Cybersecurity for Conveyancing Solicitors: Preventing Completion Fraud and Protecting Client Funds

Conveyancing solicitors handle more high-value, time-pressured transactions than almost any other legal practice area — and criminals know it. The combination of predictable large payments, time pressure that overrides verification instincts, and email-centric communication makes conveyancing the highest-risk legal sector for cybercrime. UK Finance estimates that fraud losses in property transactions exceed £100 million annually in the UK. Most of those losses were preventable with controls that conveyancing firms can implement today.

The Specific Threat Landscape for Conveyancing Firms

Conveyancing practices face a threat landscape distinct from other legal sectors:

  • Completion fund fraud: attackers intercept email communications and redirect completion funds by impersonating the firm or the other side's solicitor
  • Client identity fraud: fraudsters pose as vendors to divert proceeds, or as buyers to obtain mortgage funds
  • Land Registry fraud: attackers target unmortgaged properties and properties owned by overseas landlords
  • Mandate fraud: attackers impersonate suppliers — search providers, surveyors — to redirect payment for services
  • Account takeover: phishing or credential theft against fee earner email accounts to monitor transactions and intervene at the right moment

Process Controls Every Conveyancing Firm Must Have

The process controls that prevent conveyancing fraud are straightforward and must be implemented without exception:

  • Written bank detail warning at first instruction: tell every client in writing that you will never change bank details by email
  • Verified callback before any payment: call clients on a pre-established, verified number before sending funds — never use a number provided in email
  • Four-eyes authorisation on all completions: no single fee earner can authorise a completion transfer
  • Bank detail change freeze: any request to change bank details triggers a mandatory verification process and a waiting period
  • Client care letter clause: include specific language about fraud risks and verification procedures in every client care letter

Technical Controls for Conveyancing Practices

Process controls must be supported by technical defences:

  • DMARC enforcement: prevents attackers from spoofing your firm's domain in emails to clients and other solicitors
  • Email filtering: modern gateways detect lookalike domains used in impersonation attacks
  • MFA on all accounts: prevents stolen credentials alone from giving an attacker full access to an email account
  • Coro email security: provides AI-powered detection of Business Email Compromise patterns specific to the legal sector
  • Secure client portal: replacing email with a secure portal for sharing sensitive documents and bank details eliminates the email interception vector entirely
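
A check for the DMARC enforcement control listed above, as an added example (not code from the original page): it parses a domain's DMARC TXT record and reports the settings that leave spoofed mail deliverable. The sample records and the firm.example domain are constructed; fetching the TXT record from `_dmarc.<domain>` is left to your own DNS tooling.

```python
import re

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return findings for one record; an empty list means enforced and reported."""
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: receivers still deliver spoofed mail")
    # sp inherits p when absent, so only an explicit weak sp is a separate gap.
    sp = tags.get("sp", "").lower()
    if sp and sp not in ENFORCING:
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to show who sends as the domain")
    return findings

# Constructed sample records for a placeholder domain (firm.example).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@firm.example",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@firm.example",
    "spf-by-mistake": "v=spf1 include:_spf.firm.example -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record) or "OK")
```

A record that publishes `p=none` is DMARC monitoring, not enforcement: it generates reports but does not stop a spoofed message reaching a client.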

SRA and Indemnity Implications

Where completion funds are lost to fraud, conveyancing firms face multiple regulatory and financial exposures. The SRA will investigate whether the firm had adequate systems and controls to prevent the fraud. Professional indemnity insurers will examine the same question — and may dispute coverage where basic controls such as verified callback procedures were not in place. Firms with documented, implemented controls are in a far stronger position with both the regulator and their insurers.

Frequently Asked Questions

What is the most effective single control to prevent conveyancing fraud?

The verified telephone callback procedure — calling the client on a pre-established number before sending completion funds. This single process control, consistently applied, prevents the majority of completion fund fraud. It works because the attack relies on the firm trusting an email instruction; a call to a pre-verified number that cannot be spoofed breaks the attack chain.

Are we liable if a client loses money to conveyancing fraud?

If the fraud resulted from a compromise of the firm's own email systems, the firm is almost certainly liable. If the fraud targeted the client directly (the client's email was compromised), liability is more complex, but the SRA will still examine whether the firm's controls — particularly DMARC and client warning procedures — were adequate. Professional indemnity insurance typically covers these claims.

Should we move away from email for sharing bank details?

Yes, where possible. A secure client portal that provides bank details only after multi-factor authentication eliminates the email interception vector entirely. Several practice management systems offer this functionality. Where a portal is not in place, consider providing bank details by post at the outset and making clear they will never change.
