4th September 2015
Money laundering… mortgage fraud… now conveyancer hacking. Walker Morris’ Banking Litigation specialist explains the latest fraud risk of which lenders, borrowers, conveyancers and the general public should be aware.
Many of us are familiar with ‘phishing’. This is the means by which fraudsters acquire sensitive information, such as bank account details, by posing as a known or trustworthy entity in an electronic communication. We are alive to the risks to a certain extent, and we generally think twice before revealing sensitive or financial details online or in response to unexpected or unsolicited correspondence.
One of the latest pools in which fraudsters have decided to phish, however, is that of the e-mail accounts of real estate conveyancing solicitors. It seems that this has been a lucrative recent development for cybercriminals because a combination of ignorance of the risks; the general public’s rightful trust in solicitors’ firms and the conveyancing process; the tempting prospect of purchase monies; and a lack of sufficient data security has meant that, just in the last few months, significant property transaction funds have fallen prey to fraud [1].
In what are being described as some of the most worrying scams seen by the SRA, fraudsters are hacking into law firm e-mail accounts and intercepting e-mails between solicitors and their clients and between solicitors and their counterparts in conveyancing transactions.
Despite heightened awareness of, and action to combat, money laundering and ID fraud, it is nevertheless commonplace today for entire transactions to take place electronically. Increasingly, ID checks can be carried out via eVerification, which means that sensitive personal data is communicated electronically from the outset. Even where solicitors and clients meet face-to-face initially, the bulk of conveyancing transactions, whether residential or in a commercial real estate context, are conducted almost entirely over e-mail. Initial instructions and seller’s information packs contain personal and financial data for clients; and pre-exchange and pre-completion advice contain solicitors’ bank account details and payment instructions.
In one recent case which hit the headlines, hackers intercepted e-mails between a solicitor and client. Posing as the solicitor, the hacker then sent an e-mail telling the client that the firm’s usual client account was being audited, and so completion monies should be sent to an alternative account (that account being, of course, one of the fraudsters’ own). Very many people receiving such a message from the solicitor with whom they had conducted almost an entire transaction via e-mail would, at that point, simply transfer monies to the new account without question. The client in this particular case was more astute than most might be, and it asked the solicitor for confirmation of their unique client reference to try to ascertain whether the request was genuine. However, the hackers were several steps ahead. Because they had gained access to the solicitor’s whole e-mail account, they had all of the transaction communications to hand and so they sent a reply with the correct details. The client therefore transferred nearly £300,000 to the fraudsters directly.
In another case the hackers posed as the seller-client and sent pre-completion ‘instructions’ giving their own account as the destination to which the proceeds of sale – again, some £300,000 – should be sent. The solicitors duly acted as ‘instructed’ and the completion monies were sent to the criminals’ account.
Similar cases have occurred where hackers have monitored conveyancing transactions and then posed as the seller’s solicitor and substituted their own bank details for receipt of completion monies in place of the actual seller’s solicitor’s account.
When conveyancer hacking strikes, there are multiple victims. Clients lose money; transactions fall through; law firms can be on the hook if there is any valid criticism of their actions or their data security measures (or lack thereof) [2]; bank account providers can be in line to reimburse clients’ losses; professional indemnity insurers can be forced to pay out where their insureds are at fault; and police time and resource is put to chasing money that has disappeared and criminals that are faceless. Time and money can be lost and stress can be suffered, not only by virtue of the fraud itself, but also in any subsequent arguments as to where liability to compensate might lie.
So, what can be done to minimise the risks?
As professional and regulatory requirements for ascertaining the identity of clients have become increasingly rigorous, not least within the financial and legal sectors, so fraud techniques have become increasingly prevalent and sophisticated. With the rise of e-conveyancing and a decline in face-to-face dealings, this trend looks set to continue. Unless firms and institutions engaging in real estate transactions take urgent and adequate action, it seems that they and their professional indemnity insurance policies – not to mention their clients – are highly vulnerable.
If you would like any advice or assistance in relation to conveyancing fraud or any other matter, please do not hesitate to contact any member of Walker Morris’ Litigation and Dispute Resolution team.
____________________
[1] It has been documented in the press that several hundred thousand pounds in conveyancing funds have been subject to this type of fraud in recent months. Almost certainly there will be more, but it is likely that any professional indemnity insurance payouts to reimburse client-victims will be covered by confidentiality arrangements.
[2] The SRA’s view, in connection with this type of fraud, is that firms are responsible for safeguarding client funds and must replace any money that is improperly withheld or withdrawn from a client account.