The rising scam: a hacked solicitor email diverts conveyancing funds; the PII Limit Part 2 social engineering carve-back; the cyber policy crime cover; the bank’s APP fraud Mandatory Reimbursement obligation. A four-way puzzle.
A two-partner conveyancing firm in the South-East is acting for the buyer in a £640,000 freehold purchase. Completion is scheduled for 21 March. On 18 March the firm’s senior partner replies to a phishing email purporting to be from Microsoft. She enters her M365 credentials into a clone login page. Multi-factor authentication is not enforced on her account because she travels regularly and the firm allows “trusted device” sign-in.
The attacker quietly accesses the partner’s inbox. Over the next three days the attacker reads correspondence with the buyer, the seller’s solicitor, the lender and the estate agent. The attacker identifies that the buyer is wiring £640,000 to the firm’s client account on the morning of completion, and that the firm typically emails the client a final completion statement with bank details two days before.
On the morning of 19 March the attacker, using the partner’s compromised account and reply-rules to hide their activity, sends the buyer a corrected completion statement: “we have updated our client account details, please use the bank details below” with a different sort code and account number controlled by a money mule. The fraudulent statement uses the firm’s letterhead PDF, the partner’s signature block, and is sent from the partner’s own email. The buyer, unsuspecting, wires £640,000 to the fraudulent account.
The firm and the buyer discover the fraud on completion day when the seller’s solicitor calls to ask where the money is. The funds have already been onward-transferred and only £42,000 is recoverable from the receiving bank.
The buyer demands the £598,000 from the firm. The firm has cyber insurance with a social engineering sub-limit; a PI policy with an SRA MTC form; commercial crime cover (a separate policy); and the bank has obligations under the APP Fraud Mandatory Reimbursement Scheme.
Who pays?
The buyer’s loss is the £598,000 unrecoverable funds plus any consequential costs (rate-lock fee, accommodation, removal). The buyer’s recovery rights span several pillars.
Against the solicitor — breach of duty. The buyer was not a client of the solicitor (the solicitor acted for the buyer in the conveyancing). The duty owed by the solicitor in respect of client funds and instructions is established in AIB Group (UK) Plc v Mark Redler & Co Solicitors [2014] UKSC 58 and in the line of authority on solicitors’ undertakings. The duty to maintain secure communication infrastructure has been the subject of recent professional negligence litigation including Dreamvar (UK) Ltd v Mishcon de Reya [2018] EWCA Civ 1082 and the line of authority on breach of undertaking and breach of trust where solicitors have paid away funds on fraudulent instructions.
Against the bank — APP fraud refund. Under the UK’s Mandatory Reimbursement Scheme for authorised push payment fraud (which became fully operational under PSR guidance in October 2024), where a consumer is tricked into authorising a payment to a fraudster, the sending bank (and the receiving bank) bear joint liability for reimbursement up to £415,000 per claim. Consumer Standard of Caution applies. The scheme covers domestic faster payments and CHAPS where applicable.
Against the attacker — recovery in tort and crime. Theoretically available, practically rare to recover funds beyond the initial trace.
Against the firm’s SRA Compensation Fund. Where a client has lost money due to a default by a solicitor acting in the firm’s practice, the Compensation Fund may pay subject to its rules. Not directly applicable to a non-client buyer in this scenario but worth flagging.
The firm’s cyber policy carries a £2m limit with a £250,000 sub-limit for social engineering fraud / funds transfer fraud.
The cyber policy may respond in three ways.
First-party incident response. The forensic investigation of the compromised mailbox, the legal advice on UK GDPR notification (because the attacker had access to personal data), and the system clean-up. Cyber pays — typically £40k–£80k of cost for this scale of incident.
Social engineering / funds transfer fraud. The cyber policy’s crime sub-limit responds to the insured’s direct loss where the insured has been tricked into transferring funds. In this scenario the insured firm was not tricked into transferring funds — the buyer was. This distinction matters. Many cyber social engineering wordings require the loss to be the insured’s own funds or funds in the insured’s control. The buyer’s funds, en route from the buyer’s account to the fraudster’s account, were never in the firm’s control. The wording question is whether the firm’s vicarious liability to the buyer for the buyer’s loss is itself covered as a third-party liability, or whether the social engineering head is restricted to first-party loss of the insured’s funds.
A well-drafted cyber policy will have a system intrusion liability head that responds to third-party loss where the third party transferred funds in reliance on a fraudulent instruction sent from the insured’s compromised system. Not all wordings do.
Third-party liability for the buyer’s claim. Even where social engineering is restricted to first-party, the cyber policy’s broader liability head may respond to the buyer’s claim if the buyer pleads it as flowing from the firm’s security failure. This is more cleanly the home of the PI policy, but cyber may sit alongside.
The firm’s PI policy is SRA Minimum Terms compliant with £3m primary cover.
The buyer’s claim against the firm is civil liability arising out of the conduct of the practice. The SRA MTC require the policy to respond. PI pays the £598,000 (subject to excess and within limit).
Two complications.
The PII Limit Part 2 social engineering carve-back. Some markets have responded to the rise in cyber-driven PI claims by introducing a sub-limit specifically for cyber-event-related claims under PI, often called a Part 2 limit. Where this clause appears, cyber-driven PI claims sit in a smaller sub-limit (often £250k or £500k) and the cyber policy fills the gap. The SRA’s clarification position in 2023 is that the MTC limit must be applied without reduction for cyber-related claims when the policy is in the form approved for solicitors. Non-MTC policies may carry the Part 2 carve-back.
The cyber exclusion. Some non-solicitor PI wordings exclude cyber-event-related claims altogether. The LMA5400 series and analogous clauses can carve out a claim of this character. For solicitors, SRA MTC overrides; for accountants, IT consultancies, surveyors and other professions, the exclusion may apply.
In this scenario the firm is SRA-regulated and the MTC apply. PI pays in full subject to the £25k excess.
The firm holds a separate commercial crime policy with a £1m limit. This responds to the insured’s loss from theft or fraud. The buyer’s loss is not the firm’s loss; the crime policy does not respond.
If, however, the firm had been required to top-up the buyer from its own funds (which it may have to before the PI policy responds, to maintain client relationships), the crime policy might pick up a portion. The standard wording is restrictive.
Under the Mandatory Reimbursement Scheme, the buyer is entitled to reimbursement by the sending bank for the £598,000 unrecoverable loss, subject to the £415,000 cap and to the Consumer Standard of Caution (which broadly asks: did the consumer take appropriate care?). Liability is shared 50/50 between sending and receiving bank.
The buyer in this scenario receives £415,000 from the bank under the APP scheme. The buyer is still £183,000 out of pocket, plus consequentials.
Tying it together with the recoveries flowing:
| Head | Amount | Initial payer |
|---|---|---|
| Buyer’s loss recoverable from receiving bank | £42,000 | receiving bank |
| Buyer’s loss under APP Mandatory Reimbursement | £415,000 | sending bank (then split 50/50 with receiving bank) |
| Buyer’s residual loss claimable from firm | £183,000 | firm’s PI policy |
| Firm’s incident response costs | £75,000 | cyber |
| Firm’s data breach notification (no live notifiable breach in this scenario) | nil | n/a |
| Firm’s regulatory defence (SRA) | £20,000 | PI defence head |
| Firm’s lost productivity / opportunity | £55,000 | uninsured |
| Total third-party loss | £640,000 | mixed |
| Total firm out-of-pocket | ~£100,000 | excess + uninsured tail |
The PI insurer will look to subrogate against the bank and the fraudster to the extent of the £183,000 it has paid. In practice the bank’s APP exposure and the PI exposure are negotiated to net out; the fraudster recovery is usually nil.
The firm also bears the productivity loss during the four-week response window: three weeks of partner time lost from billable work, some lost referrals because the buyer’s estate agent told other agents about the incident, and the professional and emotional cost.
Add to that the narrowing of the buyer’s relationship with the firm, and the firm’s future panel position with the lender should the lender take a view on the firm. None of this is insured.
There is also a residual gap if the buyer’s loss exceeded £415,000 plus what the firm’s PI was prepared to pay. For larger conveyancing transactions (say a £2m purchase) the bank’s APP cap leaves a substantial gap that the firm’s PI either fills or doesn’t depending on the wording.
The single most important practical point: there is no single answer to “who pays”. The answer is all four of them, in a co-ordinated waterfall. Without coordination the firm and the buyer end up in litigation about who should claim against whom first.
For brokers this is the value-add. We will typically pre-agree the waterfall with insurers and (where time permits) with the bank’s claims handler.
For any firm holding client funds and operating by email:
Enforce MFA on every account including those of senior partners. The “trusted device” exception is the single most common technical root cause of these incidents in our claims book.
Adopt a “we will never email you bank details” policy and communicate it to clients in your engagement letter, on your website, and on every email signature. Bank details are sent by separate channel (verified by phone call to a number on the firm’s website, not in the email).
Treat any change in payment instruction as a red flag triggering a verbal callback to a known number.
Increase the cyber crime / social engineering sub-limit. The market norm of £100k–£250k is below the residual loss in many conveyancing matters.
For SRA firms, confirm with your insurer that the MTC overrides any Part 2 carve-back in the wording.
For non-SRA firms, read the cyber exclusion in your PI policy and ensure your cyber policy includes system intrusion liability for third-party financial loss flowing from a compromise of your systems.
Have a designated cyber incident response number to call within the hour. The clock starts the moment the discrepancy is noticed.
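The controls above are preventive; the attacker in the scenario also hid the diverted correspondence behind mailbox reply-rules, which a periodic rule audit can surface. The following is an added example, not code from the original article or from any broker or insurer: it flags rules of that kind in a simplified Microsoft Graph messageRule shape (an assumption, with folder names and plain addresses standing in for Graph’s folder ids and recipient objects), run over constructed sample rules.

```python
# Added example (not from the original article): flag mailbox rules of the kind the
# scenario's attacker used to hide the diverted correspondence. Rule dicts follow a
# simplified Microsoft Graph messageRule shape (an assumption, see lead-in).
SUSPICIOUS_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                      "archive", "junk email", "conversation history"}
FINANCE_TERMS = {"bank", "account", "sort code", "completion", "payment",
                 "invoice", "transfer", "statement"}

def rule_findings(rule, internal_domain):
    """Return the reasons one inbox rule looks like hide-and-divert persistence."""
    actions, conds, findings = rule.get("actions", {}), rule.get("conditions", {}), []
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("deletes matching mail")
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in SUSPICIOUS_FOLDERS:
        findings.append(f"moves matching mail to '{folder}'")
    if actions.get("markAsRead"):
        findings.append("marks matching mail as read")
    for addr in actions.get("forwardTo", []) + actions.get("redirectTo", []):
        if not addr.lower().endswith("@" + internal_domain.lower()):
            findings.append(f"forwards to external address {addr}")
    keywords = [k.lower() for k in conds.get("subjectContains", [])
                + conds.get("bodyOrSubjectContains", [])]
    hits = sorted(t for t in FINANCE_TERMS if any(t in k for k in keywords))
    if findings and hits:
        findings.append("filters on finance terms: " + ", ".join(hits))
    if findings and not rule.get("displayName", "").strip(" ."):
        findings.append("rule has a blank or dot-only name")
    return findings

def audit_rules(rules, internal_domain):
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    return {r.get("displayName", ""): f for r in rules if (f := rule_findings(r, internal_domain))}

# Constructed sample: two attacker-style rules and one legitimate rule.
SAMPLE_RULES = [
    {"displayName": ".", "conditions": {"subjectContains": ["completion statement", "bank details"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True, "stopProcessingRules": True}},
    {"displayName": "..", "conditions": {"bodyOrSubjectContains": ["account", "transfer"]},
     "actions": {"forwardTo": ["archive.mailbox@example.net"], "delete": True}},
    {"displayName": "Newsletters", "conditions": {"fromAddresses": ["news@example-publisher.com"]},
     "actions": {"moveToFolder": "Newsletters"}},
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES, "example-firm.co.uk").items():
        print(f"rule {name!r}: " + "; ".join(findings))
```

In a live tenant the rule list would come from the mailbox’s rules export; the same checks apply to rules created through the web client as to those set via the API.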
Q1. Could the firm have sued the buyer for the balance of the conveyancing funds? No. The buyer paid the £640,000 on the firm’s apparent instruction; the buyer’s discharge is good against the firm (the firm bears the loss of the misdirected funds, not the buyer, unless the buyer is contributorily at fault under the Consumer Standard of Caution under APP rules).
Q2. What if the conveyance is between businesses rather than consumers? The APP Mandatory Reimbursement Scheme covers consumer payments, micro-enterprises and small charities. Business-to-business payments are outside the scheme. The buyer’s recovery against the bank may then be more limited and the firm’s PI is correspondingly more exposed.
Q3. Does it matter that the partner’s account had MFA “enabled but bypassed”? For the insurance question, yes. Many cyber policies impose conditions or warranties requiring MFA on all administrative accounts, all remote access and all privileged accounts. A “trusted device” exception may be a breach of those conditions. Disclose accurately at proposal.
Q4. What if the buyer’s bank refuses to reimburse under APP, claiming a Consumer Standard of Caution failure? The buyer can complain to the Financial Ombudsman Service. In the interim the buyer’s first port of call will likely be the firm. The firm’s PI then carries the loss subject to subrogation.
Q5. Is paying the buyer voluntarily before the insurer’s coverage decision a problem? Yes — most policies require the insurer’s consent for settlement. The exception is “small payments” within the policy’s settle-without-consent authority (often £25k–£100k). For larger sums, the firm must obtain consent or risk losing cover for that head.
Q6. Will the receiving bank’s failure to spot the suspicious account affect liability? Under the APP scheme the receiving bank is jointly liable. The receiving bank’s KYC failures may also create a separate cause of action by the buyer (in negligence or under the bank’s regulatory obligations), but this is rarely the buyer’s primary route of recovery.
Q7. Should the firm notify the SRA? Yes. SRA notification is required for any matter that may impact on the firm’s ability to provide services or its financial standing. A live fraud incident of this scale is notifiable. SRA Code of Conduct paragraph 7.7 covers material breach reporting.
Q8. Are deepfake voice calls covered the same way? Increasingly an issue. A fraudster impersonating a partner by voice (especially using a generative model) instructing a junior to transfer funds is functionally similar. Cyber social engineering cover often does respond. Read the wording — older policies may not.
Dreamvar (UK) Ltd v Mishcon de Reya [2018] EWCA Civ 1082.
AIB Group (UK) Plc v Mark Redler & Co Solicitors [2014] UKSC 58.
Payment Systems Regulator policy statement on the Mandatory Reimbursement Scheme for APP fraud.
Faster Payments Scheme reimbursement rules effective October 2024.
SRA Code of Conduct for Firms, paragraphs 7.7 and 7.8.
SRA Minimum Terms and Conditions.
SRA clarification on cyber-related claims under MTC (2023).
Insurance Act 2015, section 3.
LMA5400 cyber endorsement series (Lloyd’s Market Association).
Disclaimer: Insurance and legal commentary, not advice on your specific cover. Cyber and PI policy wordings vary materially across insurers — always read your specific policy or ask your broker. Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority, FRN 724952.