How Email-Based Social Engineering Schemes Work
The criminal indictment in United States v. Adindu provides a useful overview of how email-based social engineering schemes are perpetrated. According to that indictment, Adindu and his co-conspirators targeted individual employees at companies around the world, sending these employees emails purporting to be from supervisors or third-party vendors that did business with those companies. The perpetrators sent their emails from accounts similar to the impersonated parties’ actual email addresses or sent spoofed emails, which appeared as if they were sent from the impersonated parties’ legitimate email addresses. The emails provided directions for the recipients to send wire transfers to third-party bank accounts. After the victims sent wire transfers to the accounts identified in the emails, Adindu and his conspirators withdrew the funds or moved them to new bank accounts. From 2014 through 2016, Adindu and his conspirators targeted thousands of victims worldwide, attempting to defraud them out of millions of dollars.
Three basic methods are used for perpetrating an email scheme: (1) using similar email domains; (2) “spoofing” or manipulating an email header to disguise the true sender of the email; and (3) utilizing email intrusion, in which the perpetrator, unable to access directly the systems needed to effectuate a theft, uses an email account to trick others with access. Having a basic understanding of the mechanics of an email-based scheme will allow a claim handler to better understand the claim and the ways in which the insured can protect itself from a subsequent event.
Some Perpetrators Register and Use Email Domains Similar to the Parties’ Actual Email Domains
The use of similar domain names is straightforward and can be easy to miss, as most recipients do not closely scrutinize the sender’s email address. In a similar domain name scheme, the perpetrator may, as alleged in the Adindu indictment, register an email domain similar to the company’s actual domain. For example, the perpetrator may register the domain “compony.com” to trick the recipients of emails from “company.com.” After creating the similar domain, the perpetrator may create email addresses that otherwise match the employee’s or vendor’s actual email address except for the one letter in the newly created domain (for example, “vendor1@compony.com” instead of “vendor1@company.com”). In some claims that the authors handled, the perpetrators created a false domain for the insured and used that domain to communicate with the vendor, assuring the vendor that payment was coming to prevent the vendor from contacting the insured about the missing payment. This tactic allows the perpetrator to misdirect additional payments and allows additional time for the misdirected funds to settle and be moved out of the recipient bank before anyone learns of the scheme.
Other Perpetrators “Spoof” an Email, or Manipulate the Email Header to Make It Appear the Email Was Sent from Someone Else
A perpetrator may also engage in spoofing, in which the sender alters the email header to make the email appear to be from a different sender than the email was actually sent from. An email contains two basic parts: (1) a message envelope, which contains all the information needed to transmit the email from the sender to the recipient; and (2) the message content, which includes the header fields that the recipient can view. Email recipients do not see the email envelope, as it is only used to send the email and is not part of the actual email message. In a spoofing scheme, the perpetrator manipulates the email header to make it appear that the email was sent from a different email address than that from which it was actually sent (the actual email address appears in the email “envelope”).
The header information below shows an example of a spoofed email (sent by one of the authors’ IT teams to train the firm’s employees). One tell-tale sign of a spoofed email is that the “Reply-To” line reveals a different email address than the “From” line.
From: FedEx <[email protected]>
Date: March 12, 2021 at 6:23:03 PM CST
To: Katherine Musbach <[email protected]>
Subject: Package Could Not Be Delivered
Reply-To: FedEx <[email protected]>
The full email headers can be viewed by going to File > Properties in Microsoft Outlook.
Two tools may help to filter out spoofed emails: Sender Policy Framework (SPF), which specifies the IP addresses of the servers authorized to send email for the sender’s email domain (e.g., “@company.com”), and DomainKeys Identified Mail (DKIM), a digital signature embedded in the email that is used to authenticate it. Domain-based Message Authentication, Reporting and Conformance (DMARC) works with SPF and DKIM to authenticate email, allowing the owner of an email domain to publish a policy that tells receiving mail servers to quarantine or reject messages claiming to come from that domain that fail the SPF and DKIM checks. Most email services use these tools to combat spoofing, and these services have default settings that enable some level of protection.
In Email Intrusion, the Perpetrator Utilizes the Impersonated Party’s Actual Email Account
The final method of perpetrating an email-based scheme is email intrusion, in which the perpetrator gains access to the customer’s or vendor’s actual email system. This can happen through a phishing attack in which the recipient clicks on a malicious link or attachment. The link or attachment will install malware on the recipient’s device. Other perpetrators will use compromised passwords to access email accounts that lack multifactor authentication or are utilizing older applications that use legacy authentication (in which case, even if the insured has multifactor authentication enabled, the bad actor can bypass this control by logging in to the compromised account through older applications that do not support multifactor authentication). Once inside the compromised email account, the perpetrator will send emails attempting to deceive others into transferring funds. In these schemes, although the perpetrator may have gained access to an email account, the perpetrator has not been able to gain the access necessary to directly transfer funds and, therefore, must resort to social engineering.
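The following script is an added example, not code from the article or its authors; it shows how the three methods described above (a look-alike domain, a spoofed header, and a message sent from the real account after an intrusion) leave different traces in the headers a claim handler reviews. It uses only Python’s standard email package; the vendor domain, the three sample messages, and the assumption that the receiving server added Return-Path and Authentication-Results headers are constructed for the example.

```python
"""Triage a suspect wire-instruction email by its headers (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for part in str(value).split(";"):
            part = part.strip()
            for mech in ("spf", "dkim", "dmarc"):
                if part.startswith(mech + "="):
                    verdicts[mech] = part[len(mech) + 1:].split()[0].lower()
    return verdicts


def triage(raw: str, expected_domain: str) -> dict:
    """Report which scheme the headers are consistent with.

    Assumes the receiving mail server recorded the envelope sender as
    Return-Path and its SPF/DKIM/DMARC verdicts as Authentication-Results.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    envelope_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    findings = []

    # Method 1: a registered domain one or two characters off the real one.
    lookalike = (from_dom and from_dom != expected_domain
                 and edit_distance(from_dom, expected_domain) <= 2)
    if lookalike:
        findings.append(f"look-alike domain: {from_dom} vs {expected_domain}")
    # Method 2: visible From does not match Reply-To, the envelope, or SPF/DKIM.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} differs from From domain {from_dom}")
    failed = [m for m, v in auth.items() if v in ("fail", "softfail", "permerror", "temperror")]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))

    if lookalike:
        method = "similar domain"
    elif findings:
        method = "spoofing"
    elif from_dom == expected_domain and auth.get("dmarc") == "pass":
        # Method 3: the real account sent it; only the purported sender can rule this out.
        method = "possible email intrusion"
        findings.append("message authenticates as the real domain; confirm with the sender out of band")
    else:
        method = "undetermined"
    return {"method": method, "findings": findings, "auth": auth}


# Constructed samples: the vendor's real domain is company.com.
LOOKALIKE = """From: Vendor AP <ap@compony.com>
To: ap@insured.example
Reply-To: Vendor AP <ap@compony.com>
Return-Path: <ap@compony.com>
Authentication-Results: mx.insured.example; spf=pass smtp.mailfrom=compony.com; dkim=pass header.d=compony.com; dmarc=pass header.from=compony.com
Subject: Updated remittance details

Please use the new account for invoice 4471.
"""

SPOOFED = """From: Vendor AP <ap@company.com>
To: ap@insured.example
Reply-To: Vendor AP <ap-billing@mail-relay.example>
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.insured.example; spf=fail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=company.com
Subject: Updated remittance details

Please use the new account for invoice 4471.
"""

COMPROMISED = """From: Vendor AP <ap@company.com>
To: ap@insured.example
Return-Path: <ap@company.com>
Authentication-Results: mx.insured.example; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass header.from=company.com
Subject: Updated remittance details

Please use the new account for invoice 4471.
"""

if __name__ == "__main__":
    for name, raw in (("look-alike", LOOKALIKE), ("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        result = triage(raw, "company.com")
        print(name, "->", result["method"], "|", "; ".join(result["findings"]))
```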
Depending on the scope of the carrier’s social engineering coverage, whether the perpetrator used similar domain names, spoofing, or email intrusion may impact coverage. As such, it is helpful for the claim handler to understand how the email scheme was perpetrated. These issues may impact the insured’s decision regarding whether to resubmit payment to a vendor or negotiate a discount to limit the loss. The claim handler will also want to be aware of factual scenarios that could implicate larger issues. For example, if email intrusion was used to send an email from one of the insured’s email accounts, the insured will likely want to contact its cyber carrier (if applicable) and engage breach specialists to ensure that any compromise is resolved. Understanding the method through which the scheme was perpetrated can also impact analysis of subrogation rights and a potential recovery action.
Social Engineering Endorsements Provide Coverage for Some Email-Based Social Engineering Losses
Social engineering endorsements are designed to provide some coverage for specific email-based social engineering schemes. No industry standard insuring agreement exists for social engineering loss, as insurers typically offer this coverage through endorsement. Common endorsements include the corporate deception fraud endorsement, fraudulent impersonation endorsement, fraudulent instruction endorsement, and social engineering endorsement. Despite the many different forms of coverage available for social engineering, a typical endorsement applies coverage for a loss resulting directly from the insured transferring, in good faith, money or securities in reliance upon an instruction directed to the insured to transfer such money or securities from a person purporting to be an employee, customer, vendor, or authorized person of the insured. The typical endorsement further requires that the instruction intentionally misleads an employee through a fraudulent misrepresentation of a material fact, which is relied upon by an employee. The instruction also must have been issued fraudulently by an imposter purporting to be an existing customer, vendor, or employee without the knowledge or consent of the insured, employee, customer, vendor, or authorized person. For example, the Fraudulent Impersonation Endorsement provides:
We will pay for loss resulting directly from your having, in good faith, transferred “money”, “securities” or “other property” in reliance upon a “transfer instruction” purportedly issued by [an “employee”, “customer” or “vendor” as defined therein] but which “transfer instruction” proves to have been fraudulently issued by an imposter without the knowledge or consent of [the “employee”, “customer” or “vendor”]
Some endorsements may have a verification procedure, which must be followed as a prerequisite to coverage. When the endorsement has a verification procedure prerequisite, the insured must verify all “transfer instructions” or all “transfer instructions” in excess of an agreed amount “according to a pre-arranged callback or other established verification procedure. . . .”
In evaluating a fraudulent impersonation claim, the claim handler will want to request sufficient information to verify the key coverage requirements. This information includes the “transfer instruction,” the identity of the individual purportedly issuing the instruction, the transfer made, and, where applicable, evidence of the verification procedure and how it was followed. To properly evaluate these elements of coverage, the claim handler may want to request:
- The “transfer instruction,” which is typically an email: It can be helpful to request the email(s) in .pst format, as this format provides the claim handler with additional information about the instruction. If the email is provided in .pst format, the claim handler can look at the email header and envelope to determine if the email was sent through use of similar domains, spoofing, or email intrusion. If it appears that the perpetrator used email intrusion (the vendor’s or employee’s actual email address), the claim handler will want to verify that the individual whose email address was used did not in fact send the email. In the case of email intrusion, the insured or vendor may also want to consult with a specialist and/or contact their cyber carrier, as there may be a larger problem with their email or computer system. For any email-based scheme, the insured may want to consult with their technology support service to determine whether additional controls can be implemented, such as flagging email sent from IP addresses associated with countries that have high rates of Internet crime.
- Any communication with the sender about the email or wire transfer: The claim handler will want to verify that the purported sender of the email did not send or authorize the email. The insured’s communications with the sender may also reveal information such as the purported sender’s knowledge of irregular or suspicious activity in his/her email prior to the transfer request being sent. This information may be helpful to the insured in determining whether it wants to resubmit payment for the misdirected wire transfer, particularly in instances in which the loss is above the coverage limits. This information also may be helpful to the insured and insurer in determining recovery opportunities.
- Documentation that the purported sender is an “employee,” “customer,” or “vendor”: The claim handler will want to verify that the purported sender meets the definition of someone purporting to be an “employee,” “customer,” or “vendor,” each of which is typically a defined term. Regarding “customer” and “vendor,” most endorsements require that the insured have a preexisting contract with these entities for them to qualify as a “customer” or “vendor.” The simplest way to verify this is to request the relevant contract or other agreement between the insured and the purported sender.
- Written policy or other evidence of the verification procedure: If the endorsement requires a verification procedure, the claim handler will want to request evidence of this procedure to determine what the procedure was and to evaluate if it was followed. Some insureds, as part of the claims process, may also evaluate their verification procedure and modify it in light of how the social engineering scheme at issue occurred despite existing controls. The claim handler may therefore want to be prepared to address go-forward controls with the insured to avoid another incident.
- Evidence that the verification procedure was followed: If the endorsement requires a verification procedure, the claim handler will want to request a sworn statement or other evidence that the procedure was followed prior to the transfer.
- The wire transfer receipts, bank account statement and/or other proof of the wire transfer: The claim handler will need to review the transfer receipt(s) and/or other financial records to establish that the transfer was in fact made.
- The insured’s communications with the banks: The claim handler will want to review the insured’s communications with the bank, the bank receiving the wire transfer, and any institutions through which the funds were transferred. This information will help the claim handler verify that the funds were sent, confirm the amount of the transfer that could not be recovered or frozen, and obtain helpful information that could be used in recovery efforts if the claim is covered in whole or in part.
- Policy application: To obtain social engineering coverage, the insured typically must have certain controls in place to verify transfer instructions. The claim handler may want to verify that the representations made in the policy application were accurate, especially if the claim investigation indicates that the insured did not have controls for verifying transfer instructions.
- Police report and IC3 report: Most insureds tend to make both a report with their local police station and the FBI’s IC3. These reports may provide additional information and context for evaluating the claim.
- Cyber breach report: The insured may have obtained a cyber breach report. Such a report could provide additional information that might be helpful for understanding and evaluating the claim.
- Cyber Carrier: The claim handler will want to ask whether any other insurance carriers have been provided notice of the claim; and, if so, request to be provided with the contact information for the person handling the claim on behalf of that carrier and any coverage correspondence to the insured from that carrier.
- Additional information regarding the unique circumstances of the claim: Each claim is unique and may require additional information to fully understand the claim or evaluate the particular coverage issues implicated by the insured’s policy. The claim handler may want to request additional information to ensure that the claim is thoroughly and fairly evaluated.
Coverage for Social Engineering Is Distinct from Computer Fraud and Funds Transfer Fraud
Some insureds have elected not to purchase social engineering coverage or are faced with a loss in excess of the social engineering policy limits. These insureds often request that their claim be evaluated under other insuring agreements, most frequently the computer fraud and funds transfer fraud insuring agreements. ISO Insuring Agreement 6 provides:
6. Computer And Funds Transfer Fraud
a. We will pay for:
(1) Loss resulting directly from a fraudulent:
(a) Entry of “electronic data” or “computer program” into; or
(b) Change of “electronic data” or “computer program” within;
any “computer system” owned, leased or operated by you, provided the fraudulent entry or fraudulent change causes, with regard to Paragraphs 6.a.(1)(a) and 6.a.(1)(b):
(i) “Money”, “securities” or “other property” to be transferred, paid or delivered; or
(ii) Your account at a “financial institution” to be debited or deleted.
(2) Loss resulting directly from a “fraudulent instruction” directing a “financial institution” to debit your “transfer account” and to transfer, pay or deliver “money” or “securities” from that account.
As explained below, these insuring agreements provide distinct coverages that do not overlap with the social engineering endorsement. Some policies even state that a claim covered under the social engineering endorsement is not covered under any other insuring agreement.
Computer Fraud Requires a Hacking of the Insured’s Computer System
Computer fraud coverage is not a blanket coverage for any loss involving fraud and a computer. Instead, it distinguishes between the business risk of an insured’s acceptance of information electronically and the risk posed by a hacking of the insured’s computer system by requiring proof of a direct loss from a “fraudulent entry” or a “fraudulent change” to electronic data or a computer program. To that end, the typical insuring agreement places “fraudulent” before “[e]ntry” and “[c]hange,” thereby restricting coverage to a hacking, an unauthorized access, or other violation of the integrity of the insured’s computer system, and not merely fraudulent information that happens to be conveyed electronically:
[The] reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself. The intentional word placement of “fraudulent” before “entry” and “change” manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.
Accordingly, when evaluating email-based social engineering claims under the computer fraud insuring agreement, courts recognize that the mere receipt of an email (even one containing false information) is not an “unauthorized entry” within the meaning of the insuring agreement. In Sanderina, LLC v. Great American Insurance Co., the court noted:
[T]his record does not support a finding that merely sending an email to a Sanderina employee constituted direct access to Sanderina’s computer system. Sanderina’s 30(b)(6) representative testified that neither it nor Network Security found any evidence that the perpetrator accessed Sanderina’s computer system. In its opposition, Sanderina conjectures a “high likelihood” that the perpetrator may have accessed Sanderina’s computer system to “case the joint” because the emails were signed “Vic” and sent during the CEO’s vacation. But Sanderina is required to “produce evidence of a genuine dispute of material fact that could satisfy its burden at trial,” and Sanderina’s speculation is not evidence. Because a reasonable person could not find on this record that the perpetrator directly accessed Sanderina’s computer system, there is no genuine dispute of material fact for trial based on the computer-fraud provision.
The direct-loss requirement, explained below, further restricts the causal connection required between the hacking and the insured’s loss. This requirement means that coverage for computer fraud does not extend from the receipt of an email with fraudulent payment information to the decision to transfer funds based on that email, and then to the insured’s sending of the wire transfer.
The “Knowledge or Consent” Requirement Precludes Coverage for a Transfer the Insured Elected to Send, Even If It Was Sent Under False Pretenses
Although some variation exists across policies in how this is accomplished, computer fraud and funds transfer fraud insuring agreements exclude coverage for a transfer effectuated through social engineering. Exclusion 4.d., which applies to computer fraud and funds transfer fraud, provides:
4. Insuring Agreement A.6 does not cover: . . .
d. Fraudulent Instructions
Loss resulting from an “employee” or “financial institution” acting upon any instruction to:
(1) Transfer, pay or deliver “money”, “securities” or “other property”; or
(2) Debit or delete your account; which instruction proves to be fraudulent,
except when covered under Insuring Agreement A.6.a.(2) or A.6.b.
Insuring Agreement A.6.a.(2), funds transfer fraud, is not intended to cover social engineering fraud. The definition of “fraudulent instruction” in the agreement requires an instruction to be issued “without your knowledge or consent.” Other policies place the “knowledge or consent” requirement elsewhere in the insuring agreement or definition so that it applies to all of Insuring Agreement A.6. The claim handler therefore must look to the insuring agreements, definitions and exclusions to determine how the policy restricts coverage for social engineering.
Regardless of the precise policy language, courts generally interpret this requirement as written. For example, the Fifth Circuit recently held that the “knowledge or consent” requirement, which was included in the funds transfer fraud insuring agreement, must be interpreted as written to preclude coverage for a transfer made with the insured’s knowledge, even if the transfer was made in reliance on false information:
[T]he Social Engineering Fraud provision specifically contemplates situations in which an employee relies in good faith on a fraudulent instruction. The Computer Transfer Fraud provision does not. Instead, the Computer Transfer Fraud provision specifically disclaims coverage for transfers made with the insured’s knowledge. Had Axis intended to provide coverage in instances of Computer Transfer Fraud when MSH knew of the transfer but, in good faith, believed it to be legitimate, that provision would have said so.
The claim handler, when asked to evaluate an email-based social engineering claim under the computer fraud or funds transfer fraud insuring agreement, should consider the impact of the “knowledge or consent” requirement on the claim, as this requirement generally precludes coverage for a transfer the insured elected to send, even if the transfer was sent under false pretenses. In addition, the claim handler should consider any exclusions in the policy. Many policies contain additional “funneling” exclusions that further explain the coverage provided by excluding coverage for any claim that is covered under a fraudulent impersonation or other social engineering endorsement.
Significantly, social engineering losses are not covered under the funds transfer fraud insuring agreement for the additional reason that the funds transfer fraud insuring agreement requires the financial institution to have received the fraudulent instruction and to have debited the insured’s account, a situation not typically implicated in social engineering schemes.
The “Resulting Directly from” Requirement Restricts Coverage to Losses that Flow Immediately from the Hacking or Fraudulent Instruction
Computer fraud and funds transfer fraud require the insured to incur a loss of money, securities or other property “resulting directly from” the hacking of the insured’s computer system or the fraudulent instruction to the financial institution. This requirement provides that the perpetrator must input the transfer or instruction, as the insured’s consideration of information (even fraudulent information received under false pretenses) breaks the direct causal chain required by the policy’s plain language:
The email was sent only after Apache’s advising, in reply to the criminals’ change-request telephone call, that the request had to be made on Petrofac letterhead. The criminals complied: by attaching to the email (sent using a slightly different domain name) a letter on altered letterhead; and, as stated in the email, by allegedly mailing that letter to Apache. Accordingly, the computer-use was in response to Apache’s refusing, during the telephone call, to, for example, transcribe the change-request, which it could have then investigated with its records.
No doubt, the better, safer procedure was to require the change-request to be made on letterhead, especially for future payment of Petrofac’s very large invoices. But the request must still be investigated properly to verify it is legitimate. In any event, based on the evidence in the summary-judgment record, Apache followed-up on the request in the email and its attachment. In other words, the authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.
Moreover, viewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because Apache elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.
For this reason, many courts interpreting “resulting directly from” in the context of an email-based social engineering claim find the number of steps between the email and the wire transfer especially informative:
The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. . . but one step in [the insured]’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.
. . . [V]iewing the multi-step process in its simplest form, the transfers were made not because of fraudulent information, but because [the insured] elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.
. . .
[The insured] admits that its employees, eight days after receiving the emails, affirmatively logged onto its bank’s website and created, processed, reviewed, authorized and released the wire transfer. These facts demonstrate that the loss did not result immediately from the alleged hacking, negate proof of causation and mandate summary judgment for Federal.
This “direct-means-direct” analysis is a fundamental principle of commercial crime and related first-party insurance policies. In the context of an email-based social engineering scheme, this language requires an immediate nexus between the hacking and the claimed loss. However, some courts have imported tort-based proximate causation concepts to interpret these policy forms. Although tort-based causation concepts may be useful for interpreting coverage under casualty policies, which are “written with a different intent” to “cover[ ] accidental injury both to person and to property,” these principles are not applicable to first-party coverage disputes arising under financial institution bonds or commercial crime policies. The proper analysis is contract-based and determines whether the claimed loss resulted immediately from the covered risk, which in this case requires a hacking of a covered computer system.
Two opinions from the Eleventh Circuit that articulated seemingly different standards, even when applying the same state law, illustrate this issue. For example, in Interactive Communications International, Inc. v. Great American Insurance Co., a case involving electronic “chits” that can be loaded on reusable debit cards, the Eleventh Circuit explained that “for purposes of InComm’s policy, one thing results ‘directly’ from another if it follows straightaway, immediately, and without any intervention or interruption . . . .” However, the following year, in Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., the Eleventh Circuit explained, in a coverage dispute over a social engineering loss resulting from a fraudulent emailed wire instruction, that “the ordinary meaning of the phrase ‘resulting directly from’ requires proximate causation between a covered event and a loss, not an ‘immediate’ link.” The “direct loss” issue can therefore be nuanced as courts have assigned slightly different interpretations to the term. Therefore, it may be prudent to consult with outside counsel if presented with a claim with potentially nuanced direct-loss issues or in a jurisdiction that may apply a “proximate cause” test.
Coverage Is Limited to the Insured’s Property
Commercial crime policies limit coverage to the insured’s property or property that the insured is holding or for which it is legally liable. This limitation is explained in the following ownership condition:
The property covered under this Policy is limited to property:
(1) That you own or lease;
(2) That is held by you in any capacity; or
(3) For which you are legally liable, provided you were liable for the property prior to the time the loss was sustained.
However, this Policy is for your benefit only. It provides no rights or benefits to any other person or organization. Any claim for loss that is covered under this Policy must be presented by you.
When the insured transfers money, the money will often meet these requirements. However, as more insureds retain information electronically (such as electronic codes or other electronic values), the analysis of whether the property is covered and who owns it becomes more nuanced. The claim handler may want to consult the ownership condition and the policy definitions of covered property to complete his/her analysis, especially when presented with a claim that implicates a non-traditional or electronic property that may otherwise be covered under the policy.
Overlapping Coverage
With coverage under the social engineering endorsement, a commercial crime policy frequently overlaps with fraudulent instruction coverage under a cyber policy. It is important to verify that the insured has made a claim under all potentially applicable policies to ensure that the insured obtains the maximum coverage available and any covered loss is properly allocated. This is accomplished through the “other insurance” provision, which explains how coverage is allocated when the policy is written as primary insurance or excess insurance.
Pursuant to the “other insurance” provision, the claim handler must first evaluate the order of payment of the policies to determine if another applicable policy should pay first. The primary policy or other policy provided for in Condition o.(1)(b) should first pay the loss covered under that policy, with any overlapping coverage allocated in accordance with the proportion of the applicable limit of insurance to the total limit of all applicable insurance also covering that loss on a primary basis. After the primary policy is applied, excess insurance may be available for a loss that exceeds the limit of insurance and deductible of the other insurance, whether or not that insurance is collectable. The “other insurance” provisions exist to provide guidance on which policy should pay and to solve the issue of “over-insurance,” in which an insured may have insurance in excess of its loss amount. “Other insurance” disputes may also implicate the principle of equitable contribution, which is the right of an insurer that has paid more than the amount properly allocated to it to recover the excess from the other insurers under a pro rata allocation, in which each insurer’s responsibility is determined in proportion to the amount of coverage available for the loss under each policy.
Recoveries and Other Considerations
Many insurers elect to receive a formal assignment from the insured and pursue recovery as both a subrogee and assignee. Social engineering and cyber-based losses implicate unique recovery opportunities and theories. The potential sources of recovery may include a technology services company that failed to provide adequate protections to prevent a compromise of the insured or vendor, against which the compromised party has breach of contract and/or tort claims. The bank sending or the bank receiving wire transfers may bear some liability, especially to the extent the bank failed to use appropriate security procedures to safeguard its customer accounts or incorrectly processed the wire transfer. Finally, there may be claims against the impersonated or compromised party, based on failure to exercise ordinary care in conducting business transactions or for breach of contract. Although a litany of potential recovery theories exists, we will focus on potential recoveries against a vendor or customer, as these issues are most frequently of interest to insureds and are a new area of potential recovery.
As email-based social engineering schemes have proliferated, so have the business-to-business disputes over which entity should bear the loss. Indeed, as any experienced claim handler knows, both the impersonated party and the party that sent the wire transfer potentially were negligent to some degree. For example, after a wire transfer is sent to a third-party bank account, the entity that was hacked or spoofed may admit that something seemed “off” about its email or that other customers had received strange emails. At the same time, the entity that sent the wire transfer may have violated an internal policy requiring verification of transfer requests via telephone, or may even have internal emails commenting that a change-of-payment request is odd or should be verified. Insureds may need to decide whether to demand resubmission of the entire amount of the misdirected wire transfer or to negotiate a discount on the amount, especially if they have an excess loss. In such a situation, the claim handler may want to be involved to some extent to ensure the carrier’s subrogation rights are not impaired. Where the insured does not negotiate a discount, a recovery action may still be appropriate, especially when the vendor was hacked or extremely negligent.
The cases addressing vendor or customer liability primarily focus on (1) a judicially created theory imposing a duty to exercise ordinary care in conducting business transactions that draws on the Uniform Commercial Code (UCC) § 3-404(d) (the imposter/fictitious payee rule for negotiable instruments); and (2) a breach of contract theory based on an agreement to safeguard accounts or information. The viability of recovery depends on the strength of the facts supporting each party’s negligence, the contract at issue, and the applicable law.
Arrow Truck Sales, Inc. v. Top Quality Truck & Equipment, Inc. is one of the first cases to apply UCC § 3-404(d) to apportion fault for an email-based social engineering scheme. In Arrow, a truck purchaser sent a wire transfer to a third-party bank account based on fraudulent emailed wire instructions. Although the seller had originally provided the correct wire transfer instructions, a third party compromised the seller’s email account and used that account to send “updated” wire instructions directing payment to an out-of-state bank. The U.S. District Court for the Middle District of Florida conducted a bench trial in which it made the factual findings that neither party was negligent in its maintenance of its email accounts; that both the buyer’s and the seller’s email accounts had been hacked; and that the buyer was in the better position to discover the fraud based on the timing of the emails and the fact that the fraudulent wire instructions involved a different beneficiary, bank, location, and account information from all of the prior wire instructions. The court found it significant that the most recent wire instructions received by the purchaser were the correct instructions. With no applicable case law, the court turned to UCC § 3-404(d) (the imposter/fictitious payee rule for negotiable instruments) to find that the purchaser should bear liability for the wire transfer because it was in the best position to prevent the fraud:
[C]ases in the banking context dealing with third party “imposters” and forged checks . . . are helpful to resolve this issue. Under the “imposter rule,” the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss. See, e.g. UCC § 3-404(d); State Sec. Check Cashing, Inc. v. Am. Gen. Fin. Servs., 409 Md. 81, 972 A.2d 882 (Md. App. 2009).
Here, the Court made findings of fact that Lombardo was in the best position to prevent the fraud. As explained above, Lombardo received fraudulent wire instructions from the third-party fraudster. The instructions involved completely different information from all of the previous instructions. Rather than question this information, which differed from past instructions and identified a different bank, location, and even a different beneficiary, Lombardo testified that he did not care where the wires went and that it was not his business to question the information. Lombardo still did not question the wire instructions, even after receiving the correct instructions contained in the two invoices on February 12, 2014, prior to the money being sent. In other words, the most recent wire information Gelfo provided to Lombardo was legitimate; but the wires were still sent based on the prior fraudulent instructions.
The majority of courts considering liability for email scams have applied the same comparative-fault analysis as Arrow.
In Bile v. RREMC, LLC, a fraudster misdirected a settlement payment for an employment discrimination case. After the parties reached an agreement on the payment arrangements, the plaintiff’s attorney received an email from an “aoi” domain that otherwise matched his client’s AOL email address. This email contained instructions for wire transferring the settlement to an account in the client’s name in London. After confirming that the client did not send the email, the plaintiff’s attorney deleted the email because he believed it was fraudulent. Thereafter, the email account of the plaintiff’s attorney was compromised and used to send an email to the defendant’s attorney requesting the same change in payment information. After receiving this fraudulent email, the defendant wired the funds as requested in the email.
Bile also looked to the same UCC comparative fault analysis as Arrow, even though “Article 3 by its terms governs only negotiable instruments, not contract disputes or wire transfers,” because “Article 3 is persuasive in areas of law in which it does not directly govern,” and the parties agreed to its application. Applying the UCC §§ 3-404 and 3-406 “ordinary care” principles, the court found it significant that the plaintiff’s attorney knew about the earlier fraudulent email, that the email was sent from the attorney’s actual email address, and that the wire transfer was made pursuant to a pre-existing payment request repeatedly discussed via email and phone. Based on these facts, the plaintiff bore responsibility for the misdirected wire transfer, and the defendant was not required to resubmit payment.
The Sixth Circuit applied the same principles in Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., in which it reversed a decision from the U.S. District Court for the Southern District of Ohio. The district court had required an auto dealership, which had wire-transferred funds to a third-party bank account based on an email with false information, to resubmit the payment. The Sixth Circuit’s decision drew heavily on Arrow and Bile, explaining that the decisions “illustrate the principle that losses attributable to fraud should be borne by the party in the best position to prevent the fraud.” The trial court had erroneously viewed the case as simply the purchaser’s failure to pay its supplier. Instead, the Sixth Circuit explained that, as in Arrow and Bile, UCC Article 3 principles should have been applied and the district court should have made a factual finding regarding the parties’ failure to exercise ordinary care and how their negligence contributed to the loss.
The victims of email scams have also turned to contract law, both to pursue and defend against disputes regarding email scams. In 2 Hail, Inc. v. Beaver Builders, LLC, the Colorado District Court, Eighteenth Judicial District, Arapahoe County, rejected the analysis from the Arrow line of cases, explaining that it could not import UCC Article 3 principles into a business transaction. However, the court stressed the need for guidance in this area:
This Court is troubled by an attempt to combine the common law of contracts with the statutory law governing negotiable instruments as set forth in Article 3 of the Uniform Commercial Code. A hacked email transmitting a fraudulent invoice is not a negotiable instrument or even the transmittal of a negotiable instrument. It is a fraudulent act by a con man. This Court declines to adopt the rationale from the Bile opinion.
That being said, this Court is equally troubled by the lack of developed legal authority addressing the issue of whether parties to a business transaction have a duty to each other to take reasonable steps to protect themselves and others from hacking attacks by unscrupulous third-party criminals; and whether a breach of any such duty may relieve a party of its contractual obligations, or perhaps, expose the breaching party to liability in tort, or perhaps through a legislative extension of the Colorado Uniform Commercial Code to cover such conduct.
Therefore, even though the fraudulent wire instructions were sent from the subcontractor’s email account and evidence of negligence existed on the part of both parties, the Colorado court held that the general contractor had to resend the full payment as the subcontractor had performed its contractual duties but not been paid.
In Landale Signs & Neon, Ltd. v. Runnion Equipment Co., the U.S. District Court for the Northern District of Illinois allowed a dispute over liability for a misdirected wire transfer to proceed past the pleadings stage on a breach-of-contract theory. In that case, the purchaser of a truck-mounted crane wire transferred the purchase price to a third party based on fraudulent wire instructions purportedly sent from the seller. Landale Signs involved the unusual situation in which both parties knew of issues with the seller’s email account but nonetheless proceeded to complete the transaction primarily via email. The purchaser alleged that, during the negotiations, it had asked the seller why the seller’s responses were delayed. The seller responded that an unknown third party had previously intercepted emails during a prior transaction (which did not result in a loss) and that there could be some interference with its account. The parties continued to transact the deal over email, but with the seller allegedly agreeing to safeguard its account.
The purchaser brought negligence claims, but the court held that the purchaser’s negligence claims failed under Illinois law, which does not recognize a common-law duty to safeguard another party’s confidential information. The court did, however, allow the purchaser to proceed on claims for breach of express and implied contract based on the theory that the seller “agreed to complete the transaction with the intent to safeguard any sensitive information from disclosure to third parties,” and the “parties’ mutual intent constitute[d] a meeting of the minds regarding safeguarding sensitive information from disclosure to third parties.”
This case law demonstrates that many courts are allowing disputes regarding liability for a wire transfer sent as a result of an email-based social engineering scheme to proceed under either a negligence-type theory (generally based on a UCC Article 3 comparative fault analysis, even though that article by its terms applies to negotiable instruments, not wire transfers) or a breach-of-contract theory, if the plaintiff can allege a duty (such as a duty to safeguard an email account). The claim handler will want to consider these legal theories in determining whether a recovery action is appropriate after a paid claim.
Conclusion
Email-based claims are becoming more common. Claim handlers should ensure that they are familiar with the basic elements of a social engineering claim—a loss resulting directly from the insured having made a transfer in reliance on a fraudulent instruction purportedly issued by an employee, customer or vendor (depending on the coverage offered by the endorsement). The claim handler should be well-versed in why these claims are not covered under computer fraud or funds transfer fraud coverages. A social engineering claim does not implicate these coverages because (1) computer fraud coverage requires a hacking of the insured’s computer system and the mere receipt of an email is not an unauthorized entry within the meaning of the insuring agreement; (2) most policies exclude coverage for a transfer effectuated through social engineering through a “knowledge or consent” requirement or exclusion that precludes a transfer the insured knowingly sent, even if the transfer were induced through false pretenses; and (3) the “direct loss” requirement precludes coverage due to the number of steps between the insured’s receipt of the false email, its decision to transfer money, and the entering and sending of the transfer. In addition, many policies contain a “funneling” exclusion that precludes coverage for any claim covered under a Fraudulent Impersonation or other social engineering endorsement.
Email-based social engineering claims frequently implicate additional considerations. Insureds may have coverage for these claims under both cyber and crime policies, making it important that the claim handler be familiar with how the loss is properly allocated across policies. An understanding of the different techniques the perpetrators of these schemes currently are using—similar domains, spoofing and email intrusion—will help the claim handler address the unique issues implicated by these claims. Indeed, depending on the scheme used, the claim handler may want to request different types of information to fully evaluate the claim. If the perpetrator used email intrusion and/or the vendor or customer was particularly negligent or agreed to maintain the security of its email system, it may be appropriate to discuss with the insured whether it wants to resubmit payment or negotiate an allocation of the misdirected funds, particularly if the insured’s loss exceeds the coverage limits. If the claim is covered, the insurer may also want to consider this information to determine whether the claim is a good candidate for a recovery action.