Legal sector encryption failure gifts large payout to cyber criminals

A recent account published in the Telegraph newspaper reported the alarming story of a London couple who inadvertently became the victims of a cruel cyber attack. Completion funds on the sale of their property were intercepted by cyber criminals and the couple lost all proceeds, totalling £333,000.

The law firm handling the conveyancing, Perry Hay & Co in Surrey, had emailed owner Paul Lupton, requesting the bank account details into which the proceeds of sale should be paid upon completion. Mr Lupton duly replied, giving both account number and sort code. The fraudsters, using ‘xray’ technology which identifies data patterns with financial information, intercepted this email and replied to the law firm, requesting that the previous email be ignored and that the funds be transferred to a different account: theirs.

On discovering that the monies had not been transferred, the owner alerted the bank (Barclays) and the police. The account was frozen and £271,000 was returned.

With conveyancing a lucrative target for cyber criminals, law firms have to take responsibility for their clients' money and use encrypted, password-protected emails for confidential or financially sensitive information.

For email users, account numbers, sort codes, passwords and PINs should never be transmitted by email or written down. Online passwords should be strong (involving numbers and characters) and changed regularly. Devices should also be protected with security software, kept regularly updated, to help defend accounts.

This is little comfort for the Luptons, who are currently still out of pocket to the tune of £62,000 after Perry Hay & Co (and Barclays) rejected responsibility, despite the legal watchdog, the Solicitors Regulation Authority (SRA), asserting that member firms were responsible for safeguarding client funds and must replace any monies “improperly withheld or withdrawn from a client account”.
