Property industry professionals have become key targets of cyber-attacks due to the extensive amount of sensitive information they hold on buyers and sellers and their transactions, and sadly solicitor and estate agent practices are no exception. As the property process becomes increasingly digitalised through online communication and use of third-party apps to streamline the process, solicitors and estate agents must ensure they are well-equipped to handle any potential cyber threats.

What Is a Cyber Attack?

A cyber-attack refers to unauthorised access, manipulation, or destruction of personal data through computer systems. It can include hacking, phishing, or malware attacks. Cybercriminals often target organisations that hold sensitive information, such as financial details, passwords, email addresses, or names which they can use to commit further crimes such as credit card fraud.

Why Are Property Industry Professionals a Target for Cyber Attacks?

Handling Sensitive Data

Solicitors and estate agents hold vast amounts of sensitive data, such as property ownership details, financial information, personal addresses and contact information, and live transaction correspondence. This makes them a prime target for cybercriminals looking to steal sensitive information for financial gain.

Some stolen data is sold on online marketplaces where other criminals can use it to log into bank accounts and online shopping accounts for instance. One of the world’s biggest criminal marketplaces “Genesis Market”, which sold stolen personal data for less than $1 to fraudsters, was recently shut down by police.

Phishing Scams

“Phishing” is where a criminal poses as someone from a reputable company to trick recipients into giving sensitive information such as passwords or financial details or downloading malicious software. Since conveyancers, estate agents and mortgage brokers communicate frequently via email with each other and their clients, they are particularly vulnerable to being targeted and becoming victims of phishing scams.

Push Payment Fraud

Conveyancing transactions are often targets for authorised push payment scams, where victims are tricked into authorising the transfer of money from their bank account to the fraudsters in the belief that they are paying funds to their solicitor or estate agent. This begins with the criminal gaining access to an email account (often through a phishing attack) and identifying correspondence relating to a live property transaction. They will monitor the genuine communications between parties, waiting for an appropriate time to insert themselves into the conversation posing as one of the parties and asking for funds to be transferred to an account of their own.

Third-Party Service Platforms

Using third-party service providers can increase the risk of exposure to cyber-attacks, so it is important for property professionals to be careful about which platforms they choose and to complete sufficient due diligence checks to ensure third parties are reliable and safe to use. For instance, many solicitors and estate agents will use services such as DocuSign, which allows people to electronically sign documents. In 2017, DocuSign became a victim of malware phishing attacks that targeted the email addresses of more than 100 million of its customers.

Steps to Take if a Cyber Attack Happens

The Information Commissioner’s Office (ICO) is the UK’s data protection and privacy regulator. They have provided detailed guidelines on how businesses should respond to a cyber-attack to ensure that all personal data is protected and to help improve their security measures.

Step 1: Identify the Attack

The first step in responding to a cyber-attack is to identify the type of attack whether it is a phishing scam, ransomware or malware attack. Find out how the scammer has breached the system, perhaps it was through a staff member clicking on a malicious link and identify what information has been accessed if any.

Step 2: Contain the Attack

Containing the attack involves isolating any affected systems, removing infected devices from the network, disabling remote access, installing security updates, changing passwords, and maintaining the firewall. These methods will help stop the attack from spreading and hopefully prevent further damage.

Step 3: Assess the Damage

After containing the attack, it is important to risk assess the damage caused by the attack. This could include identifying any data loss, determining the extent of the damage to systems and infrastructure, and weighing the potential impact of the attack on the business and its clients. If the attacker has accessed bank information, this would be deemed as high risk as this could result in financial loss.

Step 4: Report

If there has been a data breach in which personal information has been accessed, the ICO must be notified. The ICO considers a personal data breach to be “the accidental or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Personal data breaches must be reported to the ICO within 72 hours. When a personal data breach has occurred, Article 33(5) of the General Data Protection Regulation (GDPR) requires the facts of the breach, its effects, and the remedial action taken to be documented.

The next step will be to notify any affected people about the breach and inform them of how they may be affected and what they can do. For instance, if the scammer has stolen email addresses, you could advise people to change their passwords or be wary of any suspicious emails that could be phishing scams.

How to Prevent Future Cyber Attacks

The ICO recommends that businesses such as solicitors and estate agents have plans in place to deal with cyber-attacks such as having a designated person or team responsible for managing the response and regularly backing up data. The National Cyber Security Centre (NCSC) also recommends that organisations update their software and provide regular training to staff on identifying and avoiding potential cyber threats and phishing scams. It is important that staff are aware of signs that an email may be malicious and to double check when receiving emails requesting sensitive information and to verify that they are legitimate.  

BWH Solicitors is the leading residential property law firm in Leicestershire and is ranked in the top ten real estate firms in the East Midlands by the Legal 500 guide. We pride ourselves on giving our clients a seamless and efficient end-to-end conveyancing service and adhere to high-quality industry standards. We work with many estate agents and financial advisors as their preferred conveyancing partner. Due to our proactive approach to progressing our clients’ property transactions, we are constantly being referred time and time again. 

Whether you are a property professional, seller, or buyer, we can help with your residential conveyancing queries. To request a personal conveyancing quotation, or to discuss setting up a professional referral relationship with your business, please call us on +44 (0)116 289 7000 or send us an email at

Published by

Categorised in: ,