Social engineering fraud, or as it is sometimes called, business instruction fraud, has unfortunately become all too common. In many instances, the defrauded companies’ losses are huge. In a recent insurance coverage dispute, the social engineering fraud loss involved was not as large as some of the others have been. Unfortunately, and notwithstanding the relatively small size of the loss, the court concluded that coverage for the company’s loss was precluded by the “voluntary parting” exclusion in its crime policy. As discussed below, there are still some lessons to be drawn from this case. Eastern District of Virginia Judge John A. Gibney, Jr.’s February 20, 2020 opinion in the case can be found here.
Continue Reading “Voluntary Parting” Exclusion Precludes Coverage for Social Engineering Fraud Loss

As I have noted in prior posts, a recurring challenge many organizations face these days is the threat of “payment instruction fraud,” also sometimes called “social engineering fraud” or “payment impersonation fraud.” In these schemes scammers use official-seeming email communications to induce company employees to transfer company funds to the imposters’ account. Among the many issues arising when these kinds of scams occur is the question of insurance coverage for the loss. Some victims may expect that their cyber liability insurance will cover their loss.

However, as Lauri Floresca of Woodruff-Sawyer points out in her December 5, 2019 post on her firm’s blog entitled “Payment Impersonation Fraud: Why is This Common Cyber Problem Not a Valid Cyber Claim” (here), these  claims rarely involve the kind of cyber security breach required to trigger cyber insurance coverage. Accordingly, there are other steps well-advised companies may want to take to try to protect themselves from these kinds of losses.
Continue Reading Payment Instruction Fraud and Cyber Insurance Coverage

A recent coverage dispute involving a Nevada club’s losses resulting from its employees’ theft from the club’s customers’ credit cards raises interesting issues with implications for coverage questions for other kinds of losses for which policyholders are seeking crime policy coverage. In the recent Nevada club credit card fraud case, District of Nevada Judge Andrew Gordon held that the club’s crime policy did not cover the club’s losses from the employees’ theft of funds from the customers’ credit card accounts because the losses did not result directly from the employees’ theft. Judge Gordon’s August 6, 2018 opinion can be found here. An August 7, 2018 post on the Wiley Rein law firm’s Executive Summary Blog about Judge Gordon’s opinion can be found here.   
Continue Reading Crime Policy Doesn’t Cover Employee Credit Card Overcharge Losses

In the second policyholder-favorable federal appellate court decision on the issue in a matter of days, the Sixth Circuit has held that the Computer Fraud provisions of a commercial crime policy cover a company’s losses from an email payment instruction fraud scheme. Just last week, the Second Circuit ruled in the Medidata case that Computer Fraud coverage applied to losses incurred in a similar email scam. However, the Sixth Circuit’s decision may be even more helpful for policyholders as, unlike the Second Circuit’s decision, the policyholder-favorable ruling is not as dependent on very specific factual determinations about the way the fraudster manipulated the harmed company’s email program. The Sixth Circuit’s July 13, 2018 decision in the American Tooling Center (ATC) opinion can be found here.
Continue Reading 6th Circ.: Crime Policy’s Computer Fraud Section Covers Email Scheme Losses

In a much anticipated decision, on July 6, 2018 the Second Circuit, applying New York law, affirmed a district court ruling that the computer fraud provisions of a commercial crime coverage section covered the losses Medidata incurred when the company’s employees transferred funds in response to a spoofed email. The appellate court’s opinion could prove valuable for other policyholders seeking to establish that their crime policies provide coverage for losses incurred as a result of social engineering fraud (also known as payment instruction fraud). The Second Circuit’s July 6, 2018 opinion can be found here.
Continue Reading Second Circuit: Computer Fraud Coverage Section Covers Fraudulent Email Funds Transfer

Peter S. Selvin

Over the last several days, I have published several posts discussing important insurance developments relating to social engineering fraud, sometimes called payment instruction fraud. In the following guest post, Peter S. Selvin of the TroyGould PC law firm takes a detailed look at one of these recent decisions, the July 2017 decision in the Southern District of New York involving Medidata (discussed here), and compares it to the subsequent American Tooling Center decision out of the Eastern District of Michigan (discussed here). A version of this article previously appeared in the San Francisco Daily Journal. I would like to thank Peter for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors in topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Peter’s article.
Continue Reading Guest Post: Groundbreaking Cyber Insurance Decision

Jamieson Halfnight
Anne Juntunen

As many readers are aware, there have been a number of recent case decisions addressing insurance coverage issues arising out of social engineering fraud, sometimes known as payment instruction fraud. The recent round of judicial decisions includes a ruling by a Canadian court. In the following guest post, Jamieson Halfnight and Anne Juntunen of the Lerners law firm in Toronto review the recent Canadian decision and discuss it in the context of several recent rulings in the U.S. I would like to thank Jamie and Anne for their willingness to allow me to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Jamieson and Anne’s guest post is set out below.
Continue Reading Guest Post: First Canadian Cyber-Coverage Decision Joins Series of U.S. Judgments on Social Engineering Frauds

Just days after a Southern District of New York judge ruled in the Medidata Solutions decision that the Computer Fraud section of a commercial crime policy covered losses from social engineering fraud  (as I discussed in a post last week), a judge in the Eastern District of Michigan has held that a crime policy’s computer fraud section did not apply to social engineering fraud. Eastern District of Michigan Judge John Corbett O’Meara concluded, based on the specific policy language at issue, that the computer fraud coverage only applied when the fraud directly caused the loss, and that because there had been intervening steps between the computer fraud and the transfer of funds, the coverage did not apply. As discussed below, these recent decisions underscored the problems facing policyholders as they seek insurance coverage for social engineering fraud losses. Judge O’Meara’s August 1, 2017 opinion can be found here.
Continue Reading More about Crime Coverage and Social Engineering Fraud

One of the more vexing threats in the current business environment is the rise of “social engineering fraud” or “payment instruction fraud.” In these schemes scammers using official-seeming email communications induce company employees to transfer company funds to the imposters’ account. Among the many issues involved when these kinds of scams occur is the question of insurance coverage for the loss. In many instances, insurers take the position that because the schemes do not involve a “hacking” of the company’s systems and because the actual funds transfers are voluntary, the loss of funds is not covered under commercial crime policies.

However, in a July 21, 2017 decision (here), Southern District of New York Judge Andrew L. Carter, Jr., applying New York law, held that Mediadata Solutions Inc.’s commercial crime policy covered the company’s loss of $4.77 million transferred in response to an email instruction that falsely appeared to be from the company’s President. The court’s decision raises and addressed a number of interesting issues, as discussed below.
Continue Reading District Court Holds Crime Policy Covers Payment Instruction Fraud

FBIThere recently has been a “dramatic rise” in the incidence of business e-mail compromise (BEC) scams, according to an April 4, 2016 alert from the Federal Bureau of Investigation (here). In these schemes, which are also often referred to as “social engineering fraud” or “payment instruction fraud,” scammers using official seeming email communications induce company employees to transfer company funds to the imposters’ account. According to the FBI, during the period October 2013 through February 2016, law enforcement agencies have received reports of this type of fraud involving 17,642 victims. Complaints involving these kinds of fraudulent schemes have arisen in every U.S. state and 79 different countries and amount to over $2.3 billion losses. As discussed below, these types of schemes are not only a growing concern, but they are increasingly the source of insurance coverage disputes, as well.
Continue Reading The Growing Risk of Payment Instruction Fraud and Related Insurance Coverage Problems