The 4pm Friday attack

Imagine this scenario; it’s soon clocking off time for the weekend, you’ve just sent funds to complete the purchase of your new business premises upon your solicitor’s last-minute, urgent email. You call to confirm the deposit has been made only to discover the request didn’t come from them and you’ve transferred thousands of pounds to a cybercriminal.



This is a very real cyber nightmare that Welsh businesses from Abergavenny to Milford Haven, Builth Wells to Machynlleth, Conwy to everywhere else in between are unfortunately experiencing. Would you know what actions to take and who to call if you found yourself in this situation?


Conveyancing scams are big business for online hackers, as huge sums of money are being passed from law firms to clients and typically on a Friday. This sector is uniquely vulnerable, with estate agents, lenders, mortgage advisers and solicitors at risk due to the significant amount of crucial, sensitive data they hold and share between each other.


A breach can happen when a computer system is hacked due to a weak password, keylogging (when keystrokes are secretly recorded) or through phishing. The intruder can then mimic email conversations and pretend to be someone else – in this case a solicitor requesting transfer of completion funds into a fraudulent bank account.


Business email compromise (BEC) is another scam where employees receive a legitimate looking email from someone high up in the company such as the CEO or CFO, with a sense of urgency asking for money to be sent.


Online intruders love to strike on a Friday afternoon and in the lead up to a public holiday because it’s highly likely that business defences are down, and employees are tired and not as alert to potential threats – their methods are to prey on human weaknesses.


How to protect your business


If you’re suspicious of an email requesting money, in the first instance call your contact to double check they did send it and then confirm the bank details are correct. Email scams and other cybercrimes can be reported to Action Fraud.


You don’t need to be dealing with a property purchase or be turning over large sums to be a cybercrime target, in fact micro-businesses and SMEs are increasingly vulnerable often due to the misconception that ‘it won’t happen to me’. Your business’ digital door may be closed but how sure are you that it’s properly locked in a digital sense?


It doesn’t take much for hackers to gain unauthorised access if vulnerabilities aren’t appropriately identified and fixed. You could end up being repeat business for online criminals.


A report by telecomms powerhouse Vodafone states more than 1.3 million small and medium-sized businesses across the UK could go under given the cost of an average cyberattack, which government data says is almost £8,500 – a hefty amount many would agree.


Quick and easy wins to implement now:


  • Enable two-factor authentication (2FA) on email accounts and software apps (a code is sent via text to your phone or generated by an authenticator app to verify that you are the rightful user of the account).


  • Data backup - save any data that can’t be replaced if lost, damaged or stolen (financial records, emails, customer databases, documents, and supplier contracts) by saving them to an external hard drive or to a cloud-based system.


Longer-term measures to safeguard your business include:


  • A response and recovery plan - we can’t stress enough how important having a good continuity plan is for Welsh SMEs. The National Cyber Security Centre has provided simple, five-step guidance to lessen the impact of an attack.


  • Staff training – the WCRC can help with affordable, tailored and easy-to-follow security awareness training which will give your workforce the confidence to challenge anything cyber-related that doesn’t seem right.


  • Cyber Essentials – the government-backed scheme helps businesses become more resilient against attacks. Cyber Essentials includes £25k insurance for SMEs and a support helpline should you be in the early stages of a threat. The WCRC’s trusted partners work with local business like yours which want to achieve the qualification.


We’re here to help Welsh SMEs with business resilience and having cyber security in place isn’t a complicated or costly process with the WCRC. Please get in touch to let us know how we can support your business today.




The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.