Law Firm Loses £600K In Conveyancing Scam
Fraudsters deceived Woodfords Solicitors by using a phony email to trick them into sending more than £600,000 from the proceeds of a client’s house sale to their bank account.
Fraudsters deceived Woodfords Solicitors by using a phony email to trick them into sending more than £600,000 from the proceeds of a client’s house sale to their bank account.
Nicola McConnell, 70, who is a retired educational psychologist was scammed out of £613,000 after selling her five-bedroom in Fulham, London, for £1.9 million.
The fraudsters had set up an email account which was only different by one letter to Mrs McConnell’s email address in order to request the money from her solicitors.
In reaction to her solicitors being defrauded and the thought that she may never see her money again, Mrs McConnell was “traumatised to the point of being suicidal.”
She further added: “My sleep, memory, and confidence have been hugely damaged. What to some is a victimless crime, since it was against a company and apparently covered partially by insurance, is to me highly personal.”
Giuseppe Olivia, 41, who stole the money by pretending to be the client was apprehended by the police, but by the time they had caught him, most of the money had been dispersed into many other accounts – with only £150,000 being recovered and the rest being reimbursed by the duped solicitors.
Based in Milton Keynes, Olivia, was found guilty last month of converting criminal property and sentenced to five years in prison and banned from being a company director for eight years.
Mrs McConnell and her husband Brian, 74, never bothered using online banking and always kept all their personal information off the internet. To be cautious, she even went so far as posting a handwritten note to her solicitors enclosing instructions of where to send the proceeds of sale so her bank details were not online.
However, on the morning that contracts were exchanged in February 2017, a badly written email was sent to Woodfords Solicitors from a bogus email address saying: “After Due consideration, I want Half of the proceeds paid into my account you have on file and the other half directly into my fixed savings account details below… Please reply me now so I know you have received this instruction.”
Enclosed in the email was details of a metro bank account and Mrs McConnell’s name which was misspelt.
After receiving the email, Woodfords Solicitors phoned their client to confirm what was contained in the email was genuine and her instructions. At the time of the call, Mrs McConnell was busy packing her belongings and could not remember her sort code and account details but did have a Metro bank account. Woodfords Solicitors continued to go ahead and transfer £613,051.74 to the account.
The money was traced by the police to a business owned by Olivia called Eco Voice, but unfortunately, just over £533,000 had been transferred to numerous accounts by Olivia and a few overseas businesses.
Alarm bells rang at Metro Bank as they attempted to stop the account and quizzed Olivia to verify he was the correct recipient for the money. A fake invoice, which had no VAT address, was presented to the bank by Olivia, which claimed that more than £600,000 of computer equipment had been ordered by Woodfords Solicitors.
When finding Olivia guilty, the prosecution said the paperwork was a dishonest creation “put forward to support a lie.” He knew “full well” that Mrs McConnell’s money was “criminal property, her money gained by fraud”
A spokesperson at Metro Bank said: “We continue to work closely with the wider industry and law enforcement agencies to protect customers from these crimes.”
This case highlights that even the most cautious people may be vulnerable to risk and shows the importance of firms to fully verify emails purportedly from their clients and to implement robust measures to mitigate email fraud.
Tom Lyes, Key Relationship Manager from Lawyer Checker comments on the conveyancing scam case. He said:
“This case is a prime example as to why cyber criminals will continue to target conveyancing. This was not a sophisticated fraud, it was a fraud that succeeded because the firm failed to have robust enough processes and an individual made a huge mistake.
“Using Lawyer Checker’s Consumer Bank Account Checker would have protected the firm and showed them that the account they were sending to did not in fact belong to the client in question creating a major red flag.
“Most worryingly though, the criminal now imprisoned does not seem to be the person at the top of the tree in terms of the criminal hierarchy. This backs up The Financial Conduct Authority who believe there are at least 1400 organised criminal gangs attempting to steal mortgage funds at any given time. This is not a man in his bedroom stealing money, this is clearly organised crime of a very serious nature.
Last month, during a presentation about cyber crime at the LegalEx Conference, the Solicitors Regulation Authority highlighted that the vast majority of cyber attacks reported to them involve email compromise – and everybody is now 20 times more likely to be a victim of cyber crime than a victim of in-person crime.
Guidance to law firms from the NCSC suggests that there is no single solution to email security and that firms should take a multi-layer approach to protecting emails. If one layer of defence is breached, there are additional layers of security that still offer protection.
These layers include implementation of the DMARC protocol on your domain. This stops a cyber criminal from using your own domain to send a perfectly legitimate looking email to one of your staff pretending to be a senior member of the firm.
Additionally, email screening tools are available, which help to highlight to your users red flags and warning signals often found in Phishing emails.
Beneath all the technological defence layers against phishing should be a comprehensive staff training program. According to a recent government report – Cyber Security Breaches Report 2019 – only 27% of UK businesses are actively training their staff to avoid data breaches by spotting the warning signs and obvious red flags.