Cybercrime and conveyancing

4th September 2015

Money laundering… mortgage fraud… now conveyancer hacking. Walker Morris’ Banking Litigation specialist explains the latest fraud risk of which lenders, borrowers, conveyancers and the general public should be aware.

Conveyancing solicitors: safe as houses?

Many of us are familiar with ‘phishing’. This is the means by which fraudsters acquire sensitive information, such as bank account details, by posing as a known or trustworthy entity in an electronic communication. We are alive to the risks to a certain extent, and we generally think twice before revealing sensitive or financial details online or in response to unexpected or unsolicited correspondence.

One of the latest pools in which fraudsters have decided to phish, however, is that of the e-mail accounts of real estate conveyancing solicitors. It seems that this has been a lucrative recent development for cybercriminals because a combination of ignorance of the risks; the general public’s rightful trust in solicitors’ firms and the conveyancing process; the tempting prospect of purchase monies; and a lack of sufficient data security has meant that, just in the last few months, significant property transaction funds have fallen prey to fraud [1].

Real risks: Real estate transaction scams

In what are being described as some of the most worrying scams seen by the SRA, fraudsters are hacking into law firm e-mail accounts and intercepting e-mails between solicitors and their clients and between solicitors and their counterparts in conveyancing transactions.

Despite heightened awareness of, and action to combat, money laundering and ID fraud, it is nevertheless commonplace today for entire transactions to take place electronically. Increasingly, ID checks can be carried out via eVerification, which means that sensitive personal data is communicated electronically from the outset. Even where solicitors and clients meet face-to-face initially, the bulk of conveyancing transactions, whether residential or in a commercial real estate context, are conducted almost entirely over e-mail. Initial instructions and seller’s information packs contain personal and financial data for clients; and pre-exchange and pre-completion advice contain solicitors’ bank account details and payment instructions.

In one recent case which hit the headlines, hackers intercepted e-mails between a solicitor and client. Posing as the solicitor, the hacker then sent an e-mail telling the client that the firm’s usual client account was being audited, and so completion monies should be sent to an alternative account (that account being, of course, one of the fraudsters’ own). Very many people receiving such a message from the solicitor with whom they had conducted almost an entire transaction via e-mail would, at that point, simply transfer monies to the new account without question. The client in this particular case was more astute than most might be, and it asked the solicitor for confirmation of their unique client reference to try to ascertain whether the request was genuine. However, the hackers were several steps ahead. Because they had gained access to the solicitor’s whole e-mail account, they had all of the transaction communications to hand and so they sent a reply with the correct details. The client therefore transferred nearly £300,000 to the fraudsters directly.

In another case the hackers posed as the seller-client and sent pre-completion ‘instructions’ giving their own account as the destination to which the proceeds of sale – again, some £300,000 – should be sent. The solicitors duly acted as ‘instructed’ and the completion monies were sent to the criminals’ account.

Similar cases have occurred where hackers have monitored conveyancing transactions and then posed as the seller’s solicitor and substituted their own bank details for receipt of completion monies in place of the actual seller’s solicitor’s account.

Liability lottery

When conveyancer hacking strikes, there are multiple victims. Clients lose money; transactions fall through; law firms can be on the hook if there is any valid criticism of their actions or their data security measures (or lack thereof) [2]; bank account providers can be in line to reimburse clients’ losses; professional indemnity insurers can be forced to pay out where their insureds are at fault; and police time and resource is put to chasing money that has disappeared and criminals that are faceless. Time and money can be lost and stress can be suffered, not only by virtue of the fraud itself, but also in any subsequent arguments as to where liability to compensate might lie.

Combating conveyancing cybercrime

So, what can be done to minimise the risks?

• Clients should be advised of the risks. It will always be in the clients’ interests to avoid fraud and if they are alive to the risks they can help. Furthermore, all bank account-holding clients will be subject to obligations not to write down or tell others their passwords or PINs and to the general obligation to take care of their account details. A failure to take care on the part of the client could ultimately jeopardise any subsequent compensation claim.
• Where possible, meet and speak, rather than always communicating by e-mail. This can be particularly valuable when it comes to undertaking initial ID/anti-money laundering checks and providing or exchanging sensitive personal or financial information, documents and bank account details. Be extremely cautious of giving any sensitive information electronically.
• Parties can be asked to provide, at the outset of a conveyancing transaction, copies of bank statements for the destination accounts into which completion monies will be paid. Dormant or otherwise unusual-looking accounts should be treated with caution.
• Lawyer Checker can be used to verify solicitors’ accounts.
• Buyers and sellers should specifically advise at the outset that they will not be changing their bank account during the transaction or prior to completion.
• Bank account details should be confirmed in person or on the telephone. This should include asking security questions to which only the genuine party or solicitor would know the answer.
• Any instructions that are given to change bank account or payment details should be treated with the utmost caution, investigated thoroughly and ideally confirmed in person.
• Where time allows, corresponding via letters and faxes might be more secure than using e-mail.
• Where electronic communication is essential, encrypted e-mails and password protected portals offer a much greater level of data security.
• All IT and communication devices should be properly protected with adequate security software, which is updated regularly.
• Legal and financial firms dealing in conveyancing transactions should have clear policies and procedures in place for dealing with the risk of fraud. All staff involved with any stage of the conveyancing process should be made aware of the risks and trained on the firm’s policies and safeguards.
• If you do find yourself a victim of this type of fraud you should immediately notify the police. They may be able to recover some of the stolen monies and potentially take action against the fraudsters.
• In addition, you should seek immediate specialist legal advice. Walker Morris’ Banking Litigation team has significant expertise in fraud claims and would, if necessary, be able to urgently initiate a freezing injunction to try to preserve stolen monies in the fraudsters’ bank account(s) and to pursue tracing claims and civil action to recover lost funds.

WM Comment

As professional and regulatory requirements for ascertaining the identity of clients have become increasingly rigorous, not least within the financial and legal sectors, so fraud techniques have become increasingly prevalent and sophisticated. With the rise of e-conveyancing and a decline in face-to-face dealings, this trend looks set to continue. Unless firms and institutions engaging in real estate transactions take urgent and adequate action, it seems that they and their professional indemnity insurance policies – not to mention their clients – are highly vulnerable.

If you would like any advice or assistance in relation to conveyancing fraud or any other matter, please do not hesitate to contact any member of Walker Morris’ Litigation and Dispute Resolution team.

____________________

[1] It has been documented in the press that several hundred thousand pounds in conveyancing funds have been subject to this type of fraud in recent months. Almost certainly there will be more, but it is likely that any professional indemnity insurance payouts to reimburse client-victims will be covered by confidentiality arrangements.

[2] The SRA’s view, in connection with this type of fraud, is that firms are responsible for safeguarding client funds and must replace any money that is improperly withheld or withdrawn from a client account.