Court Finds No Cyber Coverage for Victim of Email Scam
How Can A Firm Protect Against This Risk?
Loss Was Not “Directly Caused” By Use Of Computer Where the Insured Authorized and Initiated a Wire Transfer to Scammer’s Bank Account After Receiving Fraudulent Email.
Even if you have coverage for computer fraud, your policy may not cover every loss caused by a computer-related scam. For example, a court recently ruled that a business email compromise scam, in which an email purporting to be from a vendor of the insured induces the insured to wire funds to the scammer’s bank account, is not a loss “directly caused” by the use of a computer and therefore is not covered computer fraud.
In American Tooling Center, Inc. v. Travelers Casualty and Surety Co., 2017 WL 3263356 (E.D. Mich., August 1, 2017), the insured, ATC, emailed a vendor requesting copies of all outstanding invoices. The responsive email purportedly was sent by the vendor, but in fact was from a scammer. That fraudulent email instructed the insured to wire payment for several legitimate outstanding invoices to a new bank account controlled by the scammer.
ATC’s policy covered “direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.” In order to be covered, the loss was required to be directly caused by the use of a computer. Here, the court held, the loss was not directly caused by the fraudulent emails, since there were intervening events, including ATC’s verification of production milestones and its authorization and initiation of the wire transfers.
The decision cites several cases holding that an email containing fraudulent wire instructions does not directly cause the transfer of funds. See Apache Corp. v. Great American Ins. Co., 662 Fed. Appx. 252 (5th Cir. 2016); Pestmaster Servs., Inc. v. Travelers Casualty & Surety Co., 656 Fed. Appx. 332 (9th Cir. 2016); see also Incomm Holdings, Inc. v. Great American Ins. Co., 2017 WL 1021749 (N.D. Ga. 2017).
The court distinguished another recent decision, Medidata Solutions, Inc. v. Federal Ins. Co., Case No. 15-DV-907 (S.D. N.Y. July 21, 2017), on the grounds that the policy in Medidata did not include the language requiring the “direct loss” to be “directly caused by Computer Fraud.” The policy in Medidata instead required a “direct loss . . . resulting from Computer Fraud,” and defined “Computer Fraud” to include “entry of” or “change to” data. The court held that the scammer embedded computer code that caused the fraudulent email to display Medidata’s president’s email address in the “from” field, and therefore violated the integrity of Medidata’s computer system. Medidata at 10.
What can be done, then, to protect against a business email compromise scam? Careful screening of incoming email may help, but is unlikely to eliminate the risk. The scammer in American Tooling “made the email appear to be from [the vendor] YiFeng by using the ‘yifeng-rnould’ domain, which is easily confused for the correct domain: yifeng-mould.com.” In addition, bank account information from payees should be verified, a step that ATC failed to take. However, the scam often involves an overseas vendor and bank; the information may be difficult and time-consuming to verify, and the transaction will likely be presented as time-sensitive. Since preventive measures may be inadequate, firms may want to look into the social engineering fraud endorsements offered by some insurers that will cover vendor or supplier impersonation. More generally, as illustrated by the difference in policy language between American Tooling and Medidata, policy forms in this area are not standardized, and it is important to examine the specific language of your policy in light of your potential exposure.
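The “rn” for “m” substitution used in American Tooling is one of a small set of character confusions that email screening can check for. The following is an added example, not from the post or the court record, of how an accounts-payable mail filter might flag a sender domain that is a lookalike of a known vendor domain; the vendor allowlist and confusable table are constructed for illustration.

```python
from email.utils import parseaddr

# Character sequences that are easily confused in a domain name; the first
# pair is the one used in American Tooling. This table is an assumption,
# not an exhaustive list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

# Constructed allowlist of domains that belong to vendors the firm actually pays.
VENDOR_DOMAINS = {"yifeng-mould.com", "example-supplier.net"}


def normalize(domain: str) -> str:
    """Fold confusable sequences so visually similar domains compare equal."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, allowlist=VENDOR_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike:<vendor domain>' or 'unknown' for a From: header.

    A 'lookalike' result is the signal to verify payment instructions out of band
    (for example by phoning the vendor at a number already on file).
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in allowlist:
        return "known"
    norm = normalize(domain)
    for vendor in allowlist:
        if norm == normalize(vendor) or edit_distance(domain, vendor) <= max_dist:
            return f"lookalike:{vendor}"
    return "unknown"
```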