UK: Solicitor fined for failing to spot cyber fraud

A British solicitor with decades of experience agreed to pay £26,000 in fines and costs after admitting being duped into transferring more than £290,000 to a hacker.

Acting for a local company on a property sale, exchange took place with completion scheduled for four weeks later.

Between exchange and completion, the email traffic between solicitor and client was intercepted in a targeted cybersecurity attack.

The day before completion, the solicitor received an email from a slightly different email address asking that the sale proceeds be transferred to a different bank account.

The solicitor, quite properly, responded that they would need telephone confirmation from the client of the changed instructions.

Instead, a further email was received, reconfirming the amended account details. The solicitor agreed to send the funds the following Monday.

The situation only came to light when the bank notified the solicitor nearly two weeks later that it had concerns about the recipient account.

The client had not complained or raised any other issues but confirmed that no funds had been received.

The Solicitors Disciplinary Tribunal (SDT) noted that, despite the bank raising suspicions, the solicitor only reported the loss to their insurers.

The solicitor said that as the client was “quite relaxed”, they did not report the matter to the Solicitors Regulation Authority (SRA) or the police for three months, by which time the funds had been replaced by insurers.

The SDT’s findings

Although the case included other allegations regarding the solicitors’ accounts systems, the SRA placed particular emphasis on the fact there was a clear breach of the duty to protect client money and assets.

Given the client had not been pressing for payment, the SRA suggested the solicitor had plenty of time to get confirmation of the changed bank details by phone or in person.

As an experienced conveyancer, the last-minute change in instructions was a red flag the solicitor shouldn’t have missed.

It was neither necessary nor prudent to send the full funds to the new account on the next business day.

In approving an outcome agreed between the SRA and the solicitor, the SDT found that the solicitor should have known the circumstances were suspicious and worthy of proper investigation to prevent fraud.

The SDT found the failure to insist on additional verification measures particularly troubling “given the critical importance of such steps to counter fraud and attempted criminality”.

Although there was no question of dishonesty or lack of integrity on the solicitor’s part, guidance published by the SRA makes clear that there is an expectation that solicitors report such cases, even where fraudulently obtained or stolen money has been replaced.

The solicitor was fined £10,000 and ordered to pay costs of £16,000.