Conveyancing Fraud: How Estate Agents Can Protect Their Clients

Last year, homebuyers lost GBP 11.7 million to conveyancing fraud. Estate agents are in the middle of it.

Between April 2024 and March 2025, Action Fraud recorded 143 cases of conveyancing fraud in the UK. The average residential victim lost GBP 78,393. That is not a statistic. That is someone’s house deposit, gone in a single bank transfer.

The fraud is simple. Criminals intercept emails between buyers, solicitors, and estate agents. They wait until completion day, then send convincing instructions with fraudulent bank details. The buyer transfers their deposit to a criminal’s account. By the time anyone notices, the money has been moved offshore.

If your agency handles property transactions and client communications by email, your systems are part of the risk. Talk to us about securing your email before it costs your clients everything.

How “Friday afternoon fraud” works

It is called Friday afternoon fraud because most completions happen on Fridays. Buyers are stressed, solicitors are busy, and everyone is rushing to exchange before the weekend.

The attack follows a pattern:

1. Email compromise: Criminals gain access to an email account belonging to the buyer, the solicitor, or the estate agent. Sometimes through phishing, sometimes through stolen credentials, sometimes through weak passwords on shared logins.
2. Surveillance: They sit in the mailbox for weeks or months, reading every message, learning the transaction timeline, the names involved, and the expected payment amounts.
3. Interception: Just before completion, they send an email from the compromised account (or a near-identical spoofed address) with new bank details. The email matches the tone, formatting, and signature of previous legitimate messages.
4. Transfer: The buyer sends their deposit to the fraudulent account. The money is drained within hours.

The NCA reports that victims lose an average of GBP 82,000 per case. Lloyds Bank found that 45% of victims are aged 39 or under, many of them first-time buyers transferring their life savings.

Why estate agents are exposed

Estate agents sit at the centre of property transactions. You hold buyer and seller contact details, transaction timelines, solicitor information, and property values. That makes your systems a target.

The Negotiator reported that estate agencies are prime targets for cyber criminals because of shared credentials across property portals and CRM systems, password spreadsheets instead of secure storage, limited cybersecurity training for staff, and high volumes of sensitive client data.

A single compromised email account in your agency gives criminals everything they need to impersonate a solicitor and redirect a deposit.

The regulatory pressure is real

Estate agents are already the most fined sector for anti-money laundering (AML) breaches. HMRC issued 320 AML penalties to estate agencies in 2024/25 alone, a 204% increase over four years. Fines totalled GBP 835,842 in just six months (April to September 2025).

Over 90% of those penalties were for trading while unregistered for AML supervision. But the direction of travel is clear: regulators expect estate agents to have proper controls in place, and enforcement is accelerating.

From May 2025, all letting and estate agents must also carry out financial sanctions checks on every client. The compliance burden is growing, and IT security is increasingly part of it.

Five things estate agents can do now

You do not need to become a cybersecurity expert. But you do need basic controls that stop the most common attacks.

1. Enable MFA on every email account. If a criminal steals a password, MFA stops them getting in. This is the single most effective control against email compromise. Only 40% of UK businesses have this switched on (DSIT 2025).
2. Set up DMARC, SPF, and DKIM on your email domain. These protocols prevent criminals from sending emails that appear to come from your domain. The SRA reports that 68% of all cyber incidents reported to them are email modification frauds.
3. Eliminate shared logins. Every staff member should have their own credentials for email, property portals, CRM systems, and referencing platforms. Shared passwords mean that when one account is compromised, everything is compromised.
4. Warn clients explicitly. Tell every buyer at the start of the transaction: “We will never change bank details by email. If you receive an email asking you to send money to a different account, call us immediately on a number you already have.”
5. Run a credential exposure check. Find out whether your team’s email addresses and passwords are already circulating in breach databases. If they are, change them before someone uses them.

Protect your clients, protect your reputation

When a buyer loses their deposit to conveyancing fraud, they do not just blame the criminal. They blame everyone involved in the transaction. The solicitor, the bank, and the estate agent who introduced them.

A single incident can destroy the trust you have built with your local market. And with the City of London Police warning of a “surge” in payment diversion fraud, the risk is not theoretical.

43% of UK businesses reported a cyber attack last year (DSIT 2025). 85% of those attacks started with a phishing email. The controls that stop conveyancing fraud are the same ones that protect your business from every other common attack.