
They don’t hack in… they log in: Why cyber risk may still be under-estimated in conveyancing

This month, Conveyancing Association director of delivery Beth Rudolf explains why cybercrime leaves every firm exposed and says it’s a risk every member of the team must take seriously.

 

It is always tempting to think cyber-crime and attempts at fraud sit somewhere outside the day-to-day reality of conveyancing, handled by IT teams, insurers or systems sitting quietly in the background. But a session delivered by Francis West, CEO of Security Everywhere, at our recent Conveyancing Association member meeting brought that assumption into sharp focus and made clear the real risk sits much closer to home, with people, processes and small gaps in behaviour often providing the easiest route in.

Francis opened with a line that seemed to land with everyone in the room: “They don’t hack in… they log in.” That point alone reframes how we should all be thinking about cyber security, because it is far less about dramatic breaches and far more about access being handed over, often without anyone realising.

For a sector that routinely handles large sums of client money and highly sensitive personal data, that should be a concern for every firm owner, but just as importantly for every member of staff who is dealing with emails, documents, mobile devices and client interactions on a daily basis.

The scale and speed of the threat

The scale of the issue is not theoretical either. According to Report Fraud (previously Action Fraud), £11.7 million was lost to conveyancing fraud in the year to March 2025. While that figure is significant in itself, the more sobering point Francis made is how quickly a single e-mail or compromised log-in can lead to that loss, often without any obvious warning signs beforehand.

What came through strongly in the session was that the most common threats are not complex or technical in nature, but familiar and, in many cases, preventable. E-mail attacks remain the primary route in, with one fake message potentially leading to a diverted deposit, while domain spoofing allows criminals to impersonate firms convincingly enough to trick both clients and colleagues.

Alongside this sits the growing trade in stolen ID documents, which are bought and sold online and then used to support fraudulent transactions, as well as ransomware attacks which can bring an entire firm to a halt, stopping completions and putting both money and reputation at risk.

The myths that leave firms exposed

Perhaps the most striking part of the session was the focus on the myths that still persist within the sector, including the belief that being a smaller firm reduces the risk, that cloud systems provide full protection, or that having cyber insurance in place somehow removes the exposure.

In reality, as Francis pointed out, these assumptions can create a false sense of security, and in some cases make firms more vulnerable because the basics are overlooked. The idea that ‘we are covered’ is often the very thing that stops firms from asking the harder questions about where their real weaknesses sit.

Simple behaviour changes that make a difference

This is where the session became particularly useful because it did not just highlight the risks, but also set out practical steps that both firms and individuals can take immediately.

Some of these are simple behavioural changes which, if adopted consistently, would close off a significant number of entry points. For example, turning off mobile phone notifications for messages may seem minor, but if a device is compromised, visible one-time passcodes in notifications can allow immediate access to accounts.

Password management was another area where Francis challenged common practice, particularly the tendency to create variations on familiar words, which can now be broken quickly using automated tools, especially as AI increases the speed at which passwords can be tested. His advice was clear: do not create your own passwords, use a password manager and let it do the work.

There was also a useful reality check on tools that are often assumed to provide protection, such as VPNs, which do not remove the risks linked to unsecured networks, meaning using a personal hotspot is often a safer option when working remotely.

The role of mobile and personal behaviour

What stood out here is that these are not expensive fixes or major system changes, but small adjustments in behaviour which, when applied consistently across a firm, can reduce risk.

At the same time, Francis made it clear that firms need to think beyond the office environment, particularly when it comes to mobile devices and personal behaviour, because the lines between work and home are increasingly blurred. One suggestion which resonated strongly was agreeing a simple family verification method, such as a shared password, to confirm identity if a message appears suspicious, recognising that social engineering does not stop at the workplace.

Preparing for when something goes wrong

There was also a clear warning around ransomware, where the instinct to pay in order to regain access can actually increase future risk, as firms that pay can be identified and targeted again, which underlines the need for preparation and clear response plans rather than reactive decisions under pressure.

That preparation point is worth dwelling on, because one of the most practical suggestions from the session was also one of the simplest: having clear, printed instructions on what to do if someone clicks on a malicious link, placed somewhere visible and accessible so staff can act quickly without having to search for guidance.

It is easy to overlook how important that is, but in the moment where an incident occurs, speed and clarity of response can make a real difference to the outcome.

A shared responsibility across the firm

For firm owners, the message is that cyber security cannot sit solely with IT or compliance; it has to be embedded across the business, with clear expectations, simple processes and regular reinforcement.

For staff, the takeaway is that they are not just part of the system; they are often the first line of defence. Their actions, whether that is spotting a suspicious e-mail or following the right steps after clicking a link, can directly prevent loss.

What this session ultimately highlighted is that conveyancing will continue to be a target because of the nature of the work and the money involved, but that does not mean firms are powerless.

The focus needs to shift from assuming protection is in place to understanding where the real risks sit and addressing them in a practical, consistent way.

 

About the author

Beth Rudolf

Beth Rudolf is director of delivery at The Conveyancing Association. After starting working life as an estate agent, she became a licensed conveyancer and now works with the Conveyancing Association to improve the home-moving process for the consumer.
