Cyber crime continues to be a growth industry. In 2017, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received 301,580 complaints with reported losses exceeding $1.4 billion. Email-related fraud is significant, with phishing schemes ranked in the top three types of Internet crime along with nonpayment/non-delivery and personal data breach. Business email compromise (BEC) schemes, however, continue to grow and evolve. IC3 reports that, worldwide, BEC losses exceed $12 billion, having increased 136 percent between December 2016 and May 2018.
Email schemes may involve direct hacking into a victim’s computer or social engineering techniques. In a common social engineering scenario, a company’s employee, relying on one or more emails appearing to be from a legitimate source, will cause funds to be transferred to a purported customer or vendor. In reality, the recipient is an imposter diverting the funds from the appropriate payee.
As social engineering schemes have grown and evolved, so too has the body of case law addressing whether crime coverage policies provide coverage to insureds who fall victim to email fraud. Multiple decisions have grappled with whether social engineering schemes constitute covered “computer fraud” under such policies. The issue is complex because such schemes typically involve some kind of human error, thus raising questions concerning whether the email was the proximate cause of an insured’s loss. While decisions are mixed, a number of recent cases have held in favor of coverage, leading to speculation of an emerging trend.