Law firms move large sums at predictable moments, and criminals know it. Completion monies, settlements and client-account transfers are all arranged by email. If your domain can be spoofed, a criminal can pose as your firm to clients and the other side at the exact moment money is due.

How Solicitors get targeted

Conveyancing "Friday afternoon" fraud

Just before completion, a buyer receives updated bank details that look like they came from your firm. The deposit or completion money goes to a criminal. It is the most common and most damaging fraud in the sector.

Client and counterparty impersonation

Fake emails in your name reach clients, estate agents and other solicitors, or fake client emails reach you. Either one breaks the chain of trust a transaction depends on.

SRA and client-account duty

You are accountable for client money and confidentiality. A compromise through email is a reportable matter and a regulatory risk, not only a financial one.

Silent inbox compromise

Criminals monitor a fee-earner mailbox for weeks, learning matter references and completion dates, then send one perfectly timed fake.

What this looks like in practice

A buyer received an email two days before completion, from what looked exactly like their solicitor, giving new client-account details "due to a bank change." They transferred £220,000. The firm had never sent it, but its domain had no DMARC enforcement, so the spoof was indistinguishable from the real thing. The money was gone.

Your quick checklist

  • DMARC set to reject on your firm domain
  • SPF listing your case management and email platforms
  • MFA on all mailboxes
  • Bank details issued once, in writing, with a clear "we will never change these by email" warning
  • Completion-money changes verified by phone to a known number
  • Awareness training for fee-earners and support staff

Questions we get asked

We warn clients we never change bank details by email. Is that enough?

It helps, but if your domain can be spoofed a criminal can send a convincing email that appears to override your warning. Locking down the domain removes the impersonation route entirely. Do both.

Our case management system has secure messaging. Do we still need this?

Secure portals are good, but plenty of client and counterparty contact still happens over ordinary email. If your domain is spoofable, that channel is exposed. The check looks at the domain itself.

Would the SRA expect us to have this?

The SRA expects firms to protect client money and data with appropriate measures. Email authentication is a recognised, low-cost control. If a conveyancing fraud happened and your domain had no protection, that gap would be hard to defend.

Run the free check above to see whether your firm domain can be impersonated, and get a plain-English list your IT team can action.