Scammers continue to find new ways to con people into handing over their cash, with some types of fraud, such as identity theft, recently hitting all-time highs.
On a daily basis, Guardian Money hears from people who have fallen victim to criminals and are desperate for our help. The sums involved can range from less than £100 to six figures, and, in some unfortunate cases, people have lost their life savings.
According to the banking trade body UK Finance, fraudsters stole more than £1.2bn from UK consumers in 2022 – equivalent to more than £2,300 every minute – which the organisation described as “a staggering figure”.
The cost of living crisis has made some financially squeezed individuals more susceptible to approaches by scammers, many of whom offer fake deals and discounts in an attempt to steal personal and financial information.
Below are just a couple of examples of people who have recently come to us for help. And here we highlight some of the scams doing the rounds and how to avoid them, and what you should do if you think you have been caught out.
‘I lost everything when buying a house’
When the completion date for Andrew White’s* house purchase was getting near, he received an email from his conveyancing firm advising him when and where to pay the deposit. He subsequently transferred the funds to the nominated bank account.
It was only when he emailed the company to confirm it had received the money that he discovered that the sum had not arrived.
A scammer had hacked into the email exchanges between him and his solicitor and, messaging from the same email address, had directed him to pay the funds into a bogus account. He lost £240,000.
White is one of a growing number of property buyers who have been scammed out of their deposits after an email hack.
Conveyancing fraud, also known as “Friday afternoon fraud”, has accelerated since the Covid pandemic, according to property insiders, as solicitors and clients increasingly liaise remotely.
Hackers tend to strike on a Friday afternoon because it means victims may not realise they have been scammed until the law firm reopens the following Monday.
They hack into the email account of either the conveyancing company or the client and intercept correspondence about a property purchase.
If it is the company’s account that has been compromised, the fake messages are often sent from the solicitor’s actual email address. If the client’s account has been targeted, the fraudster creates an email address almost identical to the solicitor’s and copies the headers and footers used in the genuine correspondence.
Posing as the solicitor, they then direct victims to pay their deposit into an account controlled by the scammer. Typically, by the time the fraud is discovered, the money has long since vanished.
Law firms routinely inform clients that bank account details will never be provided via email. However, these warnings are often tucked away in introductory packs received weeks before the completion day and in the footers of emails, where they are easily overlooked.
White, who has used the same solicitors’ firm for family business for many years, says he had no reason to suspect that anything was amiss, even though the company name on the bank account provided differed from the law firm’s. The emailed instructions bore the name and genuine email address of the solicitor handling his purchase.
White made nine payments over 10 days, since his bank, HSBC, would only allow him to transfer a maximum of £25,000 a day. He claims that the bank did not question the uncharacteristic transactions.
“I lost my entire retirement money through buying a house to be closer to my family,” White, an RAF veteran, says.
“The solicitors have refused to accept that their email systems have been compromised and insist that a short sentence at the base of their emails alluding to fraud is sufficient to negate any responsibility on their part.”
White was refunded after the Financial Ombudsman Service (FOS) decided that HSBC had not sufficiently questioned the multiple payments.
Under the industry’s contingent reimbursement model (CRM) code – a voluntary code outlining when defrauded customers should get back their cash – banks have promised to refund scam victims who have not been unduly negligent.
An HSBC spokesperson says: “Protecting customers from unscrupulous fraudsters is a priority for us. The customer has been reimbursed in full.”
Cyber-attacks make up 75% of reported crime in the UK, and law firms are a favoured target because they typically receive large payments and store sensitive information about clients. In a 2020 survey, the Solicitors Regulation Authority (SRA) said 30 of the 40 firms it had questioned reported that they had experienced at least one cyber-attack, resulting in a combined loss of £4m of client money. The remainder were aware of clients who had been targeted.
George and Lisa Frost* lost £308,000 when a fraudster posing as their solicitor instructed them to pay their house deposit to a compromised account. The fraudster, using an email address that differed by one letter from the genuine law firm’s, had intercepted email threads two weeks earlier and sent them phoney updates about the purchase, while intercepting genuine emails from the law firm. The money was transferred via a cashier at Clydesdale Bank just before the law firm shut for the Christmas holidays. By the time the scam was discovered, the money had disappeared.
