For Partners at UK Law Firms

One spoofed email. £380,000 in completion funds diverted. The firm never recovered.

Payment Diversion Fraud does not begin with a sophisticated attack. It begins with an email that looks exactly like one from your client's solicitor — because it comes from a domain that differs from theirs by one character. Your accounts team acts in good faith. The funds are gone before anyone looks closely.

GetBulwark gives UK law firms the regulatory compliance posture and Payment Diversion Protection that prevents it — and the documented evidence that protects your practising certificates and PI cover if it is ever investigated.

Accounts inbox, as received: message from a spoofed domain.
With Bulwark: DMARC enforced at reject policy. Spoofed emails blocked before delivery. Payment Diversion Protection by design.
£382k: average value of funds diverted in a UK legal sector payment fraud event.
1 character: the difference between a legitimate domain and a spoofed one. Undetectable without DMARC.
£85: per user per month for a complete regulatory compliance posture.
20 points: checks in the free audit, covering every control your regulator and PI insurer expect you to have.
The Attack Anatomy

Payment Diversion Fraud does not require a sophisticated attacker. Just an unsecured inbox.

The attack is simple. The damage is not. Understanding exactly how it works is the starting point for understanding why the technical controls GetBulwark enforces are not optional extras — they are the standard of care your regulator expects you to meet.

Stage 01 — Reconnaissance

They read your email for weeks first.

In most payment diversion cases, the attacker has access to one or more inboxes — yours or the counterpart firm's — before the fraud takes place. They read transaction emails, learn the names, the properties, the expected completion dates. The spoofed email they eventually send is credible because it knows the details.

Access is obtained through phishing, credential stuffing, or — in firms without MFA — a brute-force attack on a common password. The attacker then sits quietly in the background. Reading. Waiting.

Without MFA, a compromised password is full inbox access. A GDPR breach and read access to every client matter — simultaneously.
Stage 02 — Impersonation

One character. That is all the difference there is.

The spoofed email arrives from a domain that differs from the legitimate one by a single character — a numeral instead of a letter, a hyphen inserted, a transposed pair. At email client font sizes, it is functionally invisible to the human eye.

Without DMARC enforcement on your own domain, the same attack works in reverse: your firm's email address can be spoofed to send fraudulent instructions to your clients' solicitors, instructing them to redirect funds to a criminal account.

Your domain should be technically verified as yours. DMARC at reject policy is that verification — and the control your PI insurer asks about at renewal.
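The lookalike-domain check described above can be automated on the receiving side as well. The following is an added example, not GetBulwark's code: it screens inbound sender domains against a constructed list of counterparties the firm genuinely deals with, flagging any that are one edit away (substitution, insertion, deletion or adjacent transposition) or that match only after folding common look-alike characters such as "rn" for "m" or "0" for "o". The trusted domains and sample senders use reserved example names and are placeholders.

```python
"""Flag inbound sender domains that are one edit away from a trusted counterparty domain.

Added example, not GetBulwark's code. TRUSTED_DOMAINS and the sample senders are
constructed placeholders; a real deployment would load the firm's own counterparty list.
"""
from __future__ import annotations

# Constructed allow-list of counterparty domains the firm genuinely corresponds with.
TRUSTED_DOMAINS = {
    "smithlaw.example",
    "jones-solicitors.example",
}

# Character pairs that are visually confusable at email-client font sizes.
# Both sides are folded before comparison, so the mapping direction does not matter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _fold(domain: str) -> str:
    """Lower-case a domain and collapse confusable sequences to a canonical form."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def _one_edit_apart(a: str, b: str) -> bool:
    """True if b is reachable from a by exactly one substitution, insertion,
    deletion or adjacent transposition (Damerau-Levenshtein distance 1)."""
    if a == b:
        return False
    la, lb = len(a), len(b)
    if abs(la - lb) > 1:
        return False
    i = 0  # index of the first differing character
    while i < min(la, lb) and a[i] == b[i]:
        i += 1
    if la == lb:
        if a[i + 1:] == b[i + 1:]:          # single substitution
            return True
        return (i + 1 < la and a[i] == b[i + 1]   # adjacent transposition
                and a[i + 1] == b[i] and a[i + 2:] == b[i + 2:])
    if la < lb:                              # one character inserted into a
        return a[i:] == b[i + 1:]
    return a[i + 1:] == b[i:]                # one character deleted from a


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an email address.

    'lookalike' means the domain is not on the allow-list but is within one edit of,
    or visually confusable with, a trusted domain: the case that warrants a phone call
    to the counterparty on a known number before any funds move.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = _fold(domain)
    for trusted in TRUSTED_DOMAINS:
        folded_trusted = _fold(trusted)
        if folded == folded_trusted or _one_edit_apart(folded, folded_trusted):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as might appear on a completion-day email thread.
    for sender in [
        "accounts@smithlaw.example",        # genuine
        "accounts@smith-law.example",       # hyphen inserted
        "accounts@smithlaw.exmaple",        # transposed pair
        "accounts@srnithlaw.example",       # 'rn' for 'm'
        "accounts@j0nes-solicitors.example",  # '0' for 'o'
        "noreply@unrelated.example",        # not a counterparty at all
    ]:
        print(f"{sender:40} {classify_sender(sender)}")
```

A sender classified as "lookalike" is exactly the message the page describes: credible content from a domain that is not the counterparty's. The check is a complement to DMARC, not a replacement for it: DMARC stops mail that forges your own domain, while this screen catches registered lookalikes of other firms' domains, which DMARC by design does not cover.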
Stage 03 — The Transfer

Your accounts team acts in good faith. The funds leave.

A CHAPS transfer for completion funds is time-critical, high-value, and expected. The accounts team processes it under time pressure. Legal regulators across the UK acknowledge that payment diversion fraud is specifically designed to exploit this environment. The transfer is processed. The funds are gone.

CHAPS transfers are irrecoverable. Your firm's professional indemnity cover responds — or it tries to. Depending on what controls were in place, the insurer may have grounds to contest coverage.

Documented controls are what keep your PI insurer on side when this happens — and what close a regulatory investigation faster.
The Consequence Sequence

What happens to the firm after a payment diversion event.

This is not a projection. This is the documented sequence that has followed every significant payment diversion case in the UK legal sector. It is blunt because the reality is blunt.

Day 1 — Friday afternoon

The client calls. The funds are missing.

The buyer believes the sale has completed. Their £382,500 is in a criminal account in a different jurisdiction. The transaction has not legally completed. They are technically homeless.

Day 2-3 — Weekend

Police and bank fraud teams notified. Recovery unlikely.

Action Fraud receives the report. The bank's fraud team investigates. In the vast majority of cases, the funds have already been moved through multiple accounts and are irrecoverable. Your PI insurer is notified.

Week 2

Regulatory investigation opened.

A complaint is received. Your regulator — the SRA in England and Wales, the Law Society of Scotland, or the Law Society of Northern Ireland — opens a professional conduct investigation. The first question they ask is identical to the one the ICO asks: what technical controls were in place? Your answer determines whether this is a conduct matter or a competency matter.

Month 2-3

Professional Indemnity renewal. Your premium is now a question mark.

Insurers now ask explicit questions about MFA, email authentication, and endpoint security during PI renewal. A firm that has suffered a payment diversion event without documented controls in place faces either significantly increased premiums or coverage refusal. A firm that cannot obtain PI cover cannot practise.

Month 6-12

Civil claims. Personal liability reviewed.

The client sues. The claim goes to the Solicitors Guarantee Fund if the PI insurer refuses to indemnify. Partners face personal regulatory action if the investigation finds a systemic failure of supervision. The narrative in the legal press has already run. The firm's reputation in the market is gone.

With Bulwark — Same week, different outcome

DMARC blocks the spoofed email. Nobody sees it.

The spoofed email from the attacker's domain is rejected at the mail server — it never reaches your accounts team's inbox. The DMARC reject policy Bulwark enforces means the fraud chain cannot complete. The completion proceeds on the legitimate bank details. The client moves in on Friday.

Regulatory Compliance Audit: 4 deficiencies
Multi-factor authentication — all accounts: Not enforced. Optional for staff. Two accounts without any MFA.
DMARC email domain protection: Not configured. Firm's domain spoofable by external attacker.
Endpoint security — all devices accessing client files: Windows Defender only. No managed detection and response. Solicitors' personal laptops unmonitored.
Client file access controls — Workspace permissions: Shared Drive permissions reviewed. Broadly appropriate.
Backup and data retention — client matters: Google Workspace retention only. No independent backup. No tested recovery procedure.
Staff data handling training — annual: Training completed. Records held.

Same Firm — With Bulwark: All controls met
MFA enforced — all accounts, all devices: Google Workspace Admin enforcement active. Logged and evidenced.
DMARC p=reject — Payment Diversion Protection active: Domain protected. Spoofed emails rejected before delivery.
24/7 endpoint monitoring — all devices: 24/7 managed detection. 8-minute average response. Covers solicitors' devices.
Daily backup — tested, documented, recoverable: Client matter files backed up independently. Recovery procedure tested and documented.
Zero Trust Compliance — In Plain English

Every technical control GetBulwark builds has a direct compliance counterpart.

Zero Trust means no user, no device, and no transaction is trusted by default — access is verified at every step. For a law firm, it means the technical architecture of your practice matches the standard of care your regulator expects, your PI insurer requires, and your clients assume you already have.

Enforced MFA on Every Account

In law firm terms: no one accesses your client file system, your accounts inbox, or your completion documents without a second verification step. A compromised password is not enough.

Enforced at the Google Workspace Admin Console — not recommended to staff, not optional, not skippable. Every account. Every login. Every access to a client matter. Legal regulators across the UK list MFA as a baseline control. GetBulwark makes it a technical requirement, not a policy aspiration.

→ Regulatory compliance — access control baseline met

DMARC at Reject — Payment Diversion Protection

In law firm terms: no external party can send email that appears to come from your firm's domain. The fraud chain that relies on your domain being spoofed cannot begin.

DMARC, DKIM, and SPF correctly configured and set to reject policy. This is the single most important technical control against Payment Diversion Fraud in the conveyancing context. It means that when an attacker attempts to spoof your domain to instruct your client's solicitors to redirect funds, the email is rejected before it is delivered. The fraud chain is broken at the first link.

→ Payment Diversion Protection — domain verified, spoofing blocked
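"Set to reject policy" is a specific, checkable property of the DMARC TXT record published at _dmarc.<your-domain>, and it is easy to publish a record that looks like DMARC while enforcing nothing (p=none, or pct below 100, or subdomains left open). The following is an added example, not GetBulwark's audit tooling: it parses a DMARC record into its tags and reports whether the policy actually rejects spoofed mail. Both records are constructed; no DNS lookup is performed, and the check covers only the published policy, not whether SPF and DKIM are aligned for the firm's real mail flows.

```python
"""Assess whether a DMARC TXT record actually enforces rejection.

Added example, not GetBulwark's code. WEAK_RECORD and ENFORCED_RECORD are constructed
records for illustration; the firm's own record lives at _dmarc.<domain> in DNS.
Defaults follow RFC 7489: tags are case-insensitive, pct defaults to 100, sp defaults to p.
"""
from __future__ import annotations

# Constructed: a record that "has DMARC" but monitors only. Spoofed mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@firm.example"

# Constructed: the posture the page describes. Spoofed mail is rejected, including on subdomains.
ENFORCED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@firm.example"
)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing separators and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[bool, list[str]]:
    """Return (enforced, findings).

    enforced is True only when p=reject applies to 100% of mail and to subdomains.
    findings lists each gap in plain language, including the reporting gap that
    would leave the firm without the evidence trail an insurer or regulator asks for.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]

    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied only to a sample of mail")

    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy or 'missing'}: subdomains can still be spoofed")

    enforced = not findings  # the three checks above decide enforcement

    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so no evidence of what was blocked")

    return enforced, findings


if __name__ == "__main__":
    for label, record in [("weak", WEAK_RECORD), ("enforced", ENFORCED_RECORD)]:
        ok, notes = assess_dmarc(record)
        print(f"{label}: {'enforced' if ok else 'NOT enforced'}")
        for note in notes:
            print(f"  - {note}")
```

The record is what a receiving mail server consults when a message claiming to be from your domain fails SPF and DKIM alignment; only p=reject turns that failure into a rejection rather than a warning or a report. A monthly record of this check is the kind of evidence the page's compliance reports are meant to capture.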

24/7 Endpoint Monitoring — All Devices

In law firm terms: every device used to access client matters — including solicitors' personal laptops — is monitored for the kind of behaviour that precedes a data exfiltration or account compromise event.

24/7 managed detection and response. Average response time: 8 minutes from anomaly detection to containment. Average undetected attacker dwell time in unprotected environments: 21 days. That is 21 days of access to your client files, your completion emails, and your accounts transactions before anyone knows they are there.

→ Your practice is monitored to the standard of a regulated firm

Monthly Compliance Reports

In law firm terms: a monthly written record of your firm's security posture — the document your senior partner can sign off, your PI broker can see, and your regulator can be handed during a practice inspection.

Every month, Bulwark delivers a structured report covering MFA status, email authentication, device compliance, access permissions, and any risk items. This is the evidence trail that distinguishes an unfortunate incident from a negligent one in any regulatory or insurance investigation. It is what digital good faith looks like on paper.

→ Regulatory compliance — documented, timestamped, audit-ready

Daily Backup — Client Matter Continuity

In law firm terms: if your Workspace is compromised, your client files, your correspondence, and your completed matter records are independently backed up and recoverable. You do not lose the work product of the firm.

Daily automated backup of Google Workspace — emails, Drive, shared matter folders. Independently retained and restorable at the file level. Solicitors accounts rules across all UK jurisdictions require that client matter records are maintained. A ransomware event or a compromised Workspace that destroys records is a regulatory exposure on top of a security one. Bulwark closes that risk.

→ Accounts rules compliance — client records protected and recoverable

Initial Security Audit — Free

In law firm terms: 45 minutes to understand exactly where your firm's security posture stands against your regulator's expectations and your PI insurer's renewal questions — before they ask.

A structured 20-point manual review of your Google Workspace, covering every control relevant to Law Society Compliance and payment fraud prevention. Delivered as a scored PDF within 48 hours. No obligation. No commitment. The audit exists because the conversation about your firm's security posture should happen with you in control of the information — not in response to a complaint.

→ Book the audit before your regulator does it for you
Settlement Security — The Commercial Case

£85 per user per month is not an IT cost. It is an investment in your PI renewal.

Professional Indemnity insurers now underwrite on the basis of technical security controls, not assumptions. At renewal, they ask whether MFA is enforced, whether email authentication is configured, whether endpoints are monitored. A firm that answers No to these questions is a materially different risk profile from one that answers Yes with evidence. The premium difference is not marginal.

Beyond insurance, Digital Legitimacy is what your clients increasingly assume you have. Corporate clients, regulated businesses, and conveyancing clients with significant assets are beginning to ask questions about their solicitors' security posture that they did not ask three years ago. The firm that can point to a monthly security report has a different answer to that question than the firm that cannot.

A 12-person firm at the standard rate pays £1,020 per month for the complete GetBulwark posture. That is less than the PI excess on a single claim.

Without Bulwark
Firm's domain spoofable — Payment Diversion Fraud possible
MFA optional — compromised password = full inbox access
No managed detection — attacker dwell time averages 21 days
No backup — Workspace loss = client matter record loss
PI renewal: can't answer MFA and authentication questions with evidence
Regulatory inspection: no documented compliance file to present
Digital Legitimacy assumed — not demonstrated
With Bulwark
DMARC reject enforced — Payment Diversion Protection by design
MFA enforced — credential theft stopped at first login
24/7 endpoint monitoring — 8-minute avg threat response
Daily backup — client records recoverable, Accounts Rules met
PI renewal: monthly reports answer every underwriter question
Regulatory compliance — audit file exists, current, and signed off
Digital Legitimacy — documented and demonstrable
Free Audit — No Obligation

Find out exactly where your firm stands — before your regulator or PI insurer asks.

A free 45-minute audit of your Google Workspace. Twenty checks across email authentication, access controls, device compliance, and client data protection — every control relevant to regulatory compliance and Payment Diversion Protection. Delivered as a scored PDF within 48 hours.

45 minutes. PDF delivered within 48 hours. No contract, no commitment.