Strategy · 5 May 2026 · 8 min read

Completion fraud and conveyancing: the email attack that keeps working

Friday-afternoon completion fraud has cost UK conveyancers millions. The attack hasn't changed in years. The defences haven't been adopted widely enough either.

The script is depressingly stable. A conveyancer's mailbox is compromised, the attacker watches the matter progress, and on the afternoon of completion an email goes to the client with updated bank details. The money goes to the attacker. Recovery is rare. The firm spends the next eighteen months in a regulatory and insurance conversation that nobody wants.

It's not a new attack. It's been the dominant fraud against the conveyancing market for the best part of a decade. The reason it keeps working is not that the attack is sophisticated. It's that the defences are uneven, the volume of conveyancing is high, and a single missed deflection produces a profitable result for the attacker.

Why Friday afternoons

Completions cluster on Fridays. Removal vans are booked, agents are pushing, lenders want to clear funds before the weekend. Decisions get made quickly, and verification gets compressed. A fraudulent message timed to land at 14:30 on a Friday lands in a different mental state than the same message on a Tuesday morning.

Attackers know this. The peak window for completion fraud attempts is the few hours before lenders' end-of-day cutoffs on Fridays.

How the compromise itself happens

Almost always a credential phish on a fee-earner or assistant mailbox. The message looks like a Microsoft 365 sign-in prompt for a shared document. The link goes to a phishing page that captures username, password and MFA token. Without phishing-resistant MFA, even MFA-protected accounts can be taken.

Once in, the attacker creates a small inbox rule to hide their activity (often moving the genuine reply to RSS Feeds or to a sub-folder of Deleted Items), and then waits. They're looking for a matter approaching completion, with bank details about to be sent.

When the moment arrives, they either send a 'corrected' bank details email directly to the client from the compromised mailbox, or they spoof the firm's domain. Either way, the client sees a message that looks legitimate.

The defences that work

MFA via conditional access, with phishing-resistant methods for conveyancers in particular. Authenticator with number matching is the minimum. FIDO2 security keys are better for partners and senior conveyancers.

Impersonation protection enabled rather than left in audit mode. It's not enough to have the licence; the policy has to be actively blocking suspicious external messages that are made to look internal.

DMARC enforced, not 'p=none'. This is the control that stops attackers spoofing your domain to your own clients. Setting it up properly takes a few weeks of careful work, particularly if your firm uses multiple email-sending services (case management, e-signature, marketing). It's worth every hour.
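A quick way to check whether a published DMARC record is actually enforcing, as an added example that is not part of the original article. It evaluates a record string you paste in (no DNS lookup); the sample records and the example.com addresses are constructed.

```python
# Added example: assess a DMARC TXT record string for real enforcement.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (enforced, findings) for one record."""
    tags = parse_dmarc(record)
    # The version tag must come first, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return False, ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()   # sp falls back to p when absent
    pct = tags.get("pct", "100")           # pct defaults to 100
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    elif sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    enforced = not findings
    # Missing reports do not weaken enforcement, but leave you blind to senders.
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports on who sends as your domain")
    return enforced, findings

SAMPLE_RECORDS = [  # constructed examples
    "v=DMARC1; p=none; rua=mailto:reports@example.com",
    "v=DMARC1; p=reject; pct=25; rua=mailto:reports@example.com",
    "v=DMARC1; p=quarantine; sp=none; rua=mailto:reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:reports@example.com",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ok, notes = assess_dmarc(rec)
        print("ENFORCED" if ok else "NOT ENFORCED", "|", rec)
        for note in notes:
            print("   -", note)
```
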

A hard-coded rule that bank details are never changed by email. Confirmed by phone using a number the client already had before the matter started, not a number provided in the email. This rule should be in every engagement letter, every email signature, and every client call at instruction.

What the SRA expects

The SRA Standards and Regulations include explicit expectations around competent use of technology, protection of client confidentiality, and management of risks. The various Warning Notices on cybercrime, particularly the one on fraudulent emails, are increasingly cited in investigations.

Firms that have suffered completion fraud and can't show they had reasonable controls in place face significantly worse outcomes than firms that had the controls and still got unlucky. The SRA's tone has shifted noticeably towards expecting evidence of the basics.

What insurers want

PII renewals for conveyancing firms now ask explicit questions about MFA coverage, email security, payment verification processes and incident response. Vague answers produce premium increases. Specific evidence produces stable renewals.

Some insurers will refuse cover for firms that can't demonstrate the basics. The market for conveyancing PII has tightened to the point where this is no longer hypothetical.

When it does go wrong

The first hours matter most. Isolate the compromised mailbox, revoke session tokens, reset credentials and MFA, audit inbox rules, and identify everyone who received messages during the dwell period. Then start the difficult conversations with clients, with insurers, and with the SRA.
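For the inbox-rule audit step, and the hiding rules described earlier (mail moved to RSS Feeds or to a sub-folder of Deleted Items), a triage sketch as an added example that is not part of the original article. It assumes the rules have already been exported to a list of records; the field names (mailbox, name, move_to_folder, delete_message, mark_as_read) and the sample data are hypothetical and constructed.

```python
# Added example: flag exported inbox rules that hide mail from the mailbox owner.
HIDING_FOLDERS = ("rss feeds",)        # folders users rarely open
HIDING_PARENTS = ("deleted items",)    # any sub-folder beneath these

def folder_reason(path):
    """Return why a move target looks like a hiding place, or None."""
    parts = [p.strip().lower()
             for p in (path or "").replace("\\", "/").split("/") if p.strip()]
    if not parts:
        return None
    if parts[-1] in HIDING_FOLDERS:
        return f"moves mail to '{path}'"
    if any(p in HIDING_PARENTS for p in parts[:-1]):
        return f"moves mail to a sub-folder of Deleted Items ('{path}')"
    return None

def triage_rules(rules):
    """Return [(mailbox, rule_name, [reasons])] for rules needing a human look."""
    flagged = []
    for rule in rules:
        reasons = []
        reason = folder_reason(rule.get("move_to_folder"))
        if reason:
            reasons.append(reason)
        if rule.get("delete_message"):
            reasons.append("deletes matching mail")
        # Mark-as-read alone is normal; combined with hiding it suppresses
        # the unread count that might otherwise tip the user off.
        if reasons and rule.get("mark_as_read"):
            reasons.append("also marks it read, so no unread count appears")
        if reasons:
            flagged.append((rule["mailbox"], rule["name"], reasons))
    return flagged

SAMPLE_RULES = [  # constructed export; field names are hypothetical
    {"mailbox": "feeearner@example.com", "name": ".",
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"mailbox": "assistant@example.com", "name": "Land Registry",
     "move_to_folder": "Inbox/Land Registry"},
    {"mailbox": "assistant@example.com", "name": "archive",
     "move_to_folder": "Deleted Items/Archive"},
    {"mailbox": "partner@example.com", "name": "Newsletters",
     "move_to_folder": "Inbox/Newsletters", "mark_as_read": True},
]

if __name__ == "__main__":
    for mailbox, name, reasons in triage_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}': " + "; ".join(reasons))
```

Run it across every mailbox in the firm, not only the one known to be compromised, since the same phish may have caught more than one user.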

An incident response retainer with a partner who knows the legal sector is cheap relative to the cost of working it out on the day. The firms that come out of these incidents best have usually had the conversation about who they'd call before they needed to call them.

What good looks like

A conveyancing practice where MFA is phishing-resistant, DMARC is at enforcement, the impersonation policy is doing its work, clients know that bank details don't change by email, and every fee-earner has been trained on the patterns the attackers actually use.

Attacks still come. They don't land. The boring controls do the work, and the Friday afternoon is exactly as quiet as it should be.

Talking to clients about how this works

An underrated control is client education. Clients who understand that bank details never change by email, who know to phone a number they wrote down at instruction, and who have been told this often enough to remember it under pressure, are dramatically harder to defraud.

Build it into the engagement letter, the welcome pack, the email signature and the completion checklist. Repetition is the point. The client only has to remember once, on the day, and the repetition is what makes that recall reliable.
