High Profile "Shark" Gets Phished, Demonstrates Continued Need for "Social Engineering" Insurance

Neal, Gerber & Eisenberg LLP
Media outlets recently reported that Barbara Corcoran, one of the judges on the popular ABC show “Shark Tank,” was the victim of a “spear phishing” scam. See, e.g., https://www.cnn.com/2020/02/27/business/barbara-corcoran-email-hack-trnd/index.html. “Spear phishing” is a targeted form of “phishing” in which someone sends an e-mail to a specific company employee while pretending to be a trusted source, either to obtain money or to gain access to the company’s computer system. See https://usa.kaspersky.com/resource-center/definitions/spear-phishing. In Corcoran’s case, the scammer pretended to be Corcoran’s assistant and sent an e-mail to her bookkeeper asking for nearly $400,000 as a renovation payment on a property. The scammer’s sending address imitated the assistant’s genuine e-mail address but differed from it by a single letter. No one caught the difference, and the bookkeeper wired the money as instructed. Fortunately for Corcoran, the bank used for the transfer froze it before the money could be deposited into the scammer’s bank account in China. See https://www.cnn.com/2020/03/02/business/barbara-cocoran-email-hack-money-returned/index.html.
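The one-letter-off sender address at the center of the Corcoran incident is exactly the kind of thing a mail gateway or a bookkeeper's inbox rule can catch mechanically. The following is an added example written for this page (it is not code from the original article or from the firm): it compares an incoming From header against a small allowlist of trusted contacts and flags addresses within a couple of edits of a trusted one, lookalike domains, and a trusted display name attached to an untrusted address. The contact names and domains in the allowlist and the sample headers are constructed for illustration, not the real addresses involved.

```python
"""Lookalike-sender check: flag From addresses that imitate a trusted contact."""
import email.utils

# Constructed allowlist of trusted senders (hypothetical names and domains).
TRUSTED = {
    "assistant@corcoran-example.com": "Jane Assistant",
    "md@principle-example.com": "Pat Director",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_distance: int = 2) -> dict:
    """Classify a From header as trusted, suspicious, or unknown.

    'suspicious' means the address is not on the allowlist but is within
    max_distance edits of a trusted address or domain, or reuses a trusted
    contact's display name; these are the cases that deserve a callback
    to a phone number on file before any money moves.
    """
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.strip().lower()
    if addr in TRUSTED:
        return {"verdict": "trusted", "address": addr, "findings": []}

    local, _, domain = addr.partition("@")
    findings = []
    for trusted_addr, trusted_name in TRUSTED.items():
        d = levenshtein(addr, trusted_addr)
        if 0 < d <= max_distance:
            findings.append(f"address within {d} edit(s) of trusted {trusted_addr}")
        t_domain = trusted_addr.split("@")[1]
        dd = levenshtein(domain, t_domain)
        if 0 < dd <= max_distance:
            findings.append(f"domain {domain} is a lookalike of {t_domain}")
        if name and name.strip().lower() == trusted_name.lower():
            findings.append(f"display name '{name}' matches a trusted contact but the address differs")

    verdict = "suspicious" if findings else "unknown"
    return {"verdict": verdict, "address": addr, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: the genuine assistant, a one-letter-off spoof,
    # a display-name-only spoof of an executive, and an unrelated stranger.
    for hdr in ["Jane Assistant <assistant@corcoran-example.com>",
                "Jane Assistant <assisant@corcoran-example.com>",
                "Pat Director <pat.director@webmail-example.net>",
                "Someone <someone@other-example.org>"]:
        print(check_sender(hdr))
```

The distance threshold of 2 is deliberately small: a larger value makes every short local part look like every other, while 1 or 2 catches the dropped, swapped, or substituted character that the human eye skips over. A "suspicious" verdict is a reason to pick up the phone using a number already on file, never one supplied in the message itself.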

Corcoran’s near miss notwithstanding, such scams are all too common. The Wall Street Journal reports that in 2019 the FBI received 23,775 complaints of business e-mail compromise and e-mail account compromise scams, up from 20,373 in 2018. See Corinne Ramey, Email Scams Get Savvier, Target Businesses, Wall St. J., Feb. 28, 2020, at A2. The annual estimated losses also increased, from $1.2 billion in 2018 to over $1.7 billion in 2019. Id. The true number of complaints and amount of losses are likely significantly higher, given that many companies do not report when they have been the victims of such scams. Id. The newspaper further reports that scammers are becoming more sophisticated and are continually coming up with new versions of phishing and spear phishing scams. Id.

When cyber liability insurance first came out, it focused on insuring businesses against losses caused by unauthorized access to consumers’ personally identifiable information: credit card numbers, health information, and the like. Bigger enterprises holding large amounts of such data were seen as the primary targets of “hackers” seeking it. Smaller businesses, and those that do not deal directly with consumers, consequently did not necessarily see the need for cyber insurance. Now, however, every business that operates by e-mail (i.e., every business) is at risk of being the victim of an e-mail scam. And, as Corcoran’s experience shows, business savvy is no guarantee of protection.

Fortunately, insurance exists that protects businesses against “phishing” and other “social engineering” scams. Most such insurance is not sold as a stand-alone product, but rather can be purchased as part of a cyber liability or fiduciary/crime policy for an additional premium. Not all such coverage is created equal, however. There is no standard form of social engineering insurance, and the terms and limitations can vary widely. For example, some policies require the insured to have followed “callback verification” or other security procedures before wiring the money. See, e.g., Johns Hopkins Fed. Credit Union v. Cumis Ins. Soc’y, Inc., No. RDB-09-2009, 2010 U.S. Dist. LEXIS 29351, at *4-5 (D. Md. Mar. 26, 2010). A callback is only meaningful if it goes to a telephone number the business already has on file for the requester; a number supplied in the suspicious e-mail itself simply connects the employee to the scammer. Other policies limit coverage to e-mails that purport to have been sent by certain specified individuals or entities (e.g., company executives, vendors, or clients), or require the e-mails to have been received by employees who are responsible for processing requests to transfer money. When considering purchasing social engineering coverage, an insured may find it beneficial to consult with professionals, attorneys and brokers, who can assist in negotiating favorable terms that will stand up in court in the event of a coverage dispute.

There is little in the way of published case law discussing or interpreting social engineering insurance, but what there is suggests that insurers are prepared to dispute claims. For example, in Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the insured lost over $1.7 million in a phishing scheme in which a scammer posed as one of the insured’s executives and persuaded an employee to wire money to a foreign bank account. Id. at 888. The insured’s controller received an e-mail purporting to be from the insured’s managing director, informing the controller that the insured had been working in secret on an acquisition and asking the controller to wire money for the transaction. Id. The e-mail further instructed the controller to wait for further instructions from an attorney supposedly working on the transaction. Id. The controller then received an e-mail from the alleged attorney with details on where to wire the money. Id. In a subsequent telephone call, the purported attorney confirmed to the controller that the managing director had approved the wire transfer. Id. That call went to the scammer’s accomplice, not to the managing director, so it verified nothing. The controller then authorized the insured’s bank to wire more than $1.7 million from its account to the supposed Chinese bank account. Id.

After the insured discovered the fraud it notified its insurer of the loss under a commercial crime insurance policy. Id. The policy covered “loss resulting directly from a fraudulent instruction directing a financial institution to debit [the insured’s] transfer account and transfer, pay or deliver money or securities from that account.” Id. “Fraudulent instruction” was defined as an “electronic or written instruction initially received by [the insured], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [the insured’s] or the employee’s knowledge or consent.” Id. at 890.

The insurer denied coverage, claiming that the initial e-mail purportedly from the managing director did not “direct” the insured to transfer money but only told the controller to await further instructions from the purported attorney. Id. at 889. According to the insurer, the e-mail from the purported attorney may have “directed” the transfer, but it was not a “fraudulent instruction” because it had not come from a purported employee of the insured. Id. at 891. In addition, the insurer argued that the insured’s bank had initially held the transaction pending confirmation from the controller, which, along with the alleged attorney’s involvement, constituted “intervening events” between the instruction and the transfer. Id. at 889.

The Eleventh Circuit rejected the insurer’s “divide-and-conquer approach” and held that the policy covered the $1.7 million loss. It found that the initial e-mail allegedly from the managing director was a “fraudulent instruction” that, together with the purported attorney’s subsequent e-mail, directed the insured to wire the money. Id. at 891. The court noted that “nothing in the policy language warrants the assumption that the two emails could not be part of the same fraudulent instruction.” Id. “Viewing the emails together, the sole purpose of [the attorney’s] email was to provide details to effectuate an explicit instruction to make a wire transfer.” Id. Therefore, both e-mails constituted one fraudulent instruction. Id.

The court also rejected the argument that the controller’s discussions with the purported attorney and the insured’s bank were “intervening events” that broke the causal chain between the initial e-mail and the transfer. The phrase “resulting directly from” requires “proximate causation between a covered event and a loss, not an ‘immediate’ link.” Id. A “proximate cause is not necessarily the last act or cause, or the nearest act to the injury.” Id. at 892. The court concluded that the controller’s communications with the attorney and the bank were not “intervening causes” because the “original wrongdoer” (i.e., the scammers) could have foreseen that their initial e-mail would have caused the controller to communicate with the attorney and the bank. Id. Therefore, the initial fraudulent e-mail was a proximate cause of the insured’s loss. Id.

As much as we all like to think that we would not fall for phishing scams, the reality is that many of us will at some point. It is therefore best to be prepared for such an eventuality by at least considering social engineering insurance. Experienced coverage attorneys can assist insureds in negotiating the insurance, and those same attorneys can help resolve claims in the unfortunate event that they arise.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Neal, Gerber & Eisenberg LLP | Attorney Advertising
