Sophisticated cyber crimes have been of great interest in the insurance world for the past decade, but relatively low-tech schemes are also a risk to policyholders and to insurers. Tricking an employee to transfer funds to an unauthorized account is a scam that existed prior to wide-spread use of email and the Internet. For example, the fraudster calls the bank employee, pretending to be his supervisor, authorizing a payment to be made ASAP, or a seller provides “updated” information for a wire transfer at a real estate closing, and the title company sends the funds to the wrong account. More recently, perpetrators of these types of social engineering tricks have made use of email to deliver fake payment instructions, and have infiltrated company or employee accounts to obtain necessary credentials or to create the impression of authority. Depending on the facts of a claim and the terms of specific insurance contracts, policyholders who are the victims of such scams may seek coverage under cyber liability policies or under traditional lines such as crime / fidelity and general liability.
The recent decision by the Eleventh Circuit in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., No. 17-11703 (December 9, 2019), addresses the potential for coverage under a commercial crime policy for a scam in which the controller of the insured company received an email purporting to be from the managing director, asking her to wire funds as soon as possible after receiving details from an attorney, followed by a call that purported to be from a law firm in London providing instructions for transfer to a bank in China. The controller initiated the wire and also responded to questions from a fraud prevention service, incorrectly confirming that the instruction had come from the managing director. This chain of events led to $1.7 million being transferred to the scammers, a loss to the insured entity for which it sought insurance coverage. The company issuing the insured’s commercial crime policy denied coverage, asserting among other things that this scenario did not involve a loss “directly resulting from a fraudulent instruction,” as required under the policy terms. The insured alleged bad faith and brought suit in Georgia state court. The case was removed to federal court by the insurer, where the District Court granted partial summary judgment, finding that the language at issue was ambiguous, but also granting summary judgment for the insurer on the question of whether it acted in bad faith.
The insurer appealed the finding of coverage, and the Eleventh Circuit affirmed judgment for the insured, concluding that the initial email (purportedly from the managing director) and the later email (purportedly from outside counsel) were “part of the same fraudulent transaction,” which together were sufficiently detailed to be a “fraudulent instruction” under the terms of the policy. The Eleventh Circuit also rejected the argument that the loss did not result directly from the fraudulent instruction. It found under Georgia law that intervening acts—here, the series of calls and emails with the purported London attorney and the fraud prevention service—were foreseeable and did not sever the causal chain. The appellate court also rejected the argument that proximate cause should go to a jury, on the basis that the clear evidence could only lead to one reasonable conclusion.
Tricking someone into making an incorrect wire transfer is a scam that can make use of a variety of social engineering elements, including phishing emails, misrepresentations in phone calls and online, and stolen credentials. The facts of each matter and policy language differ, and can lead to different results on the question of what type of policy could be implicated by such a loss. In the Principle Solutions decision, the dissenting judge agreed that the loss involved a “fraudulent instruction,” but would have sent the question of proximate cause to the jury for determination of whether such instruction directly caused the loss. The dissent noted that there were eleven separate steps between receipt of the initial email and the actual transfer of $1.7 million to the fraudster’s account, and that reasonable minds could differ on whether the employee’s incorrect instruction to the fraud prevention unit was the cause of the loss.
For more information regarding this article, please contact Stacey McGraw.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.