Thursday, 3 November 2016

Does a Friday Fraud start with a Spoof Sale Memorandum ?

Conveyancing fraud is on the rise and the consequences for victims are devastating and often life-changing. It is a major concern for law firms and PI Insurers alike.  

New figures show that the rewards for the gangs are potentially huge, with each successful scam worth on average more than £112,000. It is believed that fraudsters are currently carrying out two successful conveyancing frauds a week, earning them in the region of £225,000 a week.

The criminals hack into the email chains between sellers and buyers and their solicitors and estate agents. The fraudsters then send an email – usually on the day of sale completion – informing the parties that bank account details have changed at the last minute and that money should be deposited in a different account.

Lexsure have some interesting thoughts on how some criminal gangs may be starting the ‘phishing’ process and accessing email accounts in order to ultimately commit their crime.

Conveyancing lawyers frequently receive a sales memorandum by email. I would anticipate that the vast majority of conveyancing transactions include the receipt of sales memorandum and then follow up with a contract package all sent as email attachments.

Lexsure have reason to believe that firms are being sent what appears to be legitimate emails attaching a contract package or other ‘early stage’ documents such as a sales memorandum.

The emails that I have seen show the logo and name of legitimate law firm. They are very convincing. The wording for one email is as follows:

[subject line: Sales Memorandum]

Dear Sirs,
We refer to the above and following receipt of the sales memorandum we now enclose our contract documentation for your attention and approval.
I look forward to hearing from you with any enquiries as soon as you are able so we may proceed further in this matter.
If you have any queries then please do not hesitate to contact me further on the details below.
Kind Regards.

One clue that this is a ‘spoof email’  is the fact that the email is sent from a Gmail account. The reason for this is that the email is less likely to be caught by the recipient’s spam filters. Lexsure have been in touch with Google to inform them of the ‘phishing emails’ that we have seen.

Note the filename suffix of the attachment is .pdf.htm. HTML attachments are rare, and no legitimate attachment has a .pdf.htm suffix.  The file, when downloaded and run from the desktop will be executed by the web browser (typically Internet Explorer or Chrome).  It impersonates a password-protected PDF file  like so:

  1. The web page first pops up a dialog box :
2) And then displays the fake document, designed to create the illusion of a password-protected PDF document.

The user is prompted to enter their email address and a password.  If they click “View Document” the user’s credentials are shipped to the attacker’s server (in this case, at an ISP in Kentucky).

Now that the attacker has the user’s credentials, they may wreak havoc.

Lessons to be learnt :

  • Be extremely cautious about opening what appear to be standard documents in the conveyancing process. Examples may be Sales Memorandums, Contract packages, Redemption Statements etc. If unsure phone the sender and make further enquiries.
  • Be sure that the sender's email comes from a known recognised domain rather than a public email provider such as Gmail, AOL, Yahoo etc .
  • Do not input your email address and password in order to open up an attachment.
  • COMPLETIONmonitor users who have concerns about the legitimacy of an email may forward it to the support team at to conduct a safety check.

No comments:

Post a Comment