Solicitor Conveyancing Scam - HELP! (life savings lost!?)


clarkey

1,366 posts

286 months

Friday 15th June 2018
I would also contact the ICO to see if the solicitor has reported the data breach correctly.

Dixy

2,958 posts

207 months

Friday 15th June 2018
I am sorry for your sister, hope it quickly gets resolved for her.
I always come back to the same point on all of these events, the organisation who should immediately refund the money should be the bank to which the funds were initially transferred. They have allowed an account to operate that is a party to fraud. On this occasion, was it a UK account?

Red Devil

13,100 posts

210 months

Friday 15th June 2018
OP, you may find these links of interest.
http://www.sra.org.uk/risk/resources/information-s...
http://www.sra.org.uk/solicitors/code-of-conduct/g...
http://www.sra.org.uk/risk/outlook/priority-risks/...

It is not clear to me what meaningful preventative steps, if any, the SRA is taking over this issue. Just sending out warnings is not good enough.
If a solicitor cannot demonstrate that they have effective safeguards in place there needs to be an immediate punitive sanction.

A slap on the wrist fine may not be sufficient incentive.
The prospect of being banned from handling client's money (for third party transactions) would surely concentrate their mind.

I wonder how many solicitors have actually got their s**t together re GDPR.

Durzel

12,329 posts

170 months

Friday 15th June 2018
Dixy said:
I am sorry for your sister, hope it quickly gets resolved for her.
I always come back to the same point on all of these events, the organisation who should immediately refund the money should be the bank to which the funds were initially transferred. They have allowed an account to operate that is a party to fraud. On this occasion, was it a UK account?
This assumes the account owner is in control of the account. I've seen CEO scams using bank accounts that have been compromised by the fraudsters in much the same way as the email systems have been. This is serious, relatively sophisticated crime - not your indiscriminate "plz to be logging into PayPal" phishing emails.

Durzel

12,329 posts

170 months

Friday 15th June 2018
Bear in mind it might not strictly be the solicitors' systems that have been hacked, it could be whoever provides their email services. It would be unusual nowadays I think for a solicitors to be operating their own mail server in their office, more likely is that they have some shonky local company providing hosted email.

The most likely scenario is that one of the employees of the solicitors either has a weak password, or has been phished, and has revealed their password to the fraudsters, who have been reading and/or intercepting their email for some time. They might even have a vulnerable webmail interface.

This is why ultimately this will be a bit of a slog to resolve because everyone will blame everyone else. I think only the bank (her bank) has plausible deniability, as they have simply acted on instructions given to them. They would not have known the recipient bank account was compromised or owned by the fraudsters.

Sadly there are many stories where people have purportedly failed to get money back, a cursory Google search reveals many such cases:
https://www.theguardian.com/money/2017/oct/21/coup...
https://www.theguardian.com/money/2017/jan/14/lost...
https://www.thetimes.co.uk/static/connected-famili...

One thing is certain, the money will have already been moved out of the recipient account so is to all intents and purposes "lost". I wouldn't dwell on the hope that it might still be available somewhere, because it won't be. These criminals are on the ball when it comes to this stuff.

Ninja59

3,691 posts

114 months

Friday 15th June 2018
All too common and having only recently completed this was high on my agenda.

Lucky my solicitors are on the ball at least it appears externally.

There is one slight nuance here though that they included a phone number in the email to check the details which is a slight change. Unfortunately most solicitors only say to call to check.

Critically the problem there is really you need to phone a number that is trusted and not from the email purporting to be from them which could say anything.

As an aside mine included a part account number and sort in one snail mail and then the other via a phone number! At least it appears more secure.

Dixy

2,958 posts

207 months

Friday 15th June 2018
Durzel said:
This assumes the account owner is in control of the account. I've seen CEO scams using bank accounts that have been compromised by the fraudsters in much the same way as the email systems have been. This is serious, relatively sophisticated crime - not your indiscriminate "plz to be logging into PayPal" phishing emails.
That is too clever for me, I still see it as the receiving bank's problem, either they did not ensure the operator was correct or that they did not their system being compromised.
The banks want us to BACS everything as it makes them a fortune and lets them close branches. Sort it out or pay up.

lyonspride

2,978 posts

157 months

Friday 15th June 2018
Durzel said:
The most likely scenario is that one of the employees of the solicitors either has a weak password, or has been phished, and has revealed their password to the fraudsters, who have been reading and/or intercepting their email for some time. They might even have a vulnerable webmail interface.
I hate it when they describe employee naivety as "being hacked".

