Authorised Push Payment Fraud And Organised Crime

Through two short case studies we show you how law firms can be susceptible to Push Payment Fraud; and how you can mitigate your risks with some simple steps

In the opening six months of 2019, over £209 million was lost to cyber criminals successfully carrying out push payment fraud attacks. 

Essentially, this type of fraud sees the criminal hacking into email accounts or spoofing a business’ domain in order to convince the consumer into thinking they are a legitimate organisation. The consumer will then willingly transfer funds into the fraudsters account who will then swiftly scarper with the money. 

Unfortunately for the UK, this type of fraud was extremely lucrative last year, increasing by 40 per cent since 2018 when £148.2 million was lost in the opening six months, according to UK Finance.  

The legal sector is extremely susceptible to this type of fraud with criminals looking to hack email correspondence before redirecting messages and using convincing social engineering tactics to intercept messages and steal a buyer’s hard-earned transaction funds. 

In the first week of March 2020 alone, two cases hit the news emphasizing the scale of the problem and the impact it can have on the home buyer.  

Case Study 1 – The scale of the problem 

Unfortunately, the legal sector is not just dealing with a single criminal in a dark room chancing their arm at achieving the goal of stealing the funds from a property transaction. Fraudsters are convincing and can consider all the bases to look convincing. 

Five criminals were arrested recently for ‘payment diversion’ crimes worth in excess of £10 million. 

In total, 235 individual frauds had been committed over a five-year crime spree between 2014 and 2019 by the group. 

In most cases, the criminals would hack into email addresses using Malware, gain access and then lie in wait. The accounts were then monitored until they spotted signs of activity involving transfers of money. At this point the group intercepted the communication and convinced the victim to divert their payments into the accounts controlled by the fraudsters. 

What was extremely worrying to the North London Economic Crime Unit was the control of legitimate bank accounts the organised crime unit, ran by Olumuyiwa Ogunduyile, had access to. The investigation uncovered at least 100 mule accounts, harvested by ‘mule herders’ who convinced people to sell their details and accounts to the group. 

When these criminals have the technical understanding to hack into legal and business email accounts and they have use social engineering tactics to successfully imitate a firm, it becomes almost impossible to differentiate between fraudster and law firm. 

Criminals research law firms, even contacting the firm in order to ascertain the tone and language they use; even asking for quotes in order to gain access to a law firm’s footer so they can create identical message templates to increase the legitimacy of their deception. Law firms need to become adept at finding ways to prevent their digital presence from being breached or promote the issues so they can be quickly identified. 

Case Study 2 – Law Firms Remain Vulnerable and Consumers Suffer  

The Guardian recently published a story on Sally Flood, who has fought hard for over a year to recoup two thirds of her losses suffered from an authorised push payment scam. 

After suffering the loss of her father in 2018, Ms Flood attempted to invest the £95,000 inheritance she received by buying a property intended for her children.  

Ms Flood and her conveyancer were in regular contact throughout the conveyancing stage of the home buying and selling process. 

Unfortunately, unbeknownst to her, the conveyancing department’s emails had been hacked and intercepted. Sally continued to communicate via email and was asked to transfer half of the money by the fraudsters.  

£50,000 was transferred and Ms Flood sent an email asking for receipt of the funds, which the fraudsters duly sent. The following day, the remaining £47,500 was sent to a second Lloyds account. At this point, communication ceased on the fraudsters side, they withdrew the majority of the money and left with their reward. 

The bank was able to freeze the account when they realised what had happened and returned the remaining funds, £4,470, to Ms Flood. However, they were unwilling to repay the money she lost in the transaction. 

Because the conveyancing firm was responsible for failing to adequately secure its digital communications, they paid £57,000 to Ms Flood but she is still to reclaim around £35,000 and has struggled to reclaim anything for over a year. 

In addition to the reputational damage a law firm will suffer following a fraud of this nature, the financial implications through reimbursing clients and subsequent increased PII premiums could leave a firm struggling. 

On top of that is the human cost. Frauds are now very convincing, and many consumers will be tricked by criminal email communications. 

If law firms are unable to provide additional consumer education on cyber threats, myriad buyers will end the process heartbroken, without their home and their funds. 

Despite the voluntary code set up by the majority of high street banks to return money, up to £1 million, to victims of push payment scams, less than a fifth (19 per cent) of funds are returned, according to the UK Finance report.      

In order to ensure your firm’s reputation and financial security is protected you should: 

  • Educate all employees in the business. A robust cyber security culture embraced from the top down is an absolute must; 
  • Educate consumers by reminding them that you will never ask to change bank details and highlight some of the tell-tale signs; 
  • Don't leave it to chance. Adopt a risk assessed approach and ensure your checks reflect the levels of risk involved.


Lawyer Checker clients have access to a range of fraud mitigation tools, including our popular law firm to law firm bank account verification service, our law firm to client bank account verification service and remote client ID tool. 

To find out more about how we can help you continue to mitigate the risks of funds transfer fraud please contact Tom Lyes ( on 0800 133 7127