Aon  |  Financial Services Group

The Evolving Nature of Social Engineering Claims


May 2024

The Financial Services Group at Aon’s Adam Furmansky and Hunton Andrews Kurth’s Kevin Small and Alice Weeks discuss the evolving nature of social engineering claims and the importance of understanding the breadth of coverage under a crime policy.

Key Takeaways


  • Whether a policyholder suffers “direct loss” from a social engineering scam will depend on the policy language at issue and the governing law.

  • Recent case law trends in favor of finding that a policyholder suffers a “direct loss” when a social engineering scam results in funds being transferred to an impersonator.

  • However, controlling case law still exists in some jurisdictions that strictly construe coverage, making it harder for policyholders to establish coverage for losses resulting from social engineering scams.


A Hypothetical Social Engineering Scenario

Imagine a company places a large order for product with a longtime vendor. The company receives the product and a standard invoice. Before remitting payment, an employee of the company receives an email from a familiar contact in the vendor’s accounts receivable department advising of new banking information and supplying new wire instructions. Although the employee should call the contact to confirm the new wire instructions, the email address and signature block match those in earlier emails. The employee wires the money and carries on with business as usual.

Later, the employee receives an email from the contact at the vendor inquiring about payment as funds had not been received. The invoice was doctored, its sender used a “spoofed” email, the wired funds went to an impersonator, and the company has lost the money.

The next question: do we have insurance? Well, it depends.

The hypothetical described above is a common example of social engineering fraud – a scam designed to exploit a person’s trust in order to manipulate them. Social engineering fraud is not new, but it has risen to another dimension in the digital age, likely because it can be accomplished from behind a computer and requires no actual human interaction.

Victims turn to their insurance policies for coverage, generally seeking reimbursement under crime policies. These coverages typically require the policyholder to suffer a “direct loss” of money or other securities through one or more communication channels. For example, some policies require the “use of a computer,” while others allow telephone, written or electronic instruction.

Perhaps unsurprisingly, policyholders and insurers have disagreed over whether scenarios like the hypothetical described above represent “direct loss” for the policyholder. When a policyholder pays an imposter for goods it received from a vendor and the policyholder retains the goods, questions are raised:

  • Did the policyholder suffer any loss at all at the time the funds are transferred?

  • Does the policyholder have to issue another payment to the real vendor?

  • If an employee is an unknowing participant in the fraudulent scheme and voluntarily processed payment, does that sever the causal relationship required to qualify as a “direct loss”?


Outcomes of Social Engineering Claims Vary

Case law addressing these precise questions under a social engineering insuring agreement is scarce, and this has occasionally resulted in a bit of a quagmire during the claim adjustment process. Fortunately, numerous courts have analyzed the meaning of “direct loss” in other contexts, and those decisions may be used to inform how these questions will be resolved. Recent cases have tended to trend in favor of finding that a policyholder suffers a “direct loss” when a social engineering scam results in funds being transferred to an impersonator, even where the policyholder retained the goods it received and the employee unknowingly participated in the fraudulent scheme. However, case law still exists in other jurisdictions that strictly interprets similar issues, albeit outside of the social engineering insuring agreement, and holds that a “direct loss” requires the fraudster to access the policyholder’s computer system and that no employee knowingly transferred the funds.

One notable court decision squarely addresses many of these issues. A services and equipment company was duped into paying an imposter in a manner similar to the hypothetical described above. The company sought reimbursement under the computer fraud coverage part of its policy, which provided coverage for “the Insured’s direct loss of, or direct loss from damage to, Money, Securities and Other Property directly caused by computer fraud.” The term “computer fraud” was defined as the “use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Financial Institution Premises.”

