Category Archives: Social Engineering Fraud

Taylor & Lieberman: Ninth Circuit finds No Coverage under Crime Policy for Client Funds lost in Social Engineering Fraud

By David S. Wilson and Chris McKibbin

In the recent decision of Taylor & Lieberman v. Federal Insurance Company, the Ninth Circuit Court of Appeals affirmed a decision of the U.S. District Court for the Central District of California holding that a business management firm did not have coverage in respect of client funds which it was fraudulently induced to wire overseas.

While the District Court had held that the insured had failed to establish that it had sustained any “direct” loss at all (see our July 14, 2015 post), the Ninth Circuit affirmed the result on other grounds, holding that the insured had also failed to establish that the loss came within the substantive requirements of any of the Forgery, Computer Fraud or Funds Transfer Fraud insuring agreements.

The Facts

Taylor & Lieberman (“T&L”) was an accounting firm which also performed business management and account oversight services for various clients, including the client in issue. Clients’ funds were held in separate bank accounts maintained with City National Bank. Clients granted Powers of Attorney over their accounts to a designated individual at T&L, permitting transactions to be made in the accounts.

A fraudster obtained access to the client’s email account and sent two emails from that account to a T&L employee, as follows:

  • The first email directed the employee to wire $94,280 to an account in Malaysia. The employee did so, and then sent a confirming email to the client’s email account.
  • The next day, the employee received another email from the client’s account directing her to wire $98,485 to an account in Singapore. The employee again complied, and again sent a confirming email to the client’s email account.

The employee then received a third email, purportedly from the client, but sent from a different email address. The employee contacted the client by phone, and discovered that all three emails were fraudulent. T&L was able to recover some of the funds, but had to reimburse its client and incurred a net loss of nearly $100,000.

T&L submitted a claim under each of its Forgery Coverage, its Computer Fraud Coverage and its Funds Transfer Fraud Coverage. The District Court held that each of these coverages required “direct loss sustained by an Insured” and that, as a matter of law, no direct loss had been sustained.

On appeal, the Ninth Circuit did not disturb the finding with respect to direct loss, but affirmed the result on the basis that T&L had failed to establish that the loss came within the scope of any of the insuring agreements.

The Forgery Coverage

T&L contended that the insuring agreement’s requirement of a “Forgery or alteration of a financial instrument” did not require proof of a “Forgery” of a financial instrument, arguing that the wording covered either an alteration of a financial instrument or a free-standing “Forgery” of any document, of any type. The Ninth Circuit quickly dismissed this contention, holding that the insuring agreement plainly required either a “Forgery” of a financial instrument or an alteration of a financial instrument.

More substantively, the Court rejected T&L’s contention that the emails to T&L were financial instruments:

Here, the emails instructing T&L to wire money were not financial instruments, like checks, drafts, or the like. See Vons Cos., Inc. v. Fed. Ins. Co. … (C.D. Cal. 1998) (holding that wire instructions, invoices, and purchase orders were not “documents of the same type and effect as checks and drafts.”). And even if the emails were considered equivalent to checks or drafts, they were not “made, drawn by, or drawn upon” T&L, the insured. Rather, they simply directed T&L to wire money from T&L’s client’s account. In sum, there is no forgery coverage.

The Computer Fraud Coverage

The Computer Fraud insuring agreement required T&L to demonstrate “an unauthorized (1) ‘entry into’ its computer system, and (2) ‘introduction of instructions’ that ‘propogate[d] themselves’ through its computer system.” The Court held that the sending of an email, without more, did not constitute an unauthorized entry into T&L’s computer system. Further, the emails were not an unauthorized introduction of instructions that propagated themselves through T&L’s computer system:

The emails instructed T&L to effectuate certain wire transfers. However, under a common sense reading of the policy, these are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code. … Additionally, the instructions did not, as in the case of a virus, propagate themselves throughout T&L’s computer system; rather, they were simply part of the text of three emails.

The Funds Transfer Fraud Coverage

The Funds Transfer Fraud insuring agreement indemnified against:

fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured Organization at such Institution, without an Insured Organization’s knowledge or consent.

The Court held that the requirements of the insuring agreement were not met:

This coverage is inapplicable because T&L requested and knew about the wire transfers. After receiving the fraudulent emails, T&L directed its client’s bank to wire the funds. T&L then sent emails confirming the transfers to its client’s email address. Although T&L did not know that the emailed instructions were fraudulent, it did know about the wire transfers.

Moreover, T&L’s receipt of the emails from its client’s account does not trigger coverage because T&L is not a financial institution.

As a result, there was no coverage available under the Federal policy.

Conclusion

Following the Fifth Circuit’s decision in Apache (see our October 24, 2016 post), the Ninth Circuit’s decision in Taylor & Lieberman provides another example of a clear trend on the part of the courts to refuse to find coverage for social engineering fraud losses under the “traditional” crime policy coverages (typically, computer fraud and funds transfer fraud coverages, but occasionally, as here, other coverages as well). The proliferation of social engineering frauds has created a new exposure for insureds, and fidelity insurers have responded by creating discrete social engineering fraud coverages. Like Apache, Taylor & Lieberman serves as a cautionary tale to businesses (and to their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain such coverage.

