Solicitor to pay over £26,000 in fines and costs after failing to spot Friday afternoon fraud

A solicitor with decades of experience was fined by the Solicitors Disciplinary Tribunal (SDT) and ordered to pay £26,000 in fines and costs after being deceived into transferring more than £290,000 to a hacker in a targeted conveyancing cyberattack.

How did the fraud occur?

The solicitor was acting on behalf of a local company in a property sale. After the exchange of contracts, cybercriminals intercepted email communications between the solicitor and their client. The day before completion, the solicitor received an email from an address that closely resembled the client’s, requesting a change in bank details for the transfer of sale proceeds.
Initially, the solicitor responded correctly by requesting telephone confirmation. However, instead of following up with a phone call, they accepted a second email confirming the new account details and arranged to transfer the funds the following Monday. The fraud only came to light nearly two weeks later when the bank flagged concerns about the recipient account. By this point, the client had not received the funds, but they had also not raised any complaints. The solicitor reported the loss to their insurer but did not inform the Solicitors Regulation Authority (SRA) or the police for three months, by which time the funds had been replaced by insurers.

The SDT’s findings

The SDT found that the solicitor had breached their duty to protect client money and assets. The SRA emphasised that an experienced conveyancer should have identified the last-minute change in payment instructions as a red flag and taken further verification steps. Key failings identified by the SDT included:
  • Failure to insist on telephone or in-person confirmation before processing the transfer.
  • Proceeding with the full payment on the next business day despite the suspicious circumstances.
  • Delayed reporting of the incident, contrary to SRA guidance.
While there was no dishonesty or lack of integrity on the solicitor’s part, the SDT highlighted the expectation that solicitors must report fraud cases, even when stolen funds are replaced. The solicitor was fined £10,000 and ordered to pay costs of £16,000.

Failure to prevent fraud

The new “failure to prevent fraud” offence, introduced under the Economic Crime and Corporate Transparency Act 2023, is effective from 1 September 2025. The new offence holds businesses accountable when individuals associated with their organisation commit fraud to benefit the company, whether directly or indirectly. While a defence exists if businesses can demonstrate “reasonable procedures” to prevent fraud, the guidance emphasises the significant steps companies must take to prepare for this landmark legislation.

How to prevent conveyancing cyber fraud

This case underscores the growing threat of ‘Friday-afternoon fraud’ — a type of cyberattack targeting property transactions, particularly during busy periods. The SRA reports that email modification fraud accounts for 68% of cyber fraud cases in the legal sector. To mitigate these risks, solicitors and compliance teams should implement the following safeguards:

1. Train staff to detect fraudulent emails

Encourage staff to ask:
  • Was this email expected?
  • Does it change payment instructions?
  • Why are bank details being provided in this way?
  • Is the sender’s email address genuine?
  • Are there hidden details, such as embedded links or similar-looking email addresses?
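As an added example (not from the article or from VinciWorks), the following Python script turns the sender-address questions above into a mechanical pre-check for an inbound message: it compares the sender against a hypothetical list of trusted client contacts taken from the matter file, flags near-miss lookalike addresses and non-ASCII characters in the address, and flags wording that supplies or changes bank details. All addresses, subjects and message text are constructed.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed address book of trusted client contacts for one matter
# (hypothetical values, not from the article); in practice this comes from
# the contact details verified at the start of the transaction.
TRUSTED_CONTACTS = {"accounts@example-client.co.uk", "j.smith@example-client.co.uk"}

# Wording that supplies new or changed payment instructions.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?|different)\b.{0,40}?\b(bank|account|sort code|iban)\b"
    r"|\bbank details\b",
    re.IGNORECASE | re.DOTALL,
)

def normalise(addr):
    """Lower-case and NFKC-fold an address so many Unicode lookalikes collapse."""
    return unicodedata.normalize("NFKC", addr).strip().lower()

def nearest_trusted(sender):
    """Return (trusted_address, similarity) for the closest trusted contact."""
    score, match = max((SequenceMatcher(None, sender, t).ratio(), t) for t in TRUSTED_CONTACTS)
    return match, score

def assess_email(sender, subject, body, threshold=0.85):
    """Return a list of (flag, detail) red flags for an inbound email; an empty
    list means nothing was flagged. Any flag on a message touching payment
    details means: stop, and call the client back on a known number."""
    flags = []
    norm = normalise(sender)
    if any(ord(ch) > 127 for ch in sender):
        flags.append(("non_ascii_sender", f"address contains non-ASCII characters: {sender!r}"))
    if norm not in TRUSTED_CONTACTS:
        match, score = nearest_trusted(norm)
        if score >= threshold:
            flags.append(("lookalike_sender", f"{sender!r} resembles {match!r} ({score:.2f}) but differs"))
        else:
            flags.append(("unknown_sender", f"{sender!r} is not a known contact on this matter"))
    if PAYMENT_CHANGE.search(subject + "\n" + body):
        flags.append(("payment_details_change", "message supplies or changes bank details"))
    return flags

if __name__ == "__main__":
    # Constructed lookalike: 'cilent' for 'client', received the day before completion.
    for flag, detail in assess_email("accounts@example-cilent.co.uk", "Change of bank details",
                                     "Please send the proceeds to our new account instead."):
        print(f"{flag}: {detail}")
```

A flagged message is a prompt for the telephone call-back on a number already held on file, not a verdict; the script cannot tell a compromised genuine mailbox from a genuine instruction, which is why the call remains the control.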

2. Raise awareness with clients

Educate clients about cyber fraud risks and your firm’s security protocols:
  • Inform clients that your firm will never change bank details via email.
  • Encourage them to verify any unexpected payment requests.
  • Empower staff to challenge suspicious requests, even under pressure.

3. Verify contact details

Ensure proper verification steps before processing payments:
  • Always call the client to confirm new bank details, using a trusted phone number.
  • Avoid relying on phone numbers provided in suspect emails.
  • Preferably confirm bank details in person or at the start of a transaction.

4. Know your reporting obligations

If a fraudulent transaction occurs, it must be reported promptly to:
  • Your bank
  • The National Fraud and Cyber Crime Reporting Centre (0300 123 2040)
  • Your professional indemnity insurer
  • The SRA (0121 329 6827 or [email protected])

How VinciWorks can help

Our new course, Understanding Fraud: Identify and Prevent Workplace Fraud, introduces all aspects of fraud from when, how and why it occurs, to ways in which you can detect, prevent and report fraud. We also offer a variety of other fraud prevention courses such as Fraud prevention for law firms, Fraud: Failure to prevent, and more.

We also offer courses and compliance solutions in cybersecurity and SRA compliance.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