The insurer denied the claim, asserting a variety of arguments. The insurer argued that the company had retained the product it intended to purchase from the vendor and thus did not suffer a “direct loss” when it made the fraudulent payment. According to the insurer, the company suffered a loss only later, when it agreed to pay the vendor the money that was still owed. In addition, the insurer argued that, under the definition of “computer fraud,” there must be hacking or similar behavior in which a bad actor gains access to the policyholder’s computer, not merely a use of a computer that resulted in the fraudulent transfer. Ultimately, the Sixth Circuit rejected both of the insurer’s arguments.[1]

Continuing the trend of favorable outcomes for policyholders, another notable decision involved a scam perpetrated by an employee. The policyholder owned a hotel that paid commissions to third-party travel agents in return for booking rooms at the hotel. One of the hotel’s employees exploited his position to divert $1 million in commissions owed to legitimate travel agencies to his own accounts. The hotel provided notice under its crime policy, which provided coverage “for loss resulting directly from dishonest acts committed by an employee.” The insurer denied coverage, arguing that the hotel did not suffer a loss when the employee diverted the commission payments because the hotel never paid the actual travel agencies. In other words, the insurer argued that the hotel “did not suffer a loss if the disbursement to [the employee] or his fictitious travel agencies offset a liability owed to a third party.”

The court rejected the insurer’s argument, finding that the “critical element for determining whether a loss occurred is whether there has been a disbursement of funds to the wrongdoer,” and that the fact that the policyholder contractually owed money to the agencies had no bearing on whether the loss was directly suffered by the policyholder.[2] These decisions reflect a trend away from an earlier line of decisions that narrowly interpreted these types of coverages to require a “more direct” and traditional loss.

One of those earlier cases involved analyzing whether the policyholder’s loss “result[ed] directly from the use of a computer.”[3] The facts involved a fraudster who called a natural resources company pretending to be a representative of one of its vendors and requested a change in banking information. The company’s employee advised the fraudster that the change request could not be processed without a written request on company letterhead. The fraudster then emailed the company from a spoofed email address impersonating the vendor and submitted a change request form on the vendor’s letterhead. The change of banking information went through a series of verification steps, including calling the number on the letterhead and confirming the change. A week later the change went into effect, resulting in millions being transferred to the fraudster in payment for legitimate invoices.

After the company uncovered the fraud, it submitted the loss to its computer fraud policy, which covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property.” The insurer denied coverage, asserting that the loss did not result directly from the use of a computer and a computer did not cause the transfer of funds.

The Fifth Circuit agreed with the insurer and held that the company was not entitled to coverage. The court determined that all the other steps involved in the fraud – the initial phone call from the fraudster; the altered letterhead; the verification process; the company’s initiation of payment of legitimate invoices – were not computer-based and were the true cause of the loss. The court concluded that, “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.”


Conclusion

Developments in technology, including the proliferation of artificial intelligence, have the potential to exacerbate social engineering attacks. While every claim is unique and will turn on the policy and facts at issue, recent social engineering claim submissions have largely not encountered the “direct loss” issue. Nevertheless, if such disputes arise, more recent decisions suggest a trend that would favor finding coverage for social engineering losses under crime policies.

The best way to avoid having a disputed claim in the first place is to understand your coverage. Policyholders should confer with their advisors and brokers to determine whether specific social engineering fraud coverage – which is widely available in the market – makes sense for their organization. When a claim does arise, policyholders should work with their broker and counsel to ensure a productive dialogue with the insurer, in order to maximize coverage and minimize the potential for disputes. If you have questions about coverage or are interested in exploring it, please contact your Aon broker.


[1] American Tooling Center, Inc. v. Travelers Casualty & Surety Company of America, 895 F.3d 455 (6th Cir. 2018)
[2] M&C Holdings Del. P'ship v. Great Am. Ins. Co., 2021 U.S. Dist. LEXIS 23691 (S.D. Ohio 202)
[3] Apache Corporation v. Great American Insurance Co., 662 F. App’x 252 (5th Cir. 2016)




Contact


Adam Furmansky is a Senior Vice President and Deputy D&O Product Leader – East with the Financial Services Group at Aon.

Kevin Small is a Counsel and Alice Weeks is an Associate at Hunton Andrews Kurth LLP.

Adam Furmansky
Senior Vice President, Deputy D&O Product Leader - East
New York






About Aon

Aon exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries and sovereignties with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.


©2024 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.