Taylor & Lieberman v. Federal Insurance Company, 2017 WL 929211 (9th Cir.)


Filed under Computer Fraud, Direct Loss, Forgery, Funds Transfer Fraud, Social Engineering Fraud

Apache Corporation: Fifth Circuit holds that Commercial Crime Policy’s Computer Fraud Coverage does not extend to Social Engineering Fraud Loss

By David S. Wilson and Chris McKibbin

On October 18, 2016, the U.S. Court of Appeals for the Fifth Circuit released its opinion in Apache Corporation v. Great American Insurance Company.  This is one of the first appellate decisions to consider coverage for a social engineering fraud loss under “traditional” commercial crime policy wording since the widespread introduction of social engineering fraud endorsements.  In holding that the loss did not trigger indemnity under the Computer Fraud coverage, the Fifth Circuit adopted the interpretive approach to Computer Fraud coverage taken by the Ninth Circuit in Pestmaster Services v. Travelers (which we discussed in our August 4, 2016 post) and applied it in the context of social engineering fraud.

The Facts

Apache is an oil production company which is headquartered in Texas and which operates internationally.  In March 2013, an Apache employee in Scotland received a call from a person claiming to be a representative of Petrofac, a legitimate vendor of Apache.  The caller instructed the employee to change the bank account information which Apache had on record for Petrofac.  The Apache employee advised that such a change request would not be processed without a formal request on Petrofac letterhead.

A week later, Apache’s accounts payable department received an email from a @petrofacltd.com email address.  Petrofac’s legitimate email domain name is @petrofac.com.  The email advised that Petrofac’s bank account details had changed, and included as an attachment a signed letter on Petrofac letterhead setting out the old and new account numbers and requesting that Apache “use the new account with immediate effect.”

An Apache employee called the telephone number on the letterhead and confirmed the authenticity of the change request.  Next, a different Apache employee approved and implemented the change.  A week later, Apache was transferring funds for payment of Petrofac’s invoices to the new bank account.

Within a month, Petrofac advised Apache that it had not received payment of approximately $7 million which Apache had transferred to the new account.  Apache recovered some of the funds, but still incurred a net loss of approximately $2.4 million.

The Computer Fraud Coverage

Apache maintained a Crime Protection Policy with Great American, but it does not appear that the policy included social engineering fraud coverage.  Apache asserted a claim under its Computer Fraud coverage, which provided that:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

 a) to a person (other than a messenger) outside those premises; or

 b) to a place outside those premises.

In Great American’s view, no indemnity was available because the @petrofacltd.com email did not cause the transfers in issue, and because the coverage was limited to losses resulting from hacking and other incidents of unauthorized computer use.

The Fifth Circuit accepted Great American’s position.  Noting that there was no Texas law directly on point, the Court embarked on what it described as a “detailed — but numbing — analysis” of the authorities interpreting the Computer Fraud coverage.  Chief among these was the Ninth Circuit’s recent decision in Pestmaster, in which that Court interpreted the coverage to require an unauthorized transfer of funds, rather than simply any transfer which involved both a computer and a fraud at some point.

The Fifth Circuit contrasted that requirement with the lengthy chain of events that had resulted in Apache’s loss:

Here, the “computer use” was an email with instructions to change a vendor’s payment information and make “all future payments” to it; the email, with the letter on Petrofac letterhead as an attachment, followed the initial telephone call from the criminals and was sent in response to Apache’s directive to send the request on the vendor’s letterhead.  Once the email was received, an Apache employee called the telephone number provided on the fraudulent letterhead in the attachment to the email, instead of, for example, calling an independently-provided telephone contact for the vendor, such as the pre-existing contact information Apache would have used in past communications.  Doubtless, had the confirmation call been properly directed, or had Apache performed a more thorough investigation, it would never have changed the vendor-payment account information.  Moreover, Apache changed the account information, and the transfers of money to the fraudulent account were initiated by Apache to pay legitimate invoices. 

The Court observed that the authorities generally refuse to extend the scope of the Computer Fraud coverage to situations where the fraudulent transfer is not a direct result of computer use, but rather results from other events.

In concluding that no indemnity was available under the Computer Fraud coverage, the Court held that:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money.  To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster…, convert the computer-fraud provision to one for general fraud.  …  We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between “computer” and “telephone” was already blurred.  In short, few — if any — fraudulent schemes would not involve some form of computer-facilitated communication.  [emphasis added]

Conclusion

The Fifth Circuit’s decision in Apache is broadly significant to the fidelity insurance industry not only because, like Pestmaster, it reaffirms the intended scope of the Computer Fraud coverage, but also because it reinforces the purpose behind insurers’ introduction of discrete social engineering fraud coverage in the last few years, i.e., the lack of coverage for social engineering frauds under traditional computer and funds transfer coverages.

The proliferation of social engineering fraud has undoubtedly exposed insureds to greater risk.  However, insurers have responded by underwriting discrete social engineering fraud coverages.  There is no need for courts to depart from the traditional interpretation of computer fraud and funds transfer fraud coverages in order to address this perceived problem, because a solution is already available.

