The term Social Engineering keeps cropping up recently in the new world of cybersecurity—to what does this term refer? To a scam as old as the hills. You know the con: an innocuous person asks you to accept a cashier’s check to deposit in your account, and in return just asks you to give them cash—not even the whole face amount—you can keep some for your troubles. Or, a lady dressed as a nun shows you a check she tells you is a donation and asks if she can sign it over to you in return for cash as she does not have time to go to the bank? These cons worked well when we had to stand in line for a teller, but are less prevalent now.
More modern versions include an unsolicited email from an overseas potential new client sent to a gullible lawyer: this client just settled her case and needs a local lawyer with a trust account so that the other party’s settlement money – a cashier’s check – can be deposited and distributed to her. The cashier’s check will come in the mail to the lawyer. More work will follow and this new client is happy to sign a retainer agreement and pay for the services—out of the cashier’s check, of course. The balance is to be wired to the putative client. We have actually seen such scams succeed.
Other sophisticated versions include the fake email messages designed to fool the unwary into clicking into malware, downloading malicious software, and verifying passwords to allow access to private information including, of course, bank accounts. These can be very clever where the hacker impersonates legitimate businesses, people you know, even your company’s own network administrator. Consider this example: **URGENT ** Email from CFO: Please wire funds immediately to our supplier in China because we MUST keep production on line!! Hopefully the salesman will not fall for it.
Other than being hyper-vigilant and careful about any suspicious emails (hint: be sure to pay close attention to the email address of the sender) is there insurance in the event of a loss? This depends on the loss, of course. Installing malware may or may not be covered in a CGL—if actual damage to tangible property occurs—a destroyed hard drive or unusable laptop, for example, coverage may well be possible.
Loss of money, securities or other property, by fraudulent means is often purportedly covered in Crime or fidelity policies. Cyber-crime coverage would appear to cover loss of money by way of computer fraud. However, insurers will resist coverage for these losses in traditional policies, and even Computer Crime policies by arguing that inducing an insured to transfer funds under false pretenses is not theft but rather a voluntary transfer by the insured! Shockingly, some courts have agreed—Great American v AFS/BEX Fin. Servs. Inc., 2008 U.S. Dist. LEXIS 55532 (N.D. Tex.); Pinnacle Processing Group Inc. v Hartford Cas. Ins., 2011 U.S. Dist. LEXIS 128203 (W.D. Wash.); Pestmaster Serv. v. Travelers, 2014 LEXIS 108416 (C.D. Cal.)
Occasionally, courts will enforce coverage for an insured, but only where the insured can show that the thief used instructions that purport to have been authorized, and the insured can otherwise jump through the many hoops required in the policy to obtain the policy benefits. Sb1 Fed. Credit Union v. FinSecure LLC, 2014 U.S. Dist LEXIS 49596 (E.D. Pa.); Morgan Stanley, et al v. Chubb, 2005 NJ Super. Unpub. LEXIS 798 (N.J.); Northside Bank v. American Casualty Co., 2001 WL 34090139 (Pa.)
This highlights the importance of carefully reviewing Crime Coverage, including Computer Crime coverage to determine if the policy language can be negotiated to actually cover fraudulent inducement accomplished over the internet as a computer crime. Terms of the Cyber Insurance policies are often negotiable and a consultation with knowledgeable coverage counsel is recommended so that paying the premiums will not be a futility, and so that when a loss occurs, the policyholder will not suffer a second unexpected loss of insurance coverage.
