Don’t email your solicitor if your selling property !
People buying or selling properties should avoid communicating with their solicitors and conveyancers by email, experts warn, as the wave of “Friday afternoon fraud” – where criminals hack into email accounts and divert large payments – continues unabated. The latest victims include Andrew Doyle and Susan Paul, pictured, who have lost more than £200,000 and their future home through a fraud committed over the Easter weekend.
The ruse is dubbed “Friday afternoon fraud” because criminals typically target transactions being processed ahead of the weekend or bank holidays. This limits the chance of detection.
Telegraph Money disclosed the first cases of this fraud 12 months ago in May 2015.
Since then, the legal community has done little to protect homebuyers and sellers. Fresh cases continue to emerge, with this newspaper being aware of at least three six-figure losses arising since February.
The fraudsters typically gain access to the email accounts of either the victim or their solicitor. When legitimate emails are sent between these parties giving details of bank accounts into which money should be transferred, the fraudsters alter the details so the money is sent to their own accounts.
Leading experts in the fields of cyber-security now suggest the public should avoid email when giving or receiving payment instructions to solicitors.
Tony Neate, chief executive of Government-backed anti-fraud agency Get Safe Online, told Telegraph Money that when a family member recently purchased a property he insisted the payment instructions were made by telephone.
He said: “You don’t hear of fraud occurring because someone has overheard a phone conversation.”
Action Fraud, which works alongside the fraud squad, has also said people seeking to move large sums should check bank details by phone.
The organisation’s deputy head, Steve Proffitt, told Telegraph Money: “If you receive an email which tells you that a person or company’s bank details have changed, you must phone to verify it.”
“Preferably talk to the solicitor whose voice you recognise.”
Cyber-security at many legal firms is believed to be poor. Firms prefer email because it is quick and cheap, and regulators do not require emails to be encrypted.
John Marsden, identity and fraud expert at credit reference agency Equifax, said: “Your high street solicitor will be far less protected than your bank. Not only are their systems more insecure but they are less likely to send encrypted communications. Your details are not safe.”
Mr Doyle, 52, sold his home in Staffordshire in October 2015 after relocating to a new job as an aircraft engineer in Wiltshire.
By January this year he and his partner Susan Paul had found a home they wished to buy.
Mr Doyle and Ms Paul were asked to pay the last £204,390 to their conveyancer, Total Conveyancing Services, based in Chester, on Thursday March 24.
TCS told Mr Doyle he could not make the payment by phone because the sum was too large. Instead, TCS said it would email the bank account number and sort code.
But the email did not arrive. Only after a further phone call did it finally appear in the inbox. Apparently sent from a legitimate TCS addess, the email contained a PDF file in which the bank account number and sort code were detailed. It was not encrypted.
Mr Doyle instructed his bank to pay the money into this account.
The couple then enjoyed their Easter weekend, little knowing their money had been stolen and their lives were about to be derailed.
The truth emerged only the following Wednesday when TCS confirmed it did not have the money, and it became clear that the payment had been made to unrelated account operated by fraudsters.
The whereabouts of the money remain unknown and an investigation is ongoing. Mr Doyle’s bank, Lloyds, told Telegraph Money it was co-operating with the authorities.
According to a generic warning about the fraud, published by TCS on its own website, “usually none of the money is ever recovered” in such cases.
Picking back over events, it is likely a fraudster hacked into Mr Doyle’s email accounts and deleted the first, genuine email from TCS before he could read it.
The fraudster then replicated the email with different bank details and re-sent it from a “spoof” address, which mimicked the real TCS sender.
Mr Doyle said: “We are absolutely devastated. We’ve no money and no house.”
Ms Paul added: “I know that if it was me, I would put the house on the market again, as there is no guarantee we are going to see any of our money again.”
TCS denies any responsibility for the couple’s loss.
A spokesman insisted its systems had not been compromised.
TCS said that ordinarily it sends bank details by post. In this case, it said, Mr Doyle requested the details as soon as possible which is why it used email.
The week after the fraud was committed TCS added a disclaimer to its email communication including the words: “TCS will not accept responsibility if you transfer money into an incorrect account”.
How does conveyancing fraud work?
According to Action Fraud, cyber criminals can access home internet fairly easily if consumers do not change their password from its default setting.
Once the fraudsters hack into your wi-fi network, they can view all of your online activity and can easily see when you are sending emails containing payment instructions.
An Action Fraud spokesman said in some case, the criminals may install malware – a type of intrusive software. This will alert them to when their victims are discussing payment information and gives them a window to strike.
When malware is not installed, the scammers can simply browse your emails or search for key words.
Action Fraud said this type of fraud has been on the rise since last summer, peaking in December. Between November and January, 35 reports have been made resulting in a combined loss of £2,665,819.
How to protect yourself
At the very least, consumers must make sure they have a strong password and secure internet connection. However, there is no telling if you have been hacked so where possible, use alternative communication when dealing with transactions.
This could be by phone with a solicitor or conveyancer you know and trust. Do not make payments over the phone before verifying that the person on the other end is who they say they are. Better still, go into the office or branch and make the payment there.
If you have to receive bank details by email, Mr Marsden recommends phoning the company to check the information is correct.
He said: “Any point of risk should be recognised by the consumer and in these cases, the money involved should be seen as a huge risk.”
Finally, Mr Neate suggest whenever you need to make a large transaction, transfer a small amount first.
He said: “Send an initial payment of £1 to make sure the bank account is legitimate.
“Once you have checked the other party has received the transaction, you can transfer the rest of the balance.”