Fraud and security image


What you should know

Never send funds to a new account without ringing our office and speaking to the relevant person first (our client account details will never change).

Always query e-mails supposedly received from your solicitor, but which are actually from a different email address, particularly if the domain name ( is different.

If the domain name is the same but the format, style, content or language used is suspicious please contact this office immediately.

Disclaimer: We will not be responsible if you transfer money to a bank account that is not this firm’s client account.

Check your anti virus software and fire walls are up to date and operating.

Regularly change your password. Do not give our your password or other personal information to third parties.

For us, we will always ask you to provide a bank statement to confirm the account details when we need to send you money; we will often ophone to double check.

What follows is a real life example of why we do this and an example of how things went wrong for one particular firm and its client 

A law firm which was duped into paying away the £333,532 proceeds of a property sale after failing to confirm a client’s email changing their bank details – which turned out to be faked – has been rebuked by the Solicitors Regulation Authority (SRA).

Surrey firm (lets call them XY&Z) was able to recover all but £48,503 of it afterwards, with the balance made up by its professional indemnity insurer.

A regulatory settlement agreement published yesterday by the SRA recorded that the firm acted for a married couple, Mr and Mrs L, on the sale of a property.

Two days before completion, it emailed Mr L, asking him to provide his bank account details, which he did by return.

Later that day, XY&Z received a further email purportedly from Mr L. This asked the firm to ignore the previous bank details. The following day another email provided new details. The firm replied asking the sender to confirm the name of the bank and the account holder; they replied that the account was in the name of Mr L and was held with Barclays Bank.

The firm transferred the proceeds the following day, having not contacted Mr L by any alternative means of communication to check the instructions.

It emerged soon after that Mr L’s email account had been compromised and the money had been paid into a third party’s bank account.

The firm reported it to the police, the bank and its insurers, but not the SRA, although it recorded the incident in its register of breaches.

XY&Z was able to recover two tranches of money – £271,201 two weeks after completion, and a further £13,827 two months later. Its insurer replaced the outstanding money nine months after the loss.

As part of the agreement, the firm admitted breaches of the SRA principles and the accounts rules, including the failure to report the matter to the SRA.

In mitigation, XY&Z said it has since taken steps designed to reduce the risk of repetition. “This included a review of its procedures and the engagement of third parties to provide training to its staff and assess the security of its IT systems.”

The agreement said: “The SRA considers this outcome to be proportionate and in the public interest. The outcome recognizes the loss and inconvenience to Mr and Mrs L caused by the conduct of the firm.”

XY&Z also agreed to pay the SRA costs of £1,350.

The above is intended for information purposes only and shall not be deemed to, or constitute legal advice. Turners Solicitors LLP cannot accept responsibility for any loss arising as a result of acts or omissions taken in respect thereof.