SOCIAL ENGINEERING FRAUD: IS COVERAGE AVAILABLE UNDER COMMERCIAL CRIME POLICIES?
By Dominic T. Clarke and Chris McKibbin, Partners at Blaney McMurtry
Insurance for loss resulting from the use of technology to commit fraud has existed for decades. Since the 1980s, commercial crime policies have included various forms of computer fraud and funds transfer fraud coverage. Similar coverage has been available as part of financial institution bonds since the 1990s.
New forms of fraud have emerged in recent years which do not fit neatly into the existing coverages. Social engineering fraud is the most significant of these new frauds. It occurs when an employee of a business is duped by a fraudster into voluntarily parting with the assets of the business. Some examples include:
1. Phony Client Scams: The victims or targets of these scams are financial institutions or other entities that handle client funds. The target's employee is induced by email, phone or fax to wire client funds to a "new" account. Verification procedures are either absent or not followed, and the funds are typically unrecoverable. The target must reimburse its client for the lost funds, and then looks to its crime insurer for indemnity.
2. Vendor Impersonation Scams: The fraudster purports to be a legitimate vendor of the target, and contacts the target's employee to request that the vendor's banking information be changed. The victim wires funds to the "new" account. By the time that the legitimate vendor follows up with the victim on its outstanding receivables, the funds are gone.
3. Executive Impersonation Scams: The fraudster, posing as the target's "CEO" or other high-ranking executive, contacts its finance department using a spoof email or similar-domain email, under the pretext of needing an emergency payment relating to a "top secret" acquisition, merger or other situation. The fraudster directs the finance department employee to wire funds to a "special" account. The lost funds are typically unrecoverable, and the victim turns to its crime insurer for indemnity.
4. Law Firm Collection Scams: The fraudster poses as a foreign "client" in a debt collection matter. The "debtor" is in collusion with the "client". As soon as the lawyer demands payment, the "debtor" promptly issues a (counterfeit) cheque payable to the lawyer's trust account. The lawyer is instructed to wire the funds (less his or her fee) to the "client" – invariably, on an urgent basis. Once the debtor's cheque is returned as counterfeit, the lawyer's trust account is in deficit. Although most lawyers' E&O policies provide some coverage for this, the targeted lawyer often also looks to his or her crime insurer for indemnity.
Traditional crime insurance policies are not intended to cover social engineering fraud:
- Computer Fraud insuring agreements typically only indemnify for unauthorized entries (or "hacks") into an insured's computer system. Social engineering incidents typically involve payments initiated by the insured's employee, albeit on the basis of an inaccurate understanding of the facts.
- Funds Transfer Fraud insuring agreements are intended to cover fraudulent transfers caused by a third party directing an insured's financial institution to transfer the insured's funds without the insured's knowledge or consent. Social engineering incidents typically involve payment instructions authorized and voluntarily initiated by the insured's employee and, as such, they usually do not meet the requirements of the insuring agreement.
- Crime policies may also contain exclusions for losses resulting from an insured's voluntarily parting with money, or for losses resulting from authorized entries into an insured's computer system.
In response, the first discrete social engineering fraud coverages were introduced in Canada in 2014. Unfortunately, some victims of social engineering fraud do not obtain this coverage and, after incurring a loss, seek indemnity under the computer fraud or funds transfer fraud insuring agreements of their policies.
Computer Fraud Coverage
The October 18, 2016 decision of the U.S. Court of Appeals for the Fifth Circuit, Apache Corporation v. Great American Insurance Company [1], is one of the first American appellate decisions to consider coverage for a vendor impersonation scam under "traditional" commercial crime policy wording since the widespread introduction of social engineering fraud coverage. In holding that the resulting loss did not trigger indemnity under the computer fraud coverage, the Fifth Circuit adopted the interpretive approach to computer fraud coverage taken by most other American courts, such as the Ninth Circuit in Pestmaster Services v. Travelers [2], and applied it in the context of social engineering fraud.
