Paul and Ann Lupton sold the flat they had bought for their daughter for £340,000. Two days before the set completion date, Mr Lupton’s solicitor emailed requesting his bank account details for the sale proceeds to be paid into.
Mr Lupton duly replied, sending his Barclays bank account number and sort code.
The email was intercepted by cyber criminals, using extremely sophisticated technology that examines millions of emails to identify patterns of data that could contain valuable information.
Posing as Mr Lupton, the cyber criminal emailed the Luptons’ solicitor again – from the same email account – and told the firm to disregard the previous details and send the money to the fraudulent account instead.
The solicitor sent the funds intended for the Luptons, worth just over £333,000 after fees and charges, to the fraudulent bank account. A few days later, Mr Lupton called the solicitors to chase the payment and the crime was discovered. Both parties contacted Barclays and the police.
Firms have a responsibility to look after their clients’ money. However, do they have the necessary facilities to do so in a situation such as this? Would email encryption or the use of fax for confidential and sensitive information be a policy firms should adhere to for all future scenarios of this nature?
Government security service Get Safe Online, which offers advice on protecting against fraud, said the Luptons’ case was a stark reminder of how sophisticated cyber criminals had become.
Tony Neate, head of Get Safe Online, said: “In this case, the user would have had no idea that their emails had even been intercepted by a criminal or that the money had been fraudulently hijacked. It goes to show the importance of protecting online accounts in as many ways as possible.
“Your first line of defence for your email account is a strong password that is different to other online accounts and is changed regularly. Protecting your devices with security software and regularly installing updates will also help.”
The Solicitors Regulation Authority said member firms were responsible for safeguarding client funds and must replace any money that was “improperly withheld or withdrawn from a client account”.
Barclays was the account provider for all three involved: the solicitors, the fraudsters and the Luptons. The account was frozen and £271,000 was returned to the Luptons, still leaving them £62,000 out of pocket.
The firm in this case denied they were at fault due to the sophistication of the fraud, but after 8 months their PI insurer paid out and reimbursed the Luptons.