Solicitor fined for failing to spot Friday afternoon cyber fraud
Friday afternoon fraud
A solicitor with decades of experience agreed to pay £26,000 in fines and costs after admitting being duped into transferring more than £290,000 to a hacker.
The solicitor was acting for a local company on a property sale; exchange took place, with completion scheduled for four weeks later.
Between exchange and completion, the email traffic between solicitor and client was intercepted in a targeted cybersecurity attack.
The day before completion, the solicitor received an email from a slightly different email address asking that the sale proceeds be transferred to a different bank account.
The solicitor, quite properly, responded that they would need telephone confirmation from the client of the changed instructions.
Instead, a further email was received, reconfirming the amended account details. The solicitor agreed to send the funds the following Monday.
The situation only came to light when the bank notified the solicitor nearly two weeks later that it had concerns about the recipient account.
The client had not complained or raised any other issues but confirmed that no funds had been received.
The Solicitors Disciplinary Tribunal (SDT) noted that, despite the bank raising suspicions, the solicitor only reported the loss to their insurers.
The solicitor said that as the client was “quite relaxed”, they did not report the matter to the Solicitors Regulation Authority (SRA) or the police for three months, by which time the funds had been replaced by insurers.
The SDT’s findings
Although the case included other allegations regarding the solicitor’s accounts systems, the SRA placed particular emphasis on the fact that there was a clear breach of the duty to protect client money and assets.
Given the client had not been pressing for payment, the SRA suggested the solicitor had plenty of time to get confirmation of the changed bank details by phone or in person.
The solicitor was an experienced conveyancer, and the last-minute change in instructions was a red flag they should not have missed.
It was neither necessary nor prudent to send the full funds to the new account on the next business day.
In approving an outcome agreed between the SRA and the solicitor, the SDT found that the solicitor should have known the circumstances were suspicious and worthy of proper investigation to prevent fraud.
The SDT found the failure to insist on additional verification measures particularly troubling “given the critical importance of such steps to counter fraud and attempted criminality”.
Although there was no question of dishonesty or lack of integrity on the solicitor’s part, guidance published by the SRA makes clear that there is an expectation that solicitors report such cases, even where fraudulently obtained or stolen money has been replaced.
The solicitor was fined £10,000 and ordered to pay costs of £16,000.
Preventing cyber fraud
All solicitors should be aware of the risk of ‘Friday-afternoon fraud’: targeted attacks on homebuyers and conveyancers when property conveyancing transactions are completed.
Email modification fraud is the most common type of cyberattack reported to the SRA, accounting for 68% of reports in 2020.
Having adequate safeguards to verify the identity of email senders and raising awareness amongst staff and clients are key defences against this type of cyberattack. This includes the following:
1. Train staff to spot signs of a potentially fraudulent email
Ask:
- are you expecting this email?
- does it change your instructions?
- why are bank details being provided in this way?
- is the email address correct (including the domain name)?
- are there hidden details in the email (embedded links, unknown or similar email addresses)?
2. Raise awareness with clients
Speak with clients about your processes and procedures:
- warn clients that you would never change your bank details by email
- educate clients about the risks of cyber fraud
- ensure your staff feel confident about querying and checking payment transfer requests even under pressure
3. Identify the contact
Ensure you:
- pick up the phone and avoid calling numbers in any email containing red flags
- take the time to be certain of client details — time pressure is often a factor in making mistakes
- get bank details at a face-to-face meeting or verify them by phone early on
- be clear that email changes will not be accepted without direct confirmation from a named contact
4. Know your reporting requirements
If a suspect transaction goes through, you need to consider your reporting obligations immediately. You will need to inform:
- your bank
- the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040
- your professional indemnity insurer
- the SRA on 0121 329 6827 or email fraud@sra.org.uk
5. Get advice from the Law Society
If you are a member of the Law Society, you will be able to access a range of resources that can help you to identify a way forward, including:
- cybersecurity guidance that explains the support available for solicitors and firms
- information on whether to purchase cyber insurance as a sensible precaution
- free and confidential support from a fellow solicitor through the Practice Advice Service
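The step 1 checklist (is the sender address correct, including the domain; are similar addresses hidden in the message; why are bank details arriving by email?) can be partly automated as a screening pass over incoming mail before anyone acts on a change of payment instructions. The example below is added here and is not the Law Society's or the SRA's code; the client address, the look-alike domain and the message text are constructed, and the homoglyph table and the 0.85 similarity threshold are assumptions.

```python
import re
import email, email.utils
from difflib import SequenceMatcher
# Substitutions commonly used to make a fake domain read like the real one (assumed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
BANK_WORDS = re.compile(r"\b(sort code|account number|iban|bank details|new account)\b", re.I)

# Constructed sample: the real client is client-example.co.uk; the fraudster
# writes from client-exarnple.co.uk ("rn" for "m") with an unrelated Reply-To.
TRUSTED_CLIENT = "accounts@client-example.co.uk"
SAMPLE_EMAIL = """\
From: Finance <accounts@client-exarnple.co.uk>
Reply-To: <accounts.client@example.net>

Please send the sale proceeds to our new account instead:
sort code 12-34-56, account number 12345678.
"""

# Fold look-alike substitutions so "exarnple" and "example" compare equal.
def normalise_domain(domain):
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

# True when candidate differs from trusted but could be mistaken for it.
def domain_lookalike(candidate, trusted):
    if candidate.lower() == trusted.lower():
        return False
    if normalise_domain(candidate) == normalise_domain(trusted):
        return True
    return SequenceMatcher(None, candidate.lower(), trusted.lower()).ratio() >= 0.85

# Return the step-1 red flags raised by a message claiming to come from the client.
def screen_email(raw_message, trusted_client_address):
    msg = email.message_from_string(raw_message)
    _, sender = email.utils.parseaddr(msg.get("From", ""))
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    trusted_domain = trusted_client_address.rsplit("@", 1)[-1]
    flags = []
    if sender.lower() != trusted_client_address.lower():
        if domain_lookalike(sender.rsplit("@", 1)[-1], trusted_domain):
            flags.append("sender domain is a look-alike of the client's domain")
        else:
            flags.append("sender address is not the client's known address")
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("Reply-To differs from From")
    if BANK_WORDS.search(msg.get_payload()):
        flags.append("bank details supplied by email")
    return flags
```

Any non-empty result is a prompt to pick up the phone to a number already on file, never a reason to reply to the message; an empty result only means this pass found nothing and does not replace that call.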
I want to know more
Cybercrime generates billions of pounds for criminals each year, and the numbers are increasing.
The Law Society partners with Mitigo to provide expert cybersecurity insights and protection for law firms. Explore its offer, including how members of the Law Society can also benefit from a 10% discount.
You can complete a short, confidential, and free assessment with Mitigo to identify how your firm may be vulnerable to a cyberattack.
Mitigo's service provides independent assurance, giving you confidence that you are complying with your legal and regulatory obligations, and keeping your firm and your clients safe.