With the amount of “vishing” scams hitting the news, and consumer websites ever increasing, the fraudsters have added a new weapon to their attack, which the National Fraud Intelligence Bureau is calling “invoice hijacking”.
This scam involves the fraudsters intercepting correspondence between two parties who have an existing contractual relationship, and “invoicing” the target for services that have actually been rendered. Solicitors are a particular target for this scam, due to the large amount of client money which is held on account.
One particularly sophisticated example we have seen of this recently involved a conveyancing transaction. A deposit for a property was being paid in tranches, which the solicitor was holding on account for the client. The client received an email purporting to be from his solicitor, asking that the funds be transferred to a separate account, due to a limit being reached. The fraudster provided details of a new account, to which the client sent the remaining deposit. The email account the fraudster had set up was similar enough to fool the client, but was not from his solicitor. As the original email had been from the fraudster to the client, either the client or the solicitor’s email account must have been hacked, with each party suggesting the fault must lie with the other.
In this case, the client had enough private funds to cover the sum stolen, allowing the transaction to complete; however, it remains to be proven where any liability may lie. If the client had not been able to complete, there could have been losses down a whole conveyancing chain, increasing the stakes considerably.
To reduce the likelihood of your firm becoming involved in this type of fraud, you should:
- keep your firm’s anti-virus software up to date
- inform your clients to never send funds to a new account without ringing the office and speaking to the relevant person first
- tell your clients that they should always query emails supposedly received from their solicitor, but which are actually from a different email address, particularly if the domain name is different.
Finally, if you are a victim of fraud you must immediately contact:
- your bank
- the police
- your brokers/insurers
- your regulator.
Taking immediate action may help to reduce the scale of this fraud.