
Phishing Scam is Not Covered Computer Fraud Under Commercial Crime Policy

Adding to the limited number of appellate opinions in the cyber arena, the Fifth Circuit recently found that losses caused by a phishing scam did not trigger coverage under a commercial crime policy’s computer fraud provision. The court’s decision in Apache Corp. v. Great American Insurance Co. reinforces the need for specialized coverage for social engineering attacks.1

What are social engineering attacks?

Social engineering attacks rely on human interaction and the scammer’s social skills to surreptitiously obtain information. Phishing scams, a type of social engineering attack, involve the use of email or malicious websites to obtain personal or corporate information. Often, the scammer assumes a trustworthy persona to solicit information and, when the target responds, the attacker uses the information to access financial accounts. Unlike traditional cyber-attacks—which exploit technology and system-based vulnerabilities—social engineering scams exploit human vulnerabilities and can be difficult to safeguard against.

According to a recent study that surveyed the impact of social engineering attacks on organizations across a wide array of industrial sectors in the United States, 60% of respondents reported that their organizations were or may have been victims of a targeted social engineering attack in the past year. Of these attacks, 65% involved compromised employee credentials and 17% involved breached financial accounts.2
 
Apache Corp. v. Great American Insurance Co.

In this coverage dispute, the Fifth Circuit interpreted a computer fraud provision—often used in the fidelity insurance industry—and concluded there was no coverage for a multi-faceted social engineering scam that did not result directly from computer use. In March 2013, an individual impersonating one of Apache’s vendors called an employee in Apache’s accounts payable department and instructed the employee to change the vendor’s bank account information. The Apache employee advised that a formal written request on the vendor’s letterhead was required.

A week later, the accounts payable department received an email from an account that was similar to the vendor’s email address. This email included as an attachment a signed letter on the vendor’s letterhead instructing Apache to change the bank account information and providing new wiring instructions. An Apache employee called the number on the vendor’s letterhead and an imposter confirmed the authenticity of the request. Apache then approved and completed the change. It deposited roughly $7 million into the phony account before discovering the fraud. Though Apache recovered a substantial portion of these funds, it lost roughly $2.4 million.
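The scheme succeeded because each verification step checked the request against data the impostor supplied (a lookalike sender address and the phone number printed on the letterhead) rather than against data already on file. As an added illustration, not code from the article or from either party, the following Python check compares a bank-detail change request against the vendor record captured at onboarding; the vendor record, the request and all phone numbers and domains are constructed sample values.

```python
# Added example, not from the article: a pre-payment review of a vendor
# bank-detail change request, modelled on the facts of the Apache case.
# VendorRecord / ChangeRequest and every sample value are constructed.
from dataclasses import dataclass

@dataclass
class VendorRecord:
    email_domain: str    # sender domain recorded at onboarding
    phone_on_file: str   # callback number recorded at onboarding

@dataclass
class ChangeRequest:
    sender_email: str
    letterhead_phone: str    # number printed on the attached letter
    callback_number: str     # number the clerk actually dialled

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_change_request(vendor: VendorRecord, req: ChangeRequest) -> list[str]:
    """Return the reasons the request must be held; an empty list means clear."""
    findings = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    expected = vendor.email_domain.lower()
    if sender_domain != expected:
        d = edit_distance(sender_domain, expected)
        kind = "lookalike" if d <= 2 else "unknown"
        findings.append(f"{kind} sender domain {sender_domain!r} (expected {expected!r})")
    if req.callback_number != vendor.phone_on_file:
        findings.append("callback did not use the phone number on file")
        if req.callback_number == req.letterhead_phone:
            findings.append("callback used the number printed on the request itself")
    return findings

if __name__ == "__main__":
    vendor = VendorRecord("vendor-example.com", "+1-555-0100")
    # Lookalike domain ("rn" for "m"), and the clerk called the letterhead number.
    req = ChangeRequest("ap@vendor-exarnple.com", "+1-555-0199", "+1-555-0199")
    for f in review_change_request(vendor, req):
        print("HOLD:", f)
```

A request that fails any check is held for out-of-band confirmation with the number on file; the lookalike threshold of two edits is an assumption and should be tuned to the organisation's vendor list.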

Apache brought a claim for $1.4 million, its loss after the deductible, under the Computer Fraud provision in its commercial crime policy with Great American. This provision provided coverage for losses:

[R]esulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises:

a. to a person (other than a messenger) outside those premises; or

b. to a place outside those premises.

Apache claimed its loss was covered because the phishing email directly caused the transfer of funds. Great American denied the claim, stating the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” The district court granted Apache’s motion for summary judgment, stating “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email as being a ‘substantial factor.’”

The Fifth Circuit disagreed, finding that the loss did not result directly from the computer fraud and vacating the judgment for Apache. In holding that Apache’s loss did not trigger the Computer Fraud coverage, the court stated:

The email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money. To interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would . . . convert the computer-fraud provision to one for general fraud.

The phishing email was “but one step in Apache’s multi-step, but flawed, process that ended in its making required and authorized, very large invoice-payments, but to a fraudulent bank account.”

On November 21, 2016, the Fifth Circuit denied Apache’s motion for reconsideration without comment.3 On December 13, 2016, it denied Great American’s motion to publish the opinion without comment.4

Why the Opinion Matters

Technology and the methods of those who seek to exploit it are evolving faster than the industry and the courts can respond. In Apache, the court took judicial notice “that, when the policy was issued in 2012, electronic communications were, as they are now, ubiquitous, and even the line between ‘computer’ and ‘telephone’ was already blurred.” Against this backdrop, the Fifth Circuit’s decision helps provide certainty and set boundaries for the scope of computer fraud coverage—a standard provision used throughout the fidelity insurance industry. It reaffirms the original intent and scope of this coverage—to provide indemnification for fraudulent acts that are the direct result of computer use (e.g., hacking and unauthorized computer use). Apache confirms that the coverage stops short of multi-faceted social engineering schemes where email is only one component of a complex scam.

As social engineering fraud increases and continues to evolve, policyholders face an increased risk for losses that likely will not trigger coverage under computer fraud and funds transfer provisions. Apache confirms that there is a market for specialized coverage for social engineering