Kyanite Blue
Threat Intelligence

Conveyancing Fraud: How Email Interception Steals Completion Funds and What to Do About It

Every year, UK homebuyers lose millions of pounds to conveyancing fraud — and many solicitors' firms face devastating professional indemnity claims as a result. The attack is simple and devastatingly effective: criminals compromise the email communications between a solicitor and their client, monitor the correspondence until they know a property completion is imminent, then send a fraudulent email containing substitute bank details. The client transfers their life savings. The money is gone within hours. Action Fraud data shows conveyancing fraud as one of the largest sources of fraud loss in the UK.

Action Fraud data: conveyancing and property fraud costs victims over £100 million annually in the UK.

How Conveyancing Fraud Actually Works

The attack exploits the trusted email relationship between solicitor and client at the highest-stakes moment of a property transaction:

  • Step 1 — Compromise: The attacker gains access to either the solicitor's email account (via phishing or credential theft) or the client's email account
  • Step 2 — Monitor: The attacker reads correspondence silently for weeks, learning the timeline, the parties involved, and the expected transaction amounts
  • Step 3 — Intercept: Days or hours before completion, the attacker sends an email that appears to come from the solicitor, with fraudulent bank details
  • Step 4 — Transfer: The client transfers the completion funds to the fraudulent account
  • Step 5 — Disappear: The funds are moved through multiple accounts within hours, typically overseas, and become irrecoverable
  • The solicitor may not know their email was compromised for days or weeks

Why Law Firm Email Security Is the First Line of Defence

The entry point for most conveyancing fraud attacks is weak email security at the law firm. Common vulnerabilities include:

  • No multi-factor authentication on firm email accounts — a stolen password is sufficient for full access
  • No email authentication (SPF, DKIM, DMARC) — allowing attackers to send spoofed emails appearing to come from firm domains
  • Lack of email filtering to detect unusual login locations or forwarding rules created by attackers
  • Fee earners using personal email addresses for client communications
  • No client verification protocol for bank account change requests

The Process Controls That Stop It

Conveyancing fraud is stopped through a combination of technical controls and process disciplines:

  • Never send bank details by email: communicate account details by post initially, then verify by telephone before completion using a known number — not one in an email
  • Verbally verify any bank detail change: a policy that no bank account change is ever acted upon without a telephone verification call to a previously verified number
  • Implement DMARC: prevents criminals from spoofing your domain to send emails appearing to come from your firm
  • MFA on all email accounts: stops credential theft from enabling account access
  • Client education: warn every conveyancing client explicitly at the outset that you will never change bank details by email alone
  • Email gateway monitoring: detect unusual login locations, forwarding rules, and auto-replies that indicate account compromise

Coro and Email Security: Technical Controls for Conveyancing Practices

Coro's email security module provides the technical foundation for conveyancing fraud prevention: MFA enforcement across all accounts, DMARC/DKIM/SPF configuration, anomalous login detection, and suspicious forwarding rule alerts. When combined with firm-wide process protocols for bank detail verification, the attack has no viable entry point.

Frequently Asked Questions

Who is liable when conveyancing fraud occurs — the firm or the client?

Liability is contested and depends on the specific circumstances. The SRA requires firms to hold adequate professional indemnity insurance. Firms that cannot demonstrate they had adequate controls — including client warnings about the fraud and verification protocols — face both insurance claims and SRA regulatory action. The client will argue the firm's email was compromised and the firm should bear the loss.

Does professional indemnity insurance cover conveyancing fraud losses?

Standard SRA-minimum PII may cover conveyancing fraud losses, but not always. Many insurers are now adding exclusions or sub-limits for cyber-enabled fraud. Check your policy. Some firms are purchasing specific crime insurance to cover this exposure. Note that some cyber insurance policies explicitly cover fraudulent funds transfer.

Can we recover stolen conveyancing funds?

Recovery is rare but not impossible. Immediate action is critical: call your bank's fraud team immediately, contact Action Fraud (0300 123 2040), and ask your bank to invoke the faster payments recall process. Banks have a voluntary commitment to try to recover funds, but once money leaves the UK banking system, recovery is extremely unlikely. Speed matters enormously — the window is hours, not days.

Protect your conveyancing clients from email fraud

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.

Get in touch

Featured Product

Coro

Learn more

Ready to secure your iGaming operation?

MGA-licensed operators across Malta trust Kyanite Blue.

Book a call Browse all guides