Law Society of Scotland

Invoice hijacking

What is invoice hijacking?

Invoice hijacking is the term given to the interception of legitimate invoices and other funds transfer requests and their replacement with an identical copy, except that it carries the bank details of a fraudster rather than those of your client account.

Why does this risk matter?

This fraud has increased significantly over the last 18 months or so, and several million pounds have been stolen from solicitors' clients in this period.

While there may not be a valid Professional Indemnity claim in the end, there is the possibility of one - particularly if your own email system is established as the one that was breached. In the majority of cases, even where the solicitor does not believe themselves to be at fault, they have still experienced a significant deterioration in client relations, and often a battle to receive payment that is legitimately due.

Most importantly, there are some things that you can do to reduce the risks - for you and for your client.

Things to avoid

DO NOT

  • include your firm's bank details in the body of an email
  • send invoices or other documents containing bank details as MS Word documents

Recommendations

FOR BEST SECURITY

  • use a secure client portal/data-room for clients to access relevant documents, including invoices
  • use secure, password-protected online payment
  • do not include your bank details in invoices; instead include them in your Engagement Letter (sent by registered post)
  • request that clients set up your account details via their online/telephone banking at the start of the transaction, and use these unless expressly changed
  • if likely to be transferring large sums, suggest an initial test payment of £5/£10 (less may trigger the bank blocking the transaction as a potential scam!)
  • make it very clear to clients what your procedures for changing bank details are, and advise clients to always check any such instruction by telephoning your office before instructing a payment
  • if using email to send invoices etc., use email encryption
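The two procedural points above (register the firm's account details out of band at the start of the matter, and treat any later change as something to verify by telephone) can be enforced mechanically on the paying side. The following is an added example, not code from the Law Society or Mitigo: it extracts the sort code and account number from an invoice, compares them with the details registered from the engagement letter, and holds payment on any mismatch or any "our bank details have changed" wording. The invoices, firm name and bank details are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BankDetails:
    sort_code: str  # six digits, separators stripped
    account: str    # eight digits


SORT_CODE_RE = re.compile(r"sort\s*code\s*[:.]?\s*(\d{2}[-\s]?\d{2}[-\s]?\d{2})", re.I)
ACCOUNT_RE = re.compile(r"account\s*(?:no\.?|number|#)?\s*[:.]?\s*(\d{8})\b", re.I)
# Wording that typically accompanies a fraudulent change of payee details.
CHANGE_PHRASES = ("bank details have changed", "new bank details", "updated account")


def extract_bank_details(text):
    """Return the first sort code / account number pair found in invoice text, or None."""
    sc, ac = SORT_CODE_RE.search(text), ACCOUNT_RE.search(text)
    if not sc or not ac:
        return None
    return BankDetails(re.sub(r"\D", "", sc.group(1)), ac.group(1))


# Payee details the client set up through their own bank at the start of the
# matter, taken from the engagement letter (constructed sample data, not real).
REGISTERED = {"Smith & Co Solicitors": BankDetails("123456", "12345678")}


def check_invoice(payee, invoice_text, registered=REGISTERED):
    """Return ("OK", reason) when the registered account can be paid, or
    ("HOLD", reason) when the invoice must be verified by telephone first."""
    known = registered.get(payee)
    if known is None:
        return "HOLD", "no registered details for payee; set them up via your bank, not from the invoice"
    flagged = [p for p in CHANGE_PHRASES if p in invoice_text.lower()]
    if flagged:
        return "HOLD", f"invoice announces a change of bank details ({flagged[0]!r}); phone the firm"
    found = extract_bank_details(invoice_text)
    if found is None or found == known:
        return "OK", "pay the registered account; invoice details match it or are absent"
    return "HOLD", f"details differ from registered (sort code {known.sort_code} vs {found.sort_code}); phone the firm"


# Constructed sample invoices: one genuine, one with substituted bank details.
GENUINE_INVOICE = """Smith & Co Solicitors - Invoice 0001 (conveyancing)
Please pay to: Sort code 12-34-56, Account number 12345678"""
HIJACKED_INVOICE = """Smith & Co Solicitors - Invoice 0001 (conveyancing)
Please note our bank details have changed.
Please pay to: Sort code 65-43-21, Account number 87654321"""

if __name__ == "__main__":
    for name, inv in (("genuine", GENUINE_INVOICE), ("hijacked", HIJACKED_INVOICE)):
        print(name, *check_invoice("Smith & Co Solicitors", inv))
```

The telephone number used for verification must come from the engagement letter or another source established at the start of the matter, never from the invoice or email under suspicion.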

FOR MEDIUM SECURITY

Recognising that these best practices may not be practical for all solicitors' firms to implement in all cases, the following are medium-level security options which may be sufficient for low-value transactions.

  • only send hard-copy invoices
  • include bank details within a PDF attachment to an email
  • password-protect PDFs
  • alternatively, attaching the invoice inside a password-protected zip file provides a modicum of encryption (note that an unprotected zip file provides none)
  • activate read-receipt tracking on your email
  • ask clients to pay via your website (although this involves the risk of your website being spoofed and a client visiting a fake site)

Law Society of Scotland | © 2025