Email, interception, fraud, and solicitors

The Law Society - the official representative body for solicitors in England and Wales - runs a publication called “The Law Society Gazette”. A bit like “Heat” magazine, but different in every way.

It has a story entitled:

Emails intercepted in £640,000 conveyancing fraud

Being interested in matters of interception, and cybersecurity, I clicked.

Who intercepted what, and how?

The article is very light on detail.

It says:

the [Law] Society said criminals intercepted emails between the buyer and the buyer’s solicitor. They created an email account made to look like that of the solicitor to request payment. Payment details were provided on headed paper via the spoofed email, and the amount requested was exactly what the buyer had expected to pay.

It is not clear if the first and second sentences are connected.

Is the article saying that the actions in the second sentence amount to “interception”? If so, then I disagree: creating an email account to look like that of a solicitor, and using that to correspond with a client, may well be fraudulent, but it is not “interception”.

Perhaps it is saying that, first, the fraudsters intercepted the solicitor’s email account, and, having obtained access to the content of a communication going between client and solicitor, they subsequently set up an email account to perpetrate their fraud.

But if that latter scenario is the case, it is most unfortunate that the detail of the “interception” is omitted.

How did the interception take place? Was a solicitor’s computer compromised? Their mail server? Was it the client’s computer? Or the client’s mail server?

Was the client using the same email address and password across multiple sites, one or more of which was compromised, and not using two-factor authentication for their email account? (i.e. the fraudster had the client’s email address and password, enabling them to log into their mail server.)

Was either end using insecure Wi-Fi and an unencrypted connection to their mail server?

Unfortunately, reminders about “email interception” risk come up with reasonably regularity, but the detail is so scarce that it is hard for a firm of solicitors to do anything with that information.

What about the fraudsters creating their own, look-alike, email account?

Although the headline is about interception, it appears that the mainstay of the fraud was that the fraudsters created an account which they “made to look like that of the solicitor to request payment”.

I’m not sure there is much a solicitor’s firm can do about that, unfortunately.

Identify the problem, then the solution?

It’s tempting to dive into “what technical solution is best here?”.

But that would be the wrong approach.

First, it presumes that the issues are technology issues, or that technology is the answer. Some times it is, some times it is not. But let’s not start with the presumption that it is a technical issue.

Second, you need to know what problem you trying to solve. Otherwise, it’s just a matter of chance / coincidence if the purported “solution” actually does what you need.

Here, there’s potentially a considerable difference between:

The latter is, I should have thought, easier than the former, unless solicitors are to be held responsible for any instance of fraud suffered by a client.

(And, yes, I appreciate that drawing attention to the distinction may not be welcome. But it is, IMHO, realistic.)

That said, since most of the comments I’ve seen do not appear to distinguish between the two, some quick thoughts on the type of “solutions” which typically come up:

What about signed, encrypted email?

I’m all for signed and encrypted communications. Definitely.

But I’m not sure it is the answer here.

I offer - through my law firm, - signed and encrypted email communications. I sign every email I send by default, and I have to remember to remove the PGP signature for some recipients whose email servers struggle with it.1

Bluntly, many of my clients are geeks. Not all, for sure, but many.

And, of those geeky clients, perhaps a handful use PGP with me. Most do it occasionally, rather than every time. (Some are required to use Outlook, which, I understand, does not make PGP easy.)

If my geeky clients do not routinely use signed and encrypted email, I’m very sceptical that a conveyancing firm is going to get its clients to do so.

Moreover, I’m also sceptical that someone not used to using signed, encrypted email is well placed to verify the validity of a digital signature: a fraudster can also sign and encrypt email.

Use post?

This comes up as a “solution” occasionally.

I don’t know the question to which it is posited as a solution.

Letters are readily forged, so the fraudster sends a forged letter with the solicitor’s letterhead, bearing new bank details.

They then ring the client, spoofing the solicitor’s office number, saying:

“just ringing to confirm that our bank details have changed. We said before that you should verify this by telephone, so we’re calling to do that. For security, I confirm that there is a unique code in the letter which only we know, and it is [whatever the fraudster wrote in their letter]. But better safe than sorry, so why not make a test payment, and we’ll call you when we receive it.”.

If a client fell for the email-based scam, I could not be confident that they wouldn’t fall for this fraud too?

Some kind of hosted communications platform?

Perhaps, although it is no panacea.

I suspect we have all received smishing SMS, or phishing email, encouraging us to share our credentials with a fraudster, or else to attempting to encourage us to log into a look-alike platform.

In fact, I’d have thought that this would much easier for a fraudster than “intercepting” someone’s email?

What about “an app”?

What about something which works in a web browser, and doesn’t require an app? If an app offers an additional interface, or additional security, sure, it might be something to consider but, again, it is no panacea (especially as not everyone is capable of using your app).

How did the fraudster get the client’s information?

The fraud in the article was seemingly perpetuated because the fraudster knew:

It’s possible that they obtained this by intercepting the client’s, or the solicitor’s, email.

Perhaps they did - the article is too light on detail to be confident either way.

But is it not more likely that there was some other form of compromise?

The role of the bank?

Although the focus of the article was the solicitor, the harm happened when the client transferred the sum to the bank account of the fraudster.

The article is silent on this bit of the fraud and, in particular, whether the bank(s) involved offered “verification of recipient”.

Could a bank stop a fraudster from creating an account which bears a name very similar to that of the law firm? I’d have thought that a bank would do quite considerable due diligence first, but perhaps not enough (or it is simply not possible to do enough to mitigate risk in all circumstances)?

  1. I’m looking at you, Information Commissioner’s Office, which is ironic given your role in EIDAS. ↩︎