Conveyancing Fraud Prevention: A Step-by-Step Guide for UK Solicitors

Client Onboarding: Prevention Starts at First Contact

The most effective conveyancing fraud prevention happens before the transaction is underway:

• Provide every conveyancing client with a written statement at first instruction: "We will never change our bank details during a transaction. If you receive an email claiming our bank details have changed, call us immediately on [known number] before transferring any money."
• Verify client contact details by telephone at the outset — not just by email — so you have a confirmed number for verification calls
• Explain the fraud specifically and personally — not buried in terms of engagement
• Provide your firm's verified bank details by post at the outset if possible, not by email
• Make clear that any change to payment instructions will always be verified by telephone using a number you already have

Operational Process Controls During the Transaction

During the transaction period, firm-wide procedures must be followed consistently:

• Never send completion bank details for the first time by email alone — send by post and confirm verbally
• Any client request to change payment details must be verified by telephone call to a pre-verified number — never a number in the email
• Implement a "two-person rule" for any bank account change: two fee earners must independently verify before any change is made
• Log and record all bank detail communications and verification calls
• Train all conveyancing staff on the specific verification protocol — no exceptions, no matter how pressured the completion timeline is
• At exchange and approaching completion, send a reminder to the client: "Beware of emails claiming to change bank details"

Technical Controls That Close the Technical Attack Surface

Process controls are supported by technical controls that make email compromise harder:

• MFA on all fee earner email accounts — makes account compromise significantly harder
• DMARC at enforcement policy — prevents criminals from spoofing your domain to clients
• Email gateway monitoring for anomalous activity — new forwarding rules, unusual login locations
• Secure document sharing for completion documents — avoid sending critical documents as email attachments
• Consider a dedicated secure messaging channel for completion-stage communications
• Verify client email addresses through a second channel before sending any completion documents

What to Do If Fraud Is Suspected or Has Occurred

If you suspect fraud has occurred or is in progress:

• Immediately contact your bank's fraud team — do not wait to investigate — to attempt a faster payments recall
• Call the client on a verified number (not from the suspicious email) to alert them
• Report to Action Fraud (0300 123 2040) immediately — a reference number supports any recovery attempt
• Contact your professional indemnity insurer immediately — do not delay notification
• Notify your managing partner and COLP/COFA
• Do not attempt to investigate the breach yourself — preserve all email logs and contact your IT security provider or managed security service
• Assess whether ICO notification is required (likely, if the victim's personal and financial data was accessed)
• Assess whether SRA notification is required (likely, if client money is at risk or has been lost)

Frequently Asked Questions