No matter the size of the company, many employees have received an email similar to the one below. At first glance, the sender’s email address appears to be legitimate, but a closer look reveals a misspelling in the domain name — a “0” in the domain name instead of an “o.”
To: Employee <email@example.com>
From: The Boss <firstname.lastname@example.org>
Employee, Are you in the office? I need you to make an important payment for me. thanks.
The unwitting employee in this scenario may be asked to transfer funds to a fraudulent account under the guise of consummating a key transaction or acquisition. By the time anyone has realized what’s happened, it’s too late and the scammer is off to an island paradise with the company’s money.
As discussed further below, these digital intrusions pose a substantial risk to companies regularly engaging in large-dollar transfers of money, yet insurance options targeted at mitigating such risks remain in their infancy and courts are split on to what extent other policies, for example crime policies, provide coverage for losses incurred.
As a result, companies large and small should, in addition to implementing security training and practices to identify and avoid losses, look closely at their insurance policies to find and fill gaps in coverage for scam-related losses. Moreover, given the uncertain legal landscape, policyholders should be wary of denials of coverage and, if appropriate, work with coverage counsel to challenge such denials.
The hypothetical presented above is one of many types of social engineering phishing scams that are keeping the FBI’s Internet Crime Complaint Center busy. According to the FBI’s 2018 Internet Crime Report, the Internet Crime Complaint Center received a total of 351,936 scam complaints, with losses exceeding $2.7 billion in 2018 alone.
Among the most prolific of these phishing scams are business email compromise scams, in which scammers use a false or spoofed sender address designed to look like it’s from someone the victim knows and trusts — a coworker, a high-level executive, a longtime vendor or even corporate outside counsel — in an email containing language meant to convey a sense of urgency with the goal of tricking the target company, quickly and without thinking, into transferring large sums of money to the scammer’s account. The targeted nature of this approach has earned it the moniker “spear phishing.”
Such scams can be quite sophisticated, with the potential to trick even the most vigilant employees through multilayered deception. For example, in the Medidata case discussed below, a finance department employee received an email purportedly from the company’s president stating that the company was closing on a strictly confidential acquisition and that the employee would be receiving a phone call from an attorney named Michael Meyer.
The employee received a call from a Michael Meyer, who demanded the employee process a wire transfer. The employee told him that she needed approval for the wire by the company’s president, vice president and director of revenue. Thereafter, the employee, the vice president and the direct of revenue all received an email purportedly from the president’s email address requesting the wire transfer.
The employee initiated a wire transfer for over $4.7 million to the bank account provided by “Michael Meyer,” which the vice president and the director of revenue approved. The company turned to its insurer for coverage for the losses suffered as a result of the scam, which led to the recent U.S. Court of Appeals for the Second coverage decision discussed below.
To be sure, the electronic wire transfer industry is a prolific target. In 2018, the Internet Crime Complaint Center reported losses of $1.2 billion due to business email compromise scams involving wire transfers alone. Business of all sizes are affected by targeted attacks; even large, sophisticated companies have fallen victim to such scams.
For example, in 2019, a lone scammer was indicted after he defrauded two U.S.-based internet companies out of more than $100 million by sending emails requesting payment for invoices that looked like they came from a hardware firm that had previously supplied the tech giants.
So how can a company that regularly completes large-dollar transfers in the ordinary course of business protect itself? From a risk management perspective, the best way to ensure that you don’t fall victim to business email compromise scams is to not get hit in the first place. There are a variety of best practices that companies should implement to reduce their risk of falling victim to business email compromise scams.
While the specifics of such best practices are beyond the scope of this article, companies should, at the very least: (1) through training and simulations, educate all staff, including high-level executives, on how to detect and avoid common scams; (2) monitor company accounts on a regular, even daily basis; and (3) implement multi-step and/or multi-authenticator payment control and approval systems, such as call-back verification by phone.
However, companies that regularly transfer large amounts of money by wire should also review their insurance portfolio and consider their current coverage for business email compromise losses. In response to the growing risk of business email compromise scams, some insurers have started to offer new policy forms or endorsements, often referred to as social-engineering coverage, that expressly address this risk. Social engineering coverage remains in its infancy, however, with only a few insurers offering this option, often at low limits of just $250,000.
However, this relatively low limit is insufficient for potential business email compromise scam losses that can be suffered by companies transferring millions of dollars at a time. As this risk continues to evolve, insurers may recognize this gap in the insurance market, albeit perhaps more slowly than the risk is developing. At least one insurance distributor announced in 2019 a new social engineering product offering with coverage limits of between $100,000 to $10 million.
In the absence of business email compromise-specific coverage, various other types of policies may cover business email compromise losses, including commercial crime policies and wrap business insurance policies that include crime or computer fraud coverage. Though wording can vary from insurer to insurer, such insurance policies typically state that to be covered the computer fraud, defined as theft resulting from unauthorized entry into a computer system, must be a direct cause of the loss.
Insurers have denied coverage for business email compromise losses on the basis that: (1) the loss did not result from direct computer fraud because these scams necessarily involve an intervening authorized actor who consummates the transfer; and (2) receipt of scammer emails does not constitute unauthorized entry within the meaning of the computer fraud policy. Policyholders have challenged these defenses in court, with mixed results.
The U.S. Court of Appeals for the Fifth Circuit and U.S. Court of Appeals for the Ninth Circuit have resolved business email compromise claims in favor of insurers. In Apache Corp. v. Great American Insurance Co., one of the earlier decisions considering coverage for business email compromise losses, an Apache employee received a spoofed email requesting a change to a vendor’s banking information.
