67k lost in conveyancing cyber theft

Within the legal sector, conveyancing tends to be the area most frequently targeted by cybercrime.

The large sums of money involved coupled with the often remote nature of the transaction mean it is a common target for fraudsters, with more and more cases being highlighted in the media.

Whilst stealing an individual’s identity is one method scammers use to steal proceeds of sale, a more insidious technique being utilised is email interception. The scheme has now occurred so frequently that it has been featured in mainstream media, highlighting the potential risks consumers face. It tends to involve email correspondence between a client and a conveyancer: before funds are transferred, the fraudster intercepts the exchange. Posing as the legal firm, they will usually state that the bank account details have changed.

An individual who fell victim to this kind of conveyancing theft was Howard Mollett. The charity worker was in the process of purchasing his first home when a scammer hacked into emails between him and his conveyancing solicitor, resulting in his life savings of £67,000 being stolen.

Mollett stated that on the one-bedroom flat he was buying, he had already signed up to a mortgage and contracts had been exchanged. In order to ensure the purchase didn’t fall through, he’d had to borrow money from his father and sister.

He voiced his distress in regards to the loss of his father’s contribution: “My dad is 72, has had health issues for a number of years and was supposed to retire in December, but has had to postpone that now as his nest egg is gone. As a consequence, my parents may have to sell their home.”

The solicitors and Mollett both believe the other is at fault. In order to contact Mollett, the scammers used the email address of a staff member at the solicitors. This prompted him to state that the evidence points to the solicitors being hacked as opposed to him.

Middlesex-based Sethi Partnership Solicitors contested this, however. They uphold the notion that it was in fact “Mr Mollett’s own careless actions that led to his loss”. They deny that their IT systems had any flaws but also stated that banks “should take more responsibility”. In a recent response to this issue, the Payments Systems Regulator stated that although compensation from banks is unlikely to be an obligation, greater cooperation is needed.

The SRA stated that this type of fraud, involving homebuying cash, was commonly known as “Friday Afternoon Fraud”. As most completions occur on a Friday, scammers will tend to see this as an extended window of opportunity to commit fraud and avoid being detected.

When the fraudsters targeted Mollett, he was in the final stages of buying a flat in South London. He appointed the Sethi Partnership as his conveyancing solicitors following a recommendation from his mortgage adviser.

The offer on the flat was accepted in April 2016.

He transferred £45,000 from his Barclays account to the legitimate HSBC account of the solicitor on 29th September. Due to a warning from his bank regarding the clearance time of the funds, Mollett emailed the solicitors in order to establish the best way to transfer the remaining money so his completion date was not missed. The sum still to be transferred amounted to a total of £74,837 and covered stamp duty, various fees and the remaining deposit.

This was the stage where the scammers contacted Mollett. By using the email of a staff member at the solicitors, the scammer stated that the usual bank account of the firm was unable to receive CHAPS or BACS payments and told him to pay the money into a Yorkshire Bank account.

Unaware that the emails had been hijacked, Mollett transferred funds of £42,000 to the Yorkshire Bank account, followed by an email to confirm he had made the payment. The scammers sent a reply posing as the firm, stating that they had received his email.

He sent a further £25,000 into the Yorkshire Bank account on 1st October, with the scammers confirming receipt once more.

Another email was sent to Mollett the next day purporting to be from the firm. Actually authored by the fraudsters, it stated that the final funds should be transferred to a NatWest account, leading Mollett to send £7,837 to this account.

When he received an email from the Sethi Partnership stating that they had only received the first £45,000, Mollett realised something was wrong. Having spoken to all banks involved, only the £7,837 sent to NatWest was recoverable as the transfer was frozen. None of the £67,000 sent to Yorkshire Bank has been returned to him.

Following the scam, Mollett was put in touch with a specialist in cyber-security who offered him free guidance. Wishing to remain anonymous, the expert commented on the email chain and how the scammer was able to intercept correspondence:

“The analysis indicates that a fraudster gained access to [the named Sethi employee’s] email account, most likely via her webmail, where the fraudster modified and rerouted the emails from her account … The analysis showed that it was not Howard Mollett’s email that was hacked. Instead, he received valid, authentic emails coming from [the employee’s] email account, which were authored by the fraudster.”

In regards to compensation, a lawyer offered to help Mollett pro bono and wrote to the Sethi Partnership, stating a client’s confidentiality had been breached.

According to Mollett, the fact that the emails originated from an existing chain of correspondence meant he didn’t query their authenticity.

Around the time the crime was revealed, the firm placed a warning at the bottom of its emails indicating the particular risks posed by this kind of cyber-theft. It pointed out the “significant risk posed by cyber fraud, specifically affecting email accounts and bank account details. Please note that this firm’s bank account details will not change during the course of a transaction and we will not change our bank account details via email … We will not accept responsibility if you transfer money into an incorrect bank account.”  It is interesting to consider how events would have unfolded differently if this warning had been introduced sooner.

Mollett stated: “If only they had given such a warning of these risks before the crime happened.”

Commenting on this kind of crime, the SRA highlighted the need for firms to make clients conscious of risks and how to prevent similar situations from occurring:

“We also want to see firms making sure their clients are aware of the risks. For instance, we would recommend that people avoid sharing bank details over email, or transferring money before confirming the source of any request.”

Giving a statement, the Sethi Partnership denied fault on their part, highlighting the security of their own systems:

“Our view is that the situation arose largely due to the carelessness of Mr Mollett.

“..he regularly uses internet access from various unsecured locations, leaving his computer vulnerable to hacking … In comparison, our systems have a significant amount of security … Therefore we are confident at this stage that the security of our IT systems have not been breached, and vulnerabilities are with Mr Mollett’s own systems.”

As Mollett was an existing client with the firm, they stated he was aware that they only had one account and that was with HSBC.

“We never disclose our bank details in email communication … Clearly Mr Mollett should have been more vigilant and checked the details before making the transfer to an unknown account name.”

The banks involved have also given comment on the case but, although they express sympathy, are unable to provide a remedy to Mollett.

A spokesman from Yorkshire Bank stated: “We were very sorry to hear that Mr Mollett has been the victim of a fraud having received a number of fraudulent emails from criminals.”

He further commented on the measures the Bank are using to help prevent future crimes of this nature: “We work hard to ensure our customers are aware of the steps they can take to protect themselves. We are also collaborating with the Joint Fraud Taskforce which has been set up to tackle fraud in the UK. We enforce a range of fraud prevention measures during both account opening and throughout the relationship.”

Barclays wrote to Mollett as well as giving general comment on the matter. A spokesman told the Guardian: “This scam is a tragic case of criminal theft by a fraudster hacking and amending a solicitor’s emails, meaning Mr Mollett paid funds to the fraudster rather than the intended recipient, his solicitor. We have every sympathy with Mr Mollett and acted swiftly to try to recover funds at the time this was reported.”

This type of crime is becoming increasingly common and despite growing media attention, clients are still falling victim to conveyancing fraud of this nature. Due to the technological advances and increased knowledge of conducting scams, fraudsters are able to develop techniques which can be highly difficult to detect. Increasing client awareness in regards to possible risks is therefore more important than ever.

As well as protecting clients’ money and building a trustworthy relationship, raising awareness helps ensure the transaction proceeds smoothly and minimises risk exposure for both parties.