All it does is create an irrational fear of these mysterious internet criminals and doesn't address the true cause of the problem (the one that sits between the chair and the keyboard).

If they'd actually look at the true root cause, they'd be able to train their staff better.

Instead they'll call in the IT support, who will make a killing selling them new stuff they don't need, and the same thing will happen again 6 months later.

plasticpig

12,932 posts

227 months

Friday 15th June 2018
Durzel said:
Bear in mind it might not strictly be the solicitors' systems that have been hacked, it could be whoever provides their email services. It would be unusual nowadays I think for a solicitors to be operating their own mail server in their office, more likely is that they have some shonky local company providing hosted email.

The most likely scenario is that one of the employees of the solicitors either has a weak password, or has been phished, and has revealed their password to the fraudsters, who have been reading and/or intercepting their email for some time. They might even have a vulnerable webmail interface.

This is why ultimately this will be a bit of a slog to resolve because everyone will blame everyone else. I think only the bank (her bank) has plausible deniability, as they have simply acted on instructions given to them. They would not have known the recipient bank account was compromised or owned by the fraudsters.
It doesn't matter if the hosting company is to blame or the solicitors. Under GDPR the data controller (solicitors) and the data processor (hosting company) are jointly liable.



Durzel

12,329 posts

170 months

Friday 15th June 2018
Ninja59 said:
All too common and having only recently completed this was high on my agenda.

Lucky my solicitors are on the ball at least it appears externally.

There is one slight nuance here though that they included a phone number in the email to check the details which is a slight change. Unfortunately most solicitors only say to call to check.

Critically the problem there is really you need to phone a number that is trusted and not from the email purporting to be from them which could say anything.

As an aside mine included a part account number and sort in one snail mail and then the other via a phone number! At least it appears more secure.
I agree, but the problem is there is next to no education about this stuff, and no drive at all from government or anyone else to get people educated.

As you've found out your solicitor is on the ball, but others won't be, particularly small ones. Likewise many (most?) people put far too much faith in emails and often don't realise how easily they can be spoofed. The entire architecture of email is woeful when it comes to application of standards. There is stuff that seeks to provide assurance of authenticity (e.g. SPF, DKIM, etc) but application and enforcement of these standards is patchy at best. And it wouldn't have helped in this situation either.

The problem with conveyancing scams in particular is that there is pressure on the recipient to respond quickly to requests for deposits and the like. If an email looks identical to ones they have previously received (signatures, etc) then I can see why people would fall for them. If it contains lots of personally identifiable information that you know (or think) only the authentic solicitor could have, then it gives credibility to it. That's how these things work.

TwigtheWonderkid

43,804 posts

152 months

Friday 15th June 2018
dave_s13 said:
All solicitors are required by the SRA to have indemnity insurance in place so if it came to it you will have somewhere to claim from (even if they suddenly went bust).

Monumentally stressful as it is you will get your money back eventually.
They are required to have Professional Indemnity. The insurance covers customers' losses following the negligence of the solicitor, if they receive bad advice or the solicitor makes an error on paperwork that costs the customer money.

I'm not at all sure it would cover a cyber attack, and even if it did, you'd need to show the solicitor had been negligent. I don't think it's as clear cut as you are making out.

mikeveal

4,616 posts

252 months

Friday 15th June 2018
This is a well known scam. We completed in December '17. Quite early in the process our conveyancing solicitor made us aware that this scam was common and gave us paperwork with the account details to be used for transfers. We were told ONLY to use those details, that they would not be changing. They explained that they never send account details by email. If we ever received an email with account details, we could be sure it was fraudulent and we should contact them immediately by telephone.

I would suggest that if your sister's conveyancing solicitor did not take a similar approach, they have been negligent.

Durzel

12,329 posts

170 months

Friday 15th June 2018
mikeveal said:
This is a well known scam. We completed in December '17. Quite early in the process our conveyancing solicitor made us aware that this scam was common and gave us paperwork with the account details to be used for transfers. We were told ONLY to use those details, that they would not be changing. They explained that they never send account details by email. If we ever received an email with account details, we could be sure it was fraudulent and we should contact them immediately by telephone.

I would suggest that if your sister's conveyancing solicitor did not take a similar approach, they have been negligent.
Proving negligence is harder than simply saying it though.

What standard is there that solicitors have to abide by that mandates they do this? It seems as if your solicitor was very switched on. Another solicitor might recommend a different strategy - e.g. phone calls only (which aren't necessarily safe either). Another solicitor might not do any of these things and simply suggest in general terms that the client needs to be "on the ball" (that certainly seems to be the case here). The way your particular solicitor did it is a scheme they've done off their own back, rather than it being legally required of them.

