UK Banks and Solicitors Need to do More to Prevent Fraud

The Telegraph is reporting a series of cases where criminals have compromised the email communications between home buyers and their solicitors[1], and attempted to direct the money intended for the house purchase into the criminals' bank account. I really should not need to say this, but email is not a secure medium for financial transactions. It's important never to put your credit card information into an email, but it's even more important not to rely on email for bank transfer instructions for hundreds of thousands of pounds or dollars. Email hacking is offered as a cheap and readily available service. Just a couple of days ago, some enterprising hacker attempted to post this as a comment on the Cloudmark blog:
[Image: Email hacking for hire]
It's not certain from the Telegraph report whether the criminals compromised the email account of the purchasers or the solicitors, or conducted some sort of man-in-the-middle attack. However, since there have been several attacks of this type, it's probable that solicitors are being systematically targeted by hackers.

The Telegraph recommends using encrypted email for important communications. While this is a good idea, it is not particularly straightforward, and will not work unless both parties agree to do it. The simplest way to encrypt email is the Mailvelope browser plug-in for Chrome or Firefox. This lets you use PGP encryption on all the major webmail services. However, no amount of encryption can help you if your email account credentials have been compromised, or if your password is Passw0rd.

To protect yourself from this sort of hacking it is vital to turn on dual factor authentication (2FA) for your email account. Any solicitor or other high value target who does not have 2FA enabled for all email accounts is putting themselves and their clients at significant risk. Here are links telling you how to enable 2FA for the major webmail services. If you use one of these services and don't use 2FA, I suggest that you stop reading this blog post, turn on 2FA, and then come back and read the rest of the article. Seriously, do it now.

Even if you use encrypted email and 2FA, you should still confirm large financial transactions with a phone call initiated by the sender to a phone number for the recipient obtained from a public source. In this case "large" is any amount of money you can't afford to write off to experience.

The Telegraph report highlights how frustrating it can be to attempt to report fraud to a UK bank. One couple reported the fraud to their bank, the criminal's bank, and the police. The criminal's bank would not talk to them as they were not customers, and when the police managed to recover the bulk of the stolen funds, they were unable to notify the victims in a timely fashion because the victims' bank would not release their contact details to the police. In a similar fashion, when a company with close ties to Cloudmark detected a spear phishing email requesting a large wire transfer to a UK bank, the bank in question said they could not take any action against the criminals' account as there had not yet been any financial loss reported.

Banks quite rightly have strict regulations to protect the privacy of their customers and the integrity of their accounts. However, it's important to protect crime victims as well, even if they are not your customers. I would like to see the UK banks set up a joint bank fraud agency which can accept reports from anyone, and coordinate the response with law enforcement and the banks involved.

Footnotes:

1. Solicitor: In the UK, a lawyer who does not plead cases in court. For many solicitors, processing real estate purchases ("conveyancing") is a bread and butter business.