Apache is an oil production company which is headquartered in Texas and which operates internationally. An Apache employee received a call from a person claiming to be a representative of Petrofac, a legitimate vendor of Apache. The caller instructed the employee to change the bank account information which Apache maintained for Petrofac. Apache's accounts payable department did so, and began transferring funds for payment of Petrofac's invoices to the new bank account. Apache incurred a net loss of approximately $2.4 million.
Apache maintained a Crime Protection Policy with Great American, and made a claim under its Computer Fraud coverage, which provided that:
We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:
a) to a person (other than a messenger) outside those premises; or
b) to a place outside those premises.
In Great American's view, this coverage applies when an individual improperly accesses, or "hacks", into the insured's computer system and fraudulently causes a transfer of funds, either from the insured's premises or the insured's bank's premises. Accordingly, no indemnity was available to Apache because the @petrofacltd.com email did not cause the transfers in issue; the loss was not the direct result of unauthorized computer use, but rather the subsequent acts of Apache's employees.
The Fifth Circuit accepted Great American's position, relying on numerous American authorities including Pestmaster, in which the Ninth Circuit interpreted the computer fraud coverage to require an unauthorized transfer of funds, rather than simply any transfer which involved both a computer and a fraud at some point.
The Apache Court observed that prior courts had generally refused to extend the scope of the computer fraud coverage to situations where the fraudulent transfer is not a direct result of computer use, but rather results from other events. In concluding that no indemnity was available under the computer fraud coverage, the Court held that:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would, as stated in Pestmaster…, convert the computer-fraud provision to one for general fraud. … We take judicial notice that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between "computer" and "telephone" was already blurred. In short, few – if any – fraudulent schemes would not involve some form of computer-facilitated communication. [emphasis added]
Apache is significant to the insurance industry not only because, like Pestmaster, it reaffirms the intended scope of the computer fraud coverage, but also because it reinforces the purpose behind insurers' recent introduction of discrete social engineering fraud coverage. In our view, a Canadian court should reach the same conclusion if it were to consider similar facts.
Funds Transfer Fraud
On July 4, 2017, the Alberta Court of Queen's Bench released its decision in The Brick Warehouse LP v. Chubb Insurance Company of Canada [3]. The Court found that a vendor impersonation loss did not fall within the terms of a crime policy's Funds Transfer Fraud coverage.
The Brick is a retailer of furniture and appliances. An individual called The Brick's accounts payable department claiming to be the controller of one of The Brick's vendors, Toshiba, and indicated that Toshiba had changed banks from the Bank of Montreal to the Royal Bank of Canada ("RBC"). A subsequent email indicated that future payments to Toshiba should be made to the new RBC account, and provided the necessary information to transfer money into the account. No one from The Brick took any independent steps to verify the change in bank accounts, nor did anyone contact Toshiba.
As a result of the fraud, The Brick directed payment on 10 Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a loss of $224,475.
The Chubb policy indemnified for "Funds Transfer Fraud by a Third Party", which was defined as:
… the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured's knowledge or consent.
Consistent with American authorities, the Court interpreted the insuring agreement as requiring that The Brick demonstrate that its bank transferred funds out of The Brick's account under instructions from a third party impersonating The Brick. Coverage was not available, as The Brick knew about, and therefore consented to, the instructions given to its bank.
The proliferation of social engineering frauds has created a new exposure for Canadian business. While insurers have responded by creating discrete social engineering fraud coverages, Apache and The Brick serve as a cautionary tale of how a business may be exposed to an uninsured loss in the event that it does not purchase such coverage.
Dominic T. Clarke and Chris McKibbin are partners with Blaney McMurtry LLP in Toronto. Chris is editor of Blaneys Fidelity Blog www.blaneysfidelityblog.com.
1. Apache Corporation v. Great American Insurance Company, 2016 WL 6090901 (5th Cir.).
2. Pestmaster Services, Inc. v. Travelers Casualty and Surety Company of America, 2016 WL 4056068 (9th Cir.).
3. The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413.