Woman scammed out of £95,000 after her solicitor was hacked

Amid all the cyber crime statistics, it can be easy to overlook the everyday effects that scams have on people.

Attacks aren’t just a case of money being lost or organisations being disrupted; they are stories of people undergoing traumatic experiences and dealing with the consequences.

The Guardian’s scams section recently told the story of Sally Flood, who was defrauded out of £95,000 after cyber criminals hacked her solicitor’s email address.

What went wrong

In the run-up to Christmas 2018, Flood was in regular communication with her conveyancing solicitor via email and telephone as she prepared to purchase a property for her children using money that had been left to her in her father’s will.

So, it wasn’t much of a surprise when she received an email that appeared to be from her solicitor asking her to transfer £50,000 to another account.

Flood complied with the request and emailed the solicitor to confirm receipt of the payment. Confirmation quickly came and then, a few days later, she sent over the remaining funds.

It was only when her bank phoned her to say that Lloyds Bank – which the crooks used for their scam – had noticed a discrepancy in the payee name that Flood suspected something was amiss.

She contacted her solicitor, which confirmed that its system had been hacked and that the request for funds had come from a cyber criminal.

What happened next

Flood transferred more than £95,000 into the accounts controlled by the cyber criminals, who promptly withdrew £91,280. The remaining £4,470 was recovered by Lloyds and returned to Flood.

Lloyds commented that “regrettably, as no further funds remain in the receiving accounts, we are unable to recover any more of the money transferred by Ms Flood”.

She was therefore forced to take matters into her own hands, hiring a law firm that specialises in cyber crime. Her lawyers recovered more than half of the stolen money, but that still leaves her £35,000 out of pocket.

Who’s to blame?

Incidents like this demonstrate that scams are rarely caused by one guilty party.

It’s easy to point the finger at the solicitor, as it was its system that was hacked. However, in an era where cyber crime is rampant, it’s hard to accuse the organisation of negligence when it’s not clear how the attack initially occurred.

The most likely scenario is that an employee fell for a phishing scam and handed over their account details.

That’s not the only mistake that could have allowed this scam to happen. Flood acknowledges that she should have been more vigilant before transferring such large sums of money, but she also questioned the role of Lloyds.

“If [Lloyds Bank] can prove they have done everything right, I’d walk away, but I don’t think they have,” she said.

She referred specifically to the fact that two large transfers were quickly withdrawn – something she believed should have rung alarm bells at the bank.

“What I’d like from them is the rest of the money I’ve lost – I’m sure [Lloyds] wouldn’t miss it half as much as I’m missing it. I’m £35,000 down, and I’m sure that’s a drop in the ocean for them, but for me that’s a massive amount of money – it’s life-changing,” Flood said.

Indeed, for the errors made by all three parties, Flood is the only one bearing significant consequences.

This is a familiar story when it comes to cyber crime: people entrust their sensitive information to organisations, and when breaches happen, they are the ones most exposed.

The police are investigating the incident, but it’s unlikely that Flood will be recompensed the rest of the money that she lost.