After confirming the instructions by calling the phone number in the spoofed email, the employee authorized the change to the vendor’s banking instructions and initiated payments for legitimate invoices to the fraudulent bank account. After realizing it had been scammed, the policyholder sought coverage under a computer fraud provision of a crime-protection insurance policy which covered losses “resulting directly from the use of any computer to fraudulently cause a transfer” of property from the policyholder to a third party.
The Fifth Circuit held that there was no coverage under the policy, finding the payments were not a direct enough result of the use of a computer for computer fraud coverage to be available because, although the email was part of the scheme, it was merely incidental to the occurrence of the authorized transfer of money.
The Ninth Circuit followed the reasoning in Apache under a similar fact pattern in Aqua Star (USA) Corp. v. Travelers Casualty and Surety Co. of America, finding that there was no coverage for losses suffered when Aqua Star sent over $700,000 to a scammer’s bank account after the scammer, posing as a vendor, used a spoofed email address to direct Aqua Star to update the vendor’s bank account information.
The court held that because an authorized employee made the changes in Aqua Star’s system to update the account information, it did not constitute an unauthorized entry but rather fell within an exclusion precluding coverage for losses resulting from the input of electric data by an authorized person.
Additionally, in Taylor & Lieberman v. Federal Insurance Co., a policyholder sought coverage under a computer fraud provision after it transferred client funds to a fraudulent account upon instructions received through a spoofed email. The policyholder argued that it was entitled to coverage because the spoofed emails constituted an unauthorized entry into its computer system and the introduction of instructions that propagated themselves through its computer system.
The Ninth Circuit rejected this argument, holding that sending an email, without more, does not “constitute an unauthorized entry into the recipient’s computer system.” Additionally, the court held that the scammer’s emails instructing the policyholder to make payments “are not the type of instructions that the policy was designed to cover, like the introduction of malicious computer code.”
More recent decisions suggest that case law is beginning to shift in policyholders’ favor. In Medidata Solutions Inc. v. Federal Insurance Co., the U.S. District Court for the Southern District of New York expressly rejected Apache as unpersuasive, holding that the scammer’s spoofing of an email address constituted fraudulent entry of data into a computer system sufficient for computer fraud and that, notwithstanding intervening actions by employees to effectuate a transfer of funds to a scammer, the loss was directly caused by the computer fraud.
Thus, Medidata’s losses as a result of the phishing scam were covered under the computer fraud provision in the insurance policy. The Second Circuit affirmed.
Soon after Medidata, the U.S. Court of Appeals for the Sixth Circuit likewise held in American Tooling Center Inc. v. Travelers Casualty and Surety Co. of America that a vendor-impersonation spoofing scheme resulted in a direct loss attributable to computer fraud, covered by the subject policy. There, like in Aqua Star, the company received spoofed emails purportedly from a vendor requesting that payments be wired to a new account.
The court found that direct causation was established notwithstanding the company’s employees’ actions to consummate the wire transfers because they were all induced by the fraudulent email and rejected application of multiple exclusions to bar coverage.
In sum, given the growing risk posed by business email compromise scams to companies whose business models include large-dollar transfers, in addition to implementing protective best practices, companies should proactively review their insurance coverage with an eye toward business email compromise losses.
Policyholders should consult with their brokers about potentially obtaining coverage intended to cover business email compromise risks, either as a standalone policy or as an endorsement to other policies. Should a policyholder fall victim to a business email compromise scam, it should work with coverage counsel to review all potentially applicable lines of coverage. If coverage is pursued, an insurer denial should not be taken at face value given the developing legal landscape and fact-specific nature of coverage related to business email compromise claims, under which policyholders may have strong arguments for coverage even where the subject policies do not expressly address business email compromise claims.
Jason Rubinstein is a partner and Jasmine Chalashtori is an associate at Gilbert LLP. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 See e.g., https://www.chubb.com/us-en/business-insurance/social-engineering-fraud-coverage-for-crime-insurance.aspx ($250,000); http://onebeaconml.com/sites/OneBeacon/pdf/Microsites/OBML/Sell%20Sheets/OBML-7_Social_Engineering.pdf ($250,000).
 See https://www.amwins.com/about-us/newsroom/amwins-announces-new-social-engineering-crime-insurance-solution ($100,000 to $10 million).
 662F. App’x 252 (5th Cir. 2016).
 Id. at 259; see also, e.g., Incomm Holdings, Inc. v. Great Am. Ins. Co., No. 1:15-cv-2671-WSD, 2017 WL 1021749, at *8–11 (N.D. Ga. Mar. 16, 2017) (“loss did not result from the use of any computer and, even if it did, the loss did not result ‘directly’ from the computer use” because the loss occurred only when transfers were subsequently made, that is, as a result of further human activity).
 719 F. App’x 701 (9th Cir. 2018).
 Id. at 702.
 2017 WL 929211 (9th Cir. Mar. 9, 2017).
 Medidata Solutions Inc. v. Fed. Ins. Co., 268 F. Supp. 3d 471 (S.D.N.Y. 2017), aff’d, 729 F. App’x 117 (2d Cir. 2018).
 729 F. App’x 117 (2d Cir. 2018).
 Am. Tooling Center, Inc. v. Travelers Cas. & Sur. Co. of Am., No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018).