Criminals are after your clients’ money – will you give it to them?

Posted by Gemma Sirett on November 18, 2019

The scale of financial transactions makes the legal sector an enticingly lucrative prospect for those with less-than-legal intentions. As law firms’ reputations are built on trust and security, keeping these payments safe is vital to staying in business.

The Law Society reported that “criminals hacking into a firm’s email server to intercept and send false emails to clients, usually to change bank details, is the biggest threat to law firms”1. Payment diversion fraud is on the rise, and isn’t easy to spot – a convincing-looking email purportedly from someone you’re expecting a payment from, or about to make a payment to, can mislead you into actioning the fraudulent request without a second thought.

Email is the key route in for payment diversion fraud – misspellings of a law firm’s domain name and business email compromise both enable threat actors to reroute payments to their own accounts. A quick internet search revealed that the legal sector is making this easy for attackers. 100% of the law firm websites we checked listed names and email contact details for their directors, partners, and support staff, with 80% providing a detailed career background and a link to each person’s LinkedIn profile. 100% of these firms also revealed their clients to the public – 60% openly listed names and logos, and 40% identified theirs through named client testimonials.

This seemingly innocuous information sharing makes a cyber criminal’s job almost too easy. It’s a trivial task for adversaries to check a partner’s LinkedIn profile against the law firm’s list of clients to see who they’re connected to at any given client. All the adversary needs to do then is use the information displayed on the firm’s website to spoof a believable representation of the partner’s email address, and get in touch with the known client contact, requesting funds to be diverted to alternative bank details.

Threat to conveyancing firms

The financial aspect of buying a property means conveyancing firms will always be at an increased risk of cyber attack. Huge sums of money are transferred, with communications happening almost exclusively via email, making them vulnerable to interception by opportunistic cyber criminals. Buying a property is a turbulent time for clients, and they put their complete trust in the firm handling their transactions.

Threat actors gain access to these transactions by a hijacked inbox or spoofed email address, and use social engineering tactics to divert payments to and from the conveyancing firm. If an individual is transferring funds to a conveyancer, the threat actor can spoof an email to the individual, claiming to be the conveyancer, requesting the funds due are paid to alternative account details.

“Of the 7,544 malicious redirection scams completed [in 2018], over 9,000 payments were made with an average individual loss of £20,750" 2

As the process of buying a property follows a formulaic pattern, it’s not difficult for cyber criminals to identify when money is about to change hands. The Solicitors Regulation Authority noted that “when used to steal conveyancing money, [email modification fraud] is also known as 'Friday afternoon fraud', as many of these transactions take place on Friday afternoons”3.

Make your clients aware from the outset what your bank details are and that they will not change. We’ve seen this approach implemented successfully first-hand, where the conveyancing firm notified the home buyer of their bank details in the welcome pack. Each time a payment was due, the firm asked the buyer to refer to their welcome pack for the account details, rather than sending them again. This ensures only one set of bank details is ever given to the client, and only once, along with clear advice that no other details are to be trusted, therefore reducing the risk of payments being sent to the wrong account.

Targeting big business

It’s not just conveyancers who need to be wary of payment diversion fraud. Business transactions made through a legal firm are tempting prey for more targeted cyber criminals, rather than optimistic opportunists.

Law firms are a much easier target to compromise than the FTSE 100 companies they represent, and taking instruction and transaction details via email is the norm. Threat actors observe the transaction process throughout the supply chain, so they can determine when money is about to move and tailor their attack accordingly. State-sponsored attacks are a daily occurrence against big businesses, meaning the threat level could be significantly higher than the law firms that represent them first realise. Can you guarantee to protect your clients’ business transactions from some of the most powerful people in the world?

How are transactions intercepted?

Earlier this year, global law firm Linklaters reported that its name had been subtly misspelled by cyber criminals to create a number of different email addresses. Spoofed versions of the firm’s genuine domain ( included,, and the marginally more obvious The Telegraph reported that “the criminals asked for payment to a new bank account”4, but Linklaters was quick to alert its clients to the fraud, confirming its bank details had not changed. Luckily, Linklaters spotted the scam before damage could be done, but a spoofed email address isn’t the only weapon in an attacker’s arsenal.

Cyber criminals who manage to gain access to an inbox can also set up a forwarding rule, using key words relating to financial transactions. If an email arrives in the compromised mailbox containing the word ‘invoice’, for example, that email would be automatically forwarded to the attackers, allowing them to infiltrate the email exchange and redirect payments to their own accounts. Unlike a spoofed email address, this form of attack is incredibly difficult to spot – your law firm needs to be actively hunting for indicators of compromise and suspicious account activity.

According to the Solicitors Regulation Authority (SRA), £11m of client money was stolen as a result of cyber crime in 2016/175. It’s not always clear who is at fault if payment diversion fraud is successful, and some cyber insurance policies do not cover law firms against losses as a result of malicious activity. Check your cyber insurance policy to make sure your firm is covered in the event of malicious payment diversion fraud. You need to be confident in your law firm’s ability to keep clients’ money safe, and provide reassurance to them that they won’t lose out if the law firm is breached. If you’re not covered, speak to your insurance provider.

Find out more about how CORVID can benefit the legal sector.

  1. The three biggest cyber threats facing law firms
  2. Sophisticated Law Firm Email Domain Impersonation Fraud Concerning
  3. Information and cyber security
  4. Fraudsters try to cash in on the good name of British legal companies
  5. Public and law firm money at risk as regulator reports cyber theft at peak levels
  6. New research shows 84% of UK law firms still vulnerable to email fraud – cyber attacks remain the biggest threat to a £26 billion industry