Defending against conveyancing fraud in 2026

Conveyancing fraud — particularly payment-redirection attacks against completion funds — remains one of the largest financial loss categories for UK law firms. The patterns separating firms that get hit from firms that don't are now well understood.

How the attack actually works in 2026

The dominant pattern is no longer a crude spoofed email. It is account takeover — usually of one party in the transaction chain (often the buyer or the estate agent) — followed by mailbox rule manipulation and a carefully timed message that diverts the completion funds at the last possible moment.

Attackers sit in the compromised mailbox for days or weeks, reading genuine correspondence so the fraudulent message arrives in the right tone, on the right thread, at the right time. By the time anyone notices, the funds have been moved through several mule accounts.

The technical controls that actually move the needle

No single control prevents conveyancing fraud. A layered approach addresses each stage of the attack chain.

  • Enforce phishing-resistant MFA (FIDO2 / passkeys) for every fee earner and partner — not SMS or push.
  • Configure conditional access to block legacy authentication and require compliant devices.
  • Enable Microsoft 365 mailbox auditing and alert on new inbox rules, forwarding rules and OAuth grants.
  • Apply strict DMARC (p=reject), SPF and DKIM on every domain the firm sends from.
  • Deploy a sandboxing email gateway with safe-links rewriting and impersonation detection.
  • Lock down OAuth third-party app consent — require admin approval.
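As an added example (not code from the original article), the alerting on new inbox rules, forwarding rules and OAuth grants listed above could be triaged like this. The audit records are constructed and simplified from the Microsoft 365 audit export shape; the severity tiers and the `lawfirm.example` domain are assumptions.

```python
import json

# Exchange cmdlet parameters that copy mail out of a mailbox, or hide it from its owner.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FIRM_DOMAINS = {"lawfirm.example"}  # assumption: domains the firm itself controls

# Constructed sample records (one JSON object per line), simplified from an audit export.
SAMPLE_LOG = """\
{"UserId": "a.khan@lawfirm.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "ForwardTo", "Value": "copy@mail.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "j.lee@lawfirm.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "SubjectOrBodyContainsWords", "Value": "completion;bank details"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}
{"UserId": "p.roy@lawfirm.example", "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@lawfirm.example"}]}
{"UserId": "j.lee@lawfirm.example", "Operation": "Consent to application.", "Parameters": []}
{"UserId": "a.khan@lawfirm.example", "Operation": "MailItemsAccessed", "Parameters": []}
{"UserId": "p.roy@lawfirm.example", "Operation": "Set-Mailbox", "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]}
"""

def triage(record):
    """Return (severity, reason) or None; the severity tiers are this example's assumption."""
    op = record.get("Operation", "").rstrip(".")
    if op == "Consent to application":
        return ("high", "OAuth grant")
    if op not in RULE_OPS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    # Forwarding values may be ';'-separated and carry an 'smtp:' prefix.
    targets = [t.strip().lower().rsplit(":", 1)[-1]
               for k, v in params.items() if k in FORWARD_PARAMS
               for t in v.split(";") if t.strip()]
    external = [t for t in targets if t.rsplit("@", 1)[-1] not in FIRM_DOMAINS]
    if external:
        return ("high", "forwards outside the firm: " + ", ".join(external))
    if targets:
        return ("medium", "forwards inside the firm: " + ", ".join(targets))
    hidden = sorted(k for k in HIDE_PARAMS if params.get(k, "False") not in ("", "False"))
    if hidden:
        return ("medium", "rule hides mail: " + ", ".join(hidden))
    return None if op == "Set-Mailbox" else ("low", "inbox rule created or changed")

def alerts(log_text):
    """Triage a JSON-lines export; return (user, severity, reason) tuples."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [(r["UserId"], *v) for r in records if (v := triage(r))]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Every inbox-rule change still produces an alert; the tiers only order the queue so that external forwarding and new OAuth grants are reviewed first.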

Process controls that stop the loss

Technical controls reduce the probability. Process controls reduce the impact when prevention fails.

  • Issue bank details once, in writing, at the start of the matter — and never change them by email.
  • Verify any change to payment instructions by a callback to a previously known number, not one in the email.
  • Use the Law Society's recommended wording in client-care letters.
  • Do not send bank details as an attachment to a routine email thread: that is the exact pattern attackers imitate.
  • Do not rely on a single fee earner to spot a sophisticated thread-hijack.

Partner and client awareness

The compromised mailbox is rarely the firm's own; it is usually the buyer, the seller or the agent. That means client and partner awareness is part of the firm's defence, not just internal training. A simple, plain-English warning on every client-care letter and a brief verification call before completion materially reduce the loss rate.

Key takeaways
  • Modern conveyancing fraud is account takeover plus thread hijack, not crude email spoofing.
  • Phishing-resistant MFA and mailbox-rule alerting are now baseline controls.
  • Process controls (callback verification, fixed bank details) stop the loss when prevention fails.
  • Client and partner awareness is part of the firm's defence — the compromised mailbox is rarely your own.