The complaint

Miss C instructed the firm in relation to a house purchase. Miss C emailed the firm asking for their bank details to transfer the house deposit. In response, the firm attached a draft completion statement which contained their bank details.  

Miss C then received a second email, which appeared to come from the firm but had in fact been sent from hackers. This email asked her to transfer the deposit to a different account, which she did. 

The outcome

In this case it was Miss C who was hacked which meant we did not have to consider the strength of the law firm’s security systems. However, we looked at what steps they had taken to warn Miss C about the risks of cybercrime to determine whether their service was reasonable.  

The evidence showed that the law firm had: 

• Included their bank details in their client care letter, which Miss C signed;  
• Provided warnings stating that the bank details would not change and that Miss C should contact the firm immediately if she received an email asking for money to be sent to a different account. This warning was in the footer of all their emails in red font and in the draft completion statement underneath their bank details. 

As the firm provided Miss C with sufficient warnings about the risks of cybercrime, and even did so at the time when she was due to transfer the deposit to them, we concluded their service had been reasonable.