Ben Zurawel secures 6 figure settlement for victim of fraudulent bank details email scam
"Mr G" had instructed his usual local conveyancing solicitors, "H & Co" in relation to the sale of his late mother's house. A few days before completion (in early 2015), H & Co received an email from Mr G providing details of a new bank account at a different high street bank, to which H & Co were to transfer the proceeds of sale. H & Co replied, confirming the arrangement, and a few days later duly made an electronic transfer of the monies to the requested account.
Mr G, however, did not receive the funds. He had not sent the email. H & Co contacted the destination bank to find that the bulk of the monies had immediately been withdrawn by an unknown third party. It was suggested that Mr G had been the victim of fraud. However, Ben Zurawel and Laura Cavill of DLG Legal Services, acting for Mr G, were ultimately able to persuade H & Co's insurers that in reality H & Co had been the victim of fraud whereas Mr G had been a victim of H & Co's negligence.
This was an example of an increasingly prevalent form of fraud, typically targeting property conveyancing transactions. An unknown third party had opened a new bank account using fake details and then hacked the email accounts of both Mr G and H & Co so as to cause an email purportedly from Mr G to be sent to H & Co, stating that instead of using his account with "X" (the bank with whom Mr G did indeed have an account), he wished the proceeds of sale to be sent to the account opened by the third party at "Y" bank.
H & Co replied to Mr G, confirming where funds would be sent. This might have been enough for the scam to come to light, but that email itself was then intercepted by the hacker and the reference in an attached Word document to "Y" bank changed back to "X" bank, such that Mr G was under the impression that H & Co had simply confirmed that the monies would be sent to his normal bank account, the details of which H & Co held having acted for Mr G in previous conveyancing transactions.
The difficulty facing Mr G was that as far H & Co were concerned they had acted upon their client's instructions, which they had confirmed with their client; as far as the police and the destination bank were concerned, it was H & Co, and not Mr G, that was the victim of the fraud – making it difficult for Mr G to obtain either information or adequate redress.
In the first place, Ben argued that the Solicitors Accounts Rules 2011 made H & Co strictly liable to account to Mr G for the missing money; alternatively that by acting upon the purported email from Mr G, H & Co had acted negligently and in breach of its retainer. H & Co ought to have been suspicious about the particular email in question (for example because it was unsolicited and not written in Mr G’s usual style); and in general it ought to have procedures in place that precluded relying upon bank details received by email (for example, it ought to have rung Mr G to confirm the arrangement).
After many anxious months for Mr G, H & Co's indemnity insurers were persuaded that it was H & Co that was responsible for this scam succeeding, leading to a substantial settlement.
This was just one example of an increasingly common kind of fraud, which newspapers have been reporting for over a year - see for example: http://www.telegraph.co.uk/money/consumer-affairs/property-sellers-warned-not-to-email-solicitors-we-lost-204000/. Likewise, the Solicitors Regulatory Authority has for over a year been warning firms of the risk of such scams – see: http://www.lawgazette.co.uk/news/sra-warns-of-friday-afternoon-fraud-risk/5047315.fullarticle.
Firms of solicitors ought to have robust procedures in place to guard against such attacks: for example, checking bank account details against ‘Know your client’ / money-laundering information already held and only accepting notification of changes over the telephone after security questions have successfully been answered or by signed mandate accompanied by appropriate documentation.
Firms should establish robust and secure means of communicating with their clients - for example protecting any documents attached to emails containing sensitive information with passwords. And firms should be on the look-out for tell-tale signs of fraud in relation to particular emails: for example, is the message unsolicited? Does it contain spelling or grammar mistakes that are uncharacteristic of the client? Is the message sent on the eve of a transaction? Does it refer only to other details that could have been obtained from previous emails?
In general, both firms and their clients must remember that email is a fundamentally insecure means of communication, that may have been sent by someone other than the purported author, that may be read by someone other than the intended recipient and that may contain attachments vulnerable to manipulation.
Further advice can be found here: http://www.actionfraud.police.uk/
Ben Zurawel was instructed by DLG Legal Services on behalf of the claimant, Mr G.