Identity fraud is on the rise and conveyancing firms are increasingly preferred targets of online hackers and con-artists. It is not just small, high-street firms that are vulnerable. City firm Mishcon de Reya was found liable for breach of trust after its client was duped into buying a London property from a tenant posing as the owner, and the High Court ordered the firm to pay more than £1 million to the victim. However, a claim for negligence against the firm failed.
According to the Law Society Gazette, the case has sparked widespread confusion over the scope of a lawyer’s due diligence role in property sale and purchase transactions and the extent of a firm’s liability in the case of identity fraud.
The decision has been stayed pending an appeal, and the outcome is being nervously awaited by the legal profession and insurers alike.
There have been multiple cases of hackers intercepting emails and money transactions between conveyancing solicitors and their clients over the last few years. In January 2017, the Guardian reported that a charity worker, Howard Mollett, who was in the process of buying his first home, had £67,000 stolen. Fraudsters contacted Mr Mollett after he emailed his solicitors asking what was the best way to transfer over £74,000 in order to meet the completion date deadline.
According to the Guardian, it was at this point that the fraudsters “contacted him, using the email address of the member of staff at the solicitors whom he had been dealing with all through the process – though Mollett was unaware the emails had been hijacked. This email stated that the firm’s usual bank account could not receive Chaps or Bacs payments, and advised him to pay the money into its Yorkshire Bank account.”
What is concerning for all involved in this case is that, according to a cyber-security specialist engaged by Mr Mollett, the hackers gained access to the email of an employee of the law firm, most likely through webmail. As Mr Mollett told the Guardian, “This is not someone claiming to be the cousin of the President of Nigeria asking me to wire money to them. And this is not an email address similar to, but one letter different from, my solicitor – it is her email address.”
The SRA’s response to the risk of conveyancing fraud
In December 2016, the SRA stated that people can lose their life savings if a firm’s computer servers are hacked during a transfer, adding: “[We also] want to see firms making sure their clients are aware of the risks. For instance, we would recommend that people avoid sharing bank details over email, or transferring money before confirming the source of any request.”
The Law Society has stated it may intervene in the Mishcon de Reya appeal, as solicitors are complaining that they are ‘baffled’ by the current liability rules and conveyancing fraud is a growing problem.
How conveyancing solicitors can protect themselves and their clients from cyber-attacks
According to the Government Communications Headquarters, up to 80% of cyber-attacks may be prevented if law firms take the following steps to protect themselves and their clients:
- use secure direct logins and online collaboration tools in place of data sticks and email attachments
- keep anti-virus software up-to-date
- only give staff access to the files they need
It is also imperative to educate your clients and develop a relationship with them, so they will be tipped off if they receive any peculiar communication from your firm. Clients should be contacted directly by phone to alert them that monies are being transferred into their account and confirm their bank account details. It is good practice to keep secure records of clients’ email addresses, signatures and bank account details, to allow for quick reference verification.
With conveyancing firms being squeezed ever tighter in terms of longer working hours and completing more transfers to reach turnover targets, it is easy to let practices and procedures slip in favour of getting the job done quickly. As cyber-crimes rise, more firms will find themselves liable, not only to clients, but to their insurers if they cannot provide detailed evidence that they have adequate risk assessments in place to protect everyone involved in a conveyancing transaction.
Unfortunately, fraudsters and hackers are only going to become increasingly sophisticated. To avoid large increases in insurance premiums and SRA fines, solicitors are going to have to be smarter and more diligent than ever when it comes to cyber-security going forward.