conveyancing transaction puts solicitor firms at risk of being the target of organised crime.
In addition to the professional legal services provided by solicitors in any conveyancing transaction, a key role of the conveyancer is to ensure the money for the property transaction is passed from the buyer’s to the seller’s bank account on the date of completion, via the office client account.
While this process has been in operation for many years, organised criminals are now more frequently targeting email communications between conveyancers and their clients. This sophisticated and illicit industry which has led to millions of pounds of income for criminal organisations has grown to a rate of at least two successful conveyancing frauds per month in England and Wales, according to the latest figures. The extent of the problem is acknowledged by the Solicitors Regulation Authority (SRA), who has advised that five law firms a week report attempts to hack into their email systems.*
How does the scam work?
The scam preys upon the use of email as the desired form of communication between solicitor, client and estate agent; the use of unsecured networks, such as cafes, the banking process and, finally, a lack of awareness on the part of the conveyancer.
Fraudsters use malware to enable them to gain access to computer systems (including estate agents, solicitors, vendors and sellers). This then enables them to monitor email communications between conveyancer and client. At the point of completion, the fraudsters intercept an email from the seller or even fraudulently send an email purporting to be the seller, simply informing the parties that the bank account details have changed and requesting the completion monies be paid into an alternative account.
If the conveyancer does not then verify that these details are correct, inevitably the money will then be transferred into the new ‘false’ bank account and by the time the fraud is discovered, often just a couple of hours later, the fraudsters have already electronically transferred the money to unreachable bank accounts across the world.
Responsibility of the solicitor
For the solicitor, unfortunately there is no escaping liability (even though many would argue that the bank should have checked the details). However, the same can be said with regard to the conveyancer and, in effect, the bank is acting on the solicitor’s instructions. Furthermore, Principle 10 of the SRA Principles 2011, requires firms to protect client money and assets.
Insurance and risk management
In such cases, the solicitor’s professional indemnity policy will respond to such claims, on the basis that the solicitor has been negligent and incorrectly transferred monies to a false account. Given that conveyancing already contributes to just under 70% of claims payments** before taking the impact of such scams into account, the consequence for insurers is that inevitably that figure will increase in 2016, making conveyancing even higher risk.
From a risk management perspective, awareness is key. At the very least, we would encourage all readers to share this article with conveyancers and ensure that any change of bank account details raises a ‘red flag’.
To prevent your firm from being a victim of such fraud, the solution seems simple and firms should consider implementing all, or some of the following:
- A control whereby you will not accept any change of instruction in respect of bank account details electronically
- If bank account details change, then the original bank statements for the new account should be checked and retained on file
- Seek the client’s written approval to verify with the bank that the new bank account details are correct
- If bank account details are changed, seek a second internal sign-off
- Finally, it is worth remembering that such scams may not be restricted to the internet. Equally, letters and faxes can be intercepted, so the message is that conveyancers really should ensure that any change is verified with the original documentation.