The number of decisions considering claims for insurance coverage resulting from Business Email Compromise (“BEC”) scams has been increasing, providing policyholders with some hope, and some clarity, in this muddy area.
Policyholders got a recent win when a federal court in New York found in Medidata Solutions, Inc. that a data-services provider’s commercial crime policy covered an almost $5 million loss suffered as a result of a BEC scam. The Court in Medidata found coverage under the insured’s computer fraud and funds transfer rider, reasoning that “fraudulent access to a computer system” extends to email spoofing. Parting company with the Fifth Circuit in Apache, the Court in Medidata recognized that such spoofing can be a legal cause of the insured’s loss. And even though an authorized employee willingly initiated the transfer, the funds were not transferred with Medidata’s “knowledge or consent.”
Despite recent wins, there remains enough uncertainty in the coverage landscape that we suspect insurers will continue their full-on fight against coverage for these losses. To help policyholders prepare for battle, here are five things you can do NOW to maximize insurance coverage for losses from a BEC scam.
Insurers’ recalcitrance in providing coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed. On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company.
The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
The coverage landscape for “Business E-mail Compromise” (BEC) scams remains somewhat tenuous, as organizations and carriers continue to battle in court over the extent of coverage. Although recent policyholder-friendly decisions in the Eighth Circuit (hacker who took over a bank’s computer system) and a federal district court in Georgia (scheme based on spoofing a CEO’s e-mail) found insurance coverage for fraudulently transferred funds, a recent unpublished Fifth Circuit opinion moves in the other direction. Unfortunately, this new ruling, and the uncertainty it creates, may embolden insurers in fighting coverage for these scams under crime insurance policies.
“Business E-mail Compromise” (BEC) scams are becoming an increasing concern. The FBI’s most recent report in June 2016 identified a 1,300% increase in reported incidents, reaching 22,000 victims targeted for $3.1 billion. Policyholders victimized by BEC scams should cheer the most recent decision addressing coverage for such scams. In Principle Solutions Group v. Ironshore Indemnity, a federal district court in Georgia ruled on summary judgment that a commercial crime policy covered a BEC scam in which a fraudster deceived a Principle Solutions employee into wiring $1.72 million to an account in China. The court rejected the insurer’s argument that the wire transfer was not directly caused by the BEC scam.
Principle Solutions suffered a hallmark BEC scam. The fraudster sent a spoofed email, purportedly from Principle Solutions’ CEO, to the company’s controller. The spoofed email instructed the controller to work with a specified attorney to wire funds that day for a highly confidential company acquisition. The controller then received an email from the named “attorney” with the wiring instructions. The “attorney” called the controller, representing that the CEO had approved execution of the wire and emphasizing the urgency of the funds transfer.
The controller initiated the necessary steps to execute the transfer that day. She logged into the company’s online account at its financial institution to enable the transfer approval, instructed another employee to create the wire instructions, and approved the wire transfer. The financial institution’s fraud prevention unit flagged the transaction and requested verification of the wire. The controller called the “attorney” to verify how he had received the wire instructions. The “attorney” told her he had received the instructions verbally from the CEO. The controller relayed this information to the financial institution, which then allowed the transaction to proceed.
The company discovered the fraud the next day when the controller told the CEO she had completed the wire transfer. The company immediately reported the fraud but unfortunately could not recover the funds.
In March, we reported on the Business E-mail Compromise (BEC) scam where criminals target employees responsible for wiring company money, and trick them into wiring money under false pretenses to fraudulent accounts controlled by the criminals. In recent months, the FBI has identified a new trend in the BEC scam, and a similar emerging scheme that primarily targets employees from spoofed email accounts (E-Mail Account Compromise or EAC). The FBI estimates that these scams have claimed over 8,000 victims and resulted in losses totaling nearly $800 million since October 2013. This reflects a 4x increase from our initial report in March, when the figures attributable to this scam stood at roughly 2,000 victims and $215 million in losses.