Vendor impersonation is one of the typical varieties of “Business E-mail Compromise” (BEC) scams. In spoofing the e-mail of a trusted vendor, the fraudster persuades a company to redirect its vendor payments to a fraudulent bank account. While courts have found that commercial crime policies cover loss from BEC scams, a recent Fifth Circuit decision found no coverage for the victim of a vendor-impersonation BEC scam under the computer fraud provision of the company’s crime protection policy. Rejecting the company’s arguments that the coverage provision was ambiguous, the court held that the fraudulent e-mail was not the cause of the fraudulent transfer. Orrick attorneys Russell Cohen, Aravind Swaminathan, and Harry Moren comment on this troubling decision at our sister blog, Trust Anchor.
“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
Your company’s controller receives an email instruction from your CEO to wire funds to complete a time-sensitive and confidential deal–seems like a clear directive to execute, but it’s not. It’s an increasingly common scam known as the “Business E-mail Compromise” (BEC).
In a BEC scam, as we previously described, fraudsters send spoofed e-mail to trick employees into making unauthorized transfers of funds, generally through wire transfers. The employee, usually a controller or other individual responsible for wiring money, receives an e-mail which appears to be from a high-level company executive, company lawyer or advisor, or even a trusted long-standing supplier or vendor. The e-mail pressures the employee to transfer company funds to a bank account, often offshore, urgently and secretly. The scammers may attempt to add credibility by sending the targeted employee spoofed e-mails from multiple trusted accounts or by plying the employee with fraudulent telephone calls, websites, and documents on formal letterhead. As discussed by our White Collar defense colleagues, victims of the BEC scam have reported to the FBI and international law enforcement agencies over $1.2 billion in exposed losses, much of which occurred in 2015 alone. While being victimized by a BEC scam can be costly, some of these losses may be covered by insurance.