Both the bank and the law firm refused to accept liability. A spokesperson for Clydesdale, part of Virgin Money, said: “The transaction was handled by an experienced bank teller and we are satisfied that the bank fulfilled all of its duties towards our customer. Mr [Frost] signed the Chaps form confirming the payee details were correct, as well as signing the fraud prevention warning to confirm he was happy to proceed with the transaction on the details he supplied.”
The couple were eventually reimbursed by their bank after the FOS ruled that it had not taken adequate steps to protect them.
According to Arun Chauhan, a fraud and financial compliance solicitor with the law firm Tenet, companies do not do enough to warn clients of scam risks.
“That does not mean a law firm will accept that they are liable to compensate,” he says. “Banks that are signed up to the CRM code are the first port of call because if they can’t show that the victim was unduly negligent, they would probably need to refund them. If the bank is not signed up to the CRM code, the only route is to bring a professional negligence claim against the conveyancing firm, which can cost thousands of pounds in costs and fees.”
Top tips to avoid becoming a victim of conveyancing fraud include:
Consumers should beware of messages purportedly from a conveyancing firm making unexpected changes to payment dates or details, or claiming to be from a new member of staff.
Only use bank details that are provided by your conveyancing firm on paper and in person. If you receive an email claiming the account details have changed, call the firm using the number on its website or visit to check it is genuine.
Watch out for ungrammatical English or oddly phrased wording in emails. This may be a sign that a message is bogus.
Make large transactions in a bank branch if possible, and be sure to check that the account name matches the law firm’s name and the name associated with the account number.
Set secure and differing passwords on your email accounts, and visit the website haveibeenpwned.com to check if yours has been exposed in a data breach.
‘I’m always wary of scams. I can’t believe this has happened to me’
A businesswoman has been left £4,900 out of pocket after being conned by scammers pretending to be from the Halifax bank. She says they even used “exactly the same” telephone hold music.
In July, Julie Hall* received a text message purporting to be from Halifax. It was among a thread of genuine messages and said her card had been used at an Ikea store and asked if she recognised the transaction. She said that she did not, and another text came asking her to contact the bank via the number given to discuss the matter.
She says she called the number “and it was answered in the exact same way Halifax answers”. Hall, from Eastbourne in East Sussex, says the man talked about her account, and also knew she had accounts with Barclays and Chase.
“He said my account had been compromised and I would need to move the money to a safe account so they could shut this one down and give me a new account number.”
The man first asked Hall to transfer £5,027 from her Chase account. She tried but Chase would not allow the payment. The man told her to transfer a lower amount, which she did.
She transferred a little over £5,300 from her Barclays business account into her Halifax account to move across to the “safe” account.
Hall says: “I used my internet banking to do this, with codes coming from the Halifax bank to my landline, all making me believe they were genuine. I then transferred £4,900 from the Halifax to the ‘safe’ account.” It turns out the money was in fact going to an account operated by a money transfer service.
The man then started to become annoyed with Hall. She became suspicious and ended the call.
She phoned Halifax and explained what had happened but says staff were not helpful. She then phoned Chase.
Hall says: “They were extremely helpful … and said they would try all they could to get the money back. Within a few days, I had all the money lost from Chase back in my account.”
Hall complained to Halifax but the bank told her it would not refund any of the money, though it gave her an “apology payment” of £80 to recognise some failings in the way her case had been handled. She says: “If Chase can do it [give her the funds back], I don’t see why Halifax can’t.”
Hall says the man on the phone sounded authentic and, when she asked him to confirm who he was, “he gave perfectly believable credentials”. She adds: “I’m always really wary of scams. I can’t believe this has happened to me … I just feel [Halifax] have a bit more responsibility to me as a long-term customer.” Hall says the family had been saving to go to New Zealand, and the money that was taken was part of that.
Halifax says that as this payment was made via “open banking”, as opposed to via the banks’ faster payment system, it is not covered by the CRM code.
A Halifax spokesperson said: “We have a great deal of sympathy for [Hall] as the victim of a scam. We carefully review the individual details of each case reported to us and then consider a number of factors, including whether the bank could have taken any additional steps to help prevent the scam taking place, and also if our customer took reasonable care when making payments.
“In this case, while the initial payment was not out of character, based on [Hall]’s previous account activity, our fraud detection systems immediately blocked the subsequent attempted payments, as the pattern of transactions became more unusual.”
* Names have been changed