“Business E-mail Compromise” (BEC) scams, which we have previously discussed, are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.