Slow response to a scam: avoiding a complaint to the Legal Ombudsman
Criminals are becoming ever more sophisticated at targeting law firms and clients online.
Often, these schemes involve emails being sent to a client purporting to be from their solicitor or firm.
In several cases, hundreds of thousands of pounds have been stolen.
A recent complaint determined by LeO serves as a warning to firms that fail to act in a timely way and do not have appropriate policies and safeguards in place to mitigate risks.
The case
Mr C was in the process of purchasing a property and had instructed a law firm.
Unbeknown to him, his email account was hacked by criminals who intercepted the emails between him and his solicitors.
The fraudsters sent a spoofed email purporting to be from Mr C’s solicitors, providing alternative account details for the fraudster’s bank account.
Mr C transferred the deposit monies to this account in the belief that he was sending the money to his solicitors.
After transferring the money, Mr C emailed the firm asking them to confirm receipt.
Unfortunately, the firm did not check its accounts immediately to see whether it had received the money.
When the firm checked a week later, it became clear that a scam had been committed. Mr C was advised to contact his bank immediately. The bank was able to recover only a portion of Mr C's money from the fraudster’s bank.
However, due to the time that had passed, the rest of the money had already been removed from the fraudulent account.
The bank stated that if Mr C had contacted them sooner, it would have been able to recover more of his money.
During LeO’s investigation, it was discovered that the solicitor dealing with Mr C's house purchase primarily worked from home on her own device.
The firm did not have any policies in place for homeworkers and how they should safeguard information. No checks were carried out on the solicitor’s systems to ensure they were secure.
Mr C also received no warnings about the risks of cybercrime.
The LeO finding
LeO determined that the firm’s IT systems had been infiltrated by the fraudsters and it had insufficient security systems and policies in place to mitigate risks to clients.
Had the firm not delayed in checking receipt of Mr C's money, the client could have been alerted sooner and the full deposit monies might have been recovered.
In these circumstances, LeO recognises that both service providers and their clients are victims of the cybercrime.
However, LeO expects firms to implement reasonable safeguards and have processes in place to mitigate the risks of a cyberattack to the firm and its clients.
Resolving the complaint
The firm was directed to pay £27,000 – the difference between what was lost and what the bank had managed to recover from the fraudster’s account.
The client was also awarded £500 compensation for the distress and inconvenience caused as a result of the poor service.
Avoiding future complaints
Where client money has been lost, firms should:
- immediately notify the police/Action Fraud, the Solicitors Regulation Authority, and their professional indemnity insurers
- follow the Law Society’s practical guidance on what firms should do if they are the victim of a cyberattack
Following this guidance will assist firms to recover the stolen funds or help to mitigate the situation.
Complaints arising from clients about losses incurred as a consequence of a cyberattack should be treated as any other complaint under a firm’s internal complaints process.
To avoid similar complaints, it’s important to make sure that:
- your firm has adequate and appropriate systems and policies in place to mitigate the risk of cybercrime – LeO’s approach to dealing with cybercrime indicates the basic level expected
- you warn your clients about the risks of cybercrime at the outset
- you consider providing your firm’s client bank account details by letter or in person
- you advise your client that law firms rarely change their bank details and if they receive any communication purporting to make changes, they should immediately speak to the fee earner dealing with the matter or a senior member of staff on the firm’s published telephone number, which can be verified on Find a Solicitor
- you consider embedding a process asking clients to make a small payment to your client account first and then check that your firm has received it using known contact details before the rest of the funds are transferred
Supporting you and your firm
The legal sector is at significant and growing risk of cybercrime, cyberattacks and scams.
Explore our cybersecurity resources to help you understand and mitigate risk.
Explore best practice guidance on handling complaints and what to do when a complaint goes to LeO.
LeO’s Scheme Rules were updated from 1 April 2023. Find out how the changes impact complaints handling.
If you’re grappling with a complaint and would benefit from free and confidential support, contact our Lawyerline helpline service or call 020 7320 5720 from Monday to Friday, 9am to 5pm.