As a practical matter, Apache confirms that insureds need Social Engineering Fraud coverage for these types of losses. The decision provides greater certainty on the part of insureds, insurers and brokers as to the intended scope of each coverage, and makes it easier for all industry participants to ensure that insureds obtain the coverages they require for the types of potential losses that they face.

Apache Corporation v. Great American Insurance Company, 2016 WL 6090901 (5th Cir.)


Filed under Computer Fraud, Social Engineering Fraud

Aqua Star: U.S. District Court applies “Authorized Entry” Exclusion to claim under Computer Fraud Coverage

By David S. Wilson and Chris McKibbin

On July 8, 2016, the U.S. District Court for the Western District of Washington released its decision in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America.  The decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies (sometimes referred to as the “authorized access” exclusion), and illustrates how this exclusion may operate in the context of a social engineering fraud loss.

The Facts

The insured, Aqua Star (USA) Corp. (“Aqua Star”), is a seafood importer that had a pre-existing relationship with a legitimate vendor, Zhanjiang Longwei Aquatic Products Industry Co. Ltd. (“Longwei”).  In the summer of 2013, Longwei’s computer system was hacked.  The hacker apparently monitored email exchanges between an Aqua Star employee and a Longwei employee before intercepting those email exchanges and using “spoof” email domains to send fraudulent emails to the Aqua Star employee.  In the spoofed emails, the hacker directed the Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.

The Aqua Star employee inserted the revised banking information into Aqua Star’s computer system.  This revised information was then used to create Wire Confirmation Detail instructions that were transmitted to Aqua Star’s bank, the Bank of America.  As a result, $713,890 was wired to the hacker’s account before the fraud came to light.

The Travelers Coverage

Aqua Star maintained a Wrap+ Crime Policy with Travelers.  The policy covered Aqua Star for its “direct loss of, or direct loss from damage to, Money, Securities, and Other Property directly caused by Computer Fraud”, as defined.  Travelers relied on Exclusion G to the policy, which provided that the policy:

will not apply to loss resulting directly or indirectly from the input of Electronic Data by a natural person having the authority to enter the Insured’s Computer System. 

As a general observation, this type of exclusion is intended to encompass (among other things) social engineering fraud losses.  At present, social engineering fraud coverage is typically added to commercial crime policies by endorsement, with the endorsement providing that the exclusion in the base wording does not apply in respect of coverage afforded by the endorsement.  The intent is to reinforce that only social engineering fraud coverage, and not the “traditional” computer or funds transfer fraud coverages, responds to social engineering fraud losses.

It is not clear from the Court’s decision whether Aqua Star also maintained social engineering fraud coverage.

The Decision

On the parties’ cross-motions for summary judgment, the Court confined itself to the question of whether Exclusion G applied to the loss, and did not opine on whether the loss fell prima facie within coverage.  The Court held that, on its face, Exclusion G clearly applied to the facts.  The “revised” banking details were information, which fell within the meaning of “Electronic Data”.  The employee in question was a natural person and had the authority to enter banking details into Aqua Star’s computer system.  As a result, the exclusion applied.

Aqua Star advanced two substantive arguments in an effort to avoid the application of the exclusion.  First, Aqua Star asserted that the exclusion did not apply because, in order to initiate the wire transfers, an Aqua Star employee had to enter data into the computer system of a third party (i.e., its bank, the Bank of America).  The Court rejected this contention, observing that:

Although entering data into a third party’s computer system may have been the final step that led to Aqua Star’s loss, necessary intermediate steps prior to the transfer involved entering Electronic Data into Aqua Star’s own Computer System. Aqua Star does not explain why the involvement of a third party computer system would render Exclusion G inapplicable.

Second, Aqua Star contended that Exclusion G was actually intended to preclude coverage where a fraud is perpetrated by an authorized user of an insured’s computer system, such as an employee or legitimate customer.  The Court did not accept this argument either, but did note that:

the clear language of the policy does not limit the exclusion to fraud perpetrated by an authorized user, although … it certainly could apply in that situation [as well]. 

As a result, Exclusion G applied to the loss.

Conclusion

In providing a detailed analysis of Exclusion G to the Travelers Wrap+ policy, Aqua Star reflects the intended boundary between social engineering fraud coverage and “traditional” computer fraud and funds transfer fraud coverages.  Courts have generally interpreted the computer fraud coverage as being intended to cover loss due to unauthorized hacking by third parties (see, for example, Pestmaster, which we discussed in our January 6, 2015 post), not employees’ authorized entries of data that are induced by external fraud.

To address this perceived gap, many insurers have introduced social engineering fraud endorsements to respond to the latter scenario.  The “authorized entry” exclusion reinforces insurers’ intent that the two coverages respond to different loss scenarios.  In our view, it is appropriate to keep this context in mind in assessing both the applicability of “authorized entry” exclusions and the dividing line between social engineering fraud coverage and other coverages.

Aqua Star (USA) Corp. v. Travelers Casualty and Surety Company of America, 2016 WL 3655265 (W.D. Wash.)


Filed under Authorized Access/Entry Exclusion, Computer Fraud, Social Engineering Fraud