Proving negligence in the legal sense of the word in the absence of a required standard for communicating with clients might be difficult.

Sheepshanks

33,194 posts

121 months

Friday 15th June 2018
Dixy said:
I always come back to the same point on all of these events, the organisation who should immediately refund the money should be the bank to which the funds were initially transferred. They have allowed an account to operate that is a party to fraud. On this occasion, was it a UK account?
That's a can of worms as it would encourage people to pretend they'd been defrauded. There'd also be less incentive to take care.

In banking terms the OP's sister's loss (the balance of a deposit) probably isn't that great. The banking system has to work smoothly and efficiently - even in my little company we're regularly doing 5 and 6 figure transfers and it can be a right pain in the ass if they get held up.

mcflurry

9,104 posts

255 months

Friday 15th June 2018
Surely it has to be the conveyance company who were hacked?
What are the odds of a scammer sending an email to a random person, in the same format as a specific solicitor, at the same time you're buying a house?

TwigtheWonderkid

43,804 posts

152 months

Friday 15th June 2018
mcflurry said:
Surely it has to be the conveyance company who were hacked?
What are the odds of a scammer sending an email to a random person, in the same format as a specific solicitor, at the same time you're buying a house?
That's not in dispute. Of course they were hacked, OP said so in his first post?

mcflurry

9,104 posts

255 months

Friday 15th June 2018
TwigtheWonderkid said:
mcflurry said:
Surely it has to be the conveyance company who were hacked?
What are the odds of a scammer sending an email to a random person, in the same format as a specific solicitor, at the same time you're buying a house?
That's not in dispute. Of course they were hacked, OP said so in his first post?
Then shouldn't it be their responsibility to put the OP's sister back in the situation she would have been in, had the scam not occurred?

g3org3y

Original Poster:

20,749 posts

193 months

Friday 15th June 2018
Thank you to all those who have been kind enough to contribute, it is appreciated.

I've been trying to liaise with my sister for updates through the day, plus feedback the good advice in this thread (difficult to do between patients!)

Update:

- Bank have frozen the account but can't comment on the state of play re contents.
- The partner from the law firm has spoken to my sister. He states he got their 'IT Team' to check their systems and reportedly no breach from their end (but they would say that rolleyes).

Of course, this is the major sticking point.

There is information in the scam email that was never discussed previously on any email trail. This suggests that it was not her account that was hacked. The information used to compose the scam email must have been obtained through the solicitor. Reportedly when she mentioned this to him, he went rather quiet.

A point of note: when she got the scam email, my sister actually called the solicitor to ask about it and this reported change of accounts.

As I mentioned the law firm has recently gone through a merger. When asked about the account change, the solicitor she'd been dealing with made noises to the effect of "oh yeah, maybe the accounts have been changed with the merger"! (FFS! furious). Unfortunately I don't think calls are recorded.

It is interesting that my sister had been dealing with this law firm for months. 3 weeks ago with the merger the solicitor's emails (company wide) were changed to reflect this with '@ the new company name'. I wouldn't be surprised if this was the window of opportunity for the hack.

She is going to get in touch with the ICO re the data breach.


Next step:
- I've asked my sister to document all events from last week, every email and every conversation while it's fresh in her mind.

- It seems essential to identify the origin of the 'leak'. This suggests employing some kind of forensic cyber security specialist. Is this something that Action Fraud do as a matter of course or something we will need to do independently? Can the law firm refuse to comply with this request?

- Legal advice? How best to go about this?

I have no doubt in my mind the law firm will do their best to wriggle out of this. I am happy to lawyer up and fight this.

Ninja59

3,691 posts

114 months

Friday 15th June 2018
In the majority of these cases emails are intercepted on both sides by the person doing the fraud. It would therefore make it possible to know information that previously had not arisen.

I agree with the posts that quoted mine and others on here this is all too easy. Email is a terribly over reliant form of communication that is not in essence "secure".

I think the other issue here which makes this particular form of fraud difficult/different is that it can cross different sections of legal discussions, and can be easily altered/modified to respond to any changes that are introduced to reduce it. But I agree with others you sort of had to know about this scam as it has not reached really much of the outside world beyond people that are more "aware".

For example:

Originally most of these spoof emails relied solely on email; there was no "phone this number" etc. to confirm it (which is an interesting development in response to many solicitors saying call us).

joefraser

725 posts

113 months

Friday 15th June 2018
I hope your sister manages to get her money back, this scam is all too common unfortunately.

A lot of my friends are at house buying age so I've been telling everyone I can about this type of scam.