This guest article, written by Susan Hopcraft, was originally published on www.wrighthassall.co.uk. The author’s views are entirely her own and may not reflect the views of IT Governance.
BBC Panorama reported on how easy it is to hack into computers and websites. Ostensibly about the TalkTalk hacking, the programme also reported on the alarming case of someone whose email account was hacked to divert a significant sum of money that was supposed to be used to buy a house. We all want the convenience of email, but in a climate where cyber crime is increasing (and, it seems, easy) everyone needs to be guarded in the way they use it for high-value financial transactions.
Other similar conveyancing frauds, where email accounts have been hacked and huge sums of money stolen, have been reported since early 2015 and they seem to be increasing.
Hacking fraud in property transactions
This is how it works, taking just two of the examples reported recently in the national press. The first example was a property sale, the second a property purchase, but in both cases the fraudsters intercepted the emails between a solicitor and client.
In the first case the solicitor had asked, by email, where the client wanted the sale proceeds to go. The client replied with the bank account number and sort code. It seems that this email was hacked, probably through a phishing scam, Trojan or because the client used the same credentials on another service that had been hacked. A quick search through their emails would have brought the opportunity to the criminals’ attention. Using the email address from the client, they posed as the client and sent an email to the solicitors asking for the sale proceeds to be sent to a different account number. When the sale completed, the solicitors sent the £330,000 to the fraudsters’ bank account.
In the second case £299,000 was stolen. The money was intended to be used to buy a property. The solicitors acting on the purchase gave their clients their account details, confirmed in an email. Shortly before the sale, someone posed as the buyers’ solicitor and emailed the client – from what looked like the same email account – notifying them of a change in the bank account details. The fake email was supported by the unique client number that the solicitors had allocated, which lent credence to the forged email (but that was information gleaned from the hacked email account, too). Confident in the reliability of the fake email, the buyers duly sent the purchase monies to that account, which was of course the one set up by the fraudsters.
What to do if you are a victim
To recover the funds, the first action is immediately to notify the bank to freeze the rogue account. In many cases this is effective to recover some of the cash. However, these types of fraud often take place on Fridays, allowing extra time for the monies to be diverted onwards over the weekend before the receiving party notices the monies have not arrived in the correct bank account as expected. A freezing injunction is possible by application to court, but most banks ought to react swiftly so that a police restraint order or freezing injunction is not needed.
Once an email account is hacked and monies diverted, reassuring (but still fake) emails can be sent by the fraudsters to keep the scammed parties off the trail until all monies have been siphoned away. The moment any suspicious activity is noted, do not rely on your email a moment longer. Speak to the solicitor and/or bank in person urgently.
Who is to blame?
To make the crime work, fraudsters must open bank accounts in false names. The identity checks that are carried out by banks are therefore absolutely crucial. They are not always fool-proof but questions must be asked about what the bank did to verify the account holder on opening the rogue account.
If monies are transferred using account numbers and sort codes alone, then the mismatch between an account holder’s name and the client sending or receiving the money would not be known either by the bank or the solicitor: perhaps a return to using account holders’ names ought to be considered to make the fraudsters’ task harder.
Is the solicitor at fault?
Where monies are being sent from the solicitor, it is likely that a careful and aware solicitor should have noticed some signs of the fraud before it happened. If a solicitor pays client monies to a third party, against instructions and in circumstances where they ought to have known better, then they are liable to repay the funds. Examples of the things that should prompt a solicitor to stop the transaction might be odd email addresses, strange (i.e. forged) email exchanges with their client, late notification of a change to the payee bank account or possibly other documents that do not appear to be genuine. Any combination of these ‘warning flags’ should trigger suspicion in a prudent solicitor. If a solicitor carries on and transfers money against that backdrop, and the cash goes to a fraudster, then there is likely to be a claim against them.
The distress caused when life savings go missing must be intolerable. In the cases reported, the people involved were left with an agonising wait whilst the banks tried to recover the stolen funds. Not all of the monies were captured before they disappeared in cash withdrawals or by transfer overseas, but our experience in dealing with conveyancing and fraud claims over many years is that there is likely to be some recovery due from the solicitors involved if they paid monies out. Solicitors have a clear duty to protect client funds and they should have insurance to cover losses in these situations.