Insight: The Impact of Email Modification Fraud

This blog will demonstrate the impact email modification fraud can have on a law firm or their clients.

You may have seen in the news recently the story of Mr Dudeja and his wife, and how fraudsters made off with thousands of pounds of his hard-earned cash. If not, we've summarised it below.

Thousands of pounds have been stolen from a client in a scam that involved hacking a law firm’s email system, and no refunds are being given.

In March, Nikhil Dudeja and his wife Richa were about to buy their dream home with a £45,000 deposit that they had been saving for. Whilst on holiday, Nikhil received an email from his solicitor asking for the money to be paid, which he then sent through his Lloyds banking app. However, this email was actually from a fraudster who had hacked into the solicitor’s email system, telling Nikhil where to send the money. The £45,000 deposit then went to a fraudulent HSBC business account in North London.

Lloyds have refused to refund the couple, as they say he didn’t take sufficient care when making the transfer. HSBC have also denied any liability. But Nikhil says that HSBC should have spotted that the account was fraudulent, as it was opened online with company details that the police said do not exist.

The estate agent dealing with the purchase has admitted they were hacked, yet Nikhil says that the companies involved are refusing to help him. Conveyancing scams like this one appear to be on the rise, as scammers’ techniques are becoming more sophisticated. A lack of cyber security could be a key reason as to why many firms are falling victim to these cyber attacks.

The couple are just the latest people to fall victim to a conveyancing attack. In April, Nicola McConnell, a retired educational psychologist, was scammed out of £613,000 after selling her five-bedroom home in London for £1.9m. In this case, the fraudsters deceived Woodford Solicitors by using a phoney email to trick them into sending the proceeds of the client’s house sale to the fraudsters’ bank account. It seems that these attacks are on the rise.

Nikhil has said:

“This whole experience has been devastating. The email I received came from the exact same address as used by our solicitor. The bank details were provided on a solicitor’s company letterhead along with the signature of the solicitor dealing with our case. I was expecting to make the payment and just did so. It was the perfect scam.”

This is unfortunately an all too familiar case. It’s devastating for the client and everyone involved. The case highlights two key areas that law firms need to make sure that they address in order to protect their clients and themselves from email modification fraud.

The simpler of the two issues to make progress on is implementing the DMARC protocol so that a criminal cannot impersonate the firm’s email address. On this occasion, the criminal sent an email purporting to be from the lawyer, using their exact email address. Too many firms are leaving themselves exposed to criminals exploiting this gap. Criminals can publicly see whether a firm has this layer of protection in place.
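Because a DMARC policy is a public DNS TXT record at `_dmarc.<domain>`, a firm can run the same check on its own domain. The following is an added example, not code from the original post: the function names and the sample records (for placeholder `.example` domains) are constructed for illustration.

```python
# Added example: audit the DMARC TXT record published at _dmarc.<domain>.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC record into ordered tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return a list of findings; an empty list means an enforcing policy."""
    if not record:
        return ["no DMARC record: receivers have no policy for spoofed mail"]
    tags = parse_dmarc(record)
    # The version tag must be the first tag, otherwise receivers ignore the record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return ["record does not begin with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: receivers are asked to take no action")
    sp = tags.get("sp")
    if sp and sp.lower() not in ENFORCING:
        findings.append(f"sp={sp}: subdomains are not protected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: the firm receives no aggregate reports")
    return findings

# Constructed sample records for placeholder domains (not real firms).
SAMPLES = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        findings = audit_dmarc(record)
        print(domain, "->", findings or "enforcing policy in place")
```

To audit a real domain, pass in the TXT value returned by `dig +short TXT _dmarc.<your-domain>` with the surrounding quotes removed.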

The second issue that needs addressing is how we as a sector educate clients on what the process is when it comes to paying deposit funds. It is simply not enough to use headers and footers in emails to convey this message. This should be included in client letters and be addressed on initial client care calls. I strongly believe educating clients is a huge part of protecting yourselves from this threat. This education needs to be embedded into firms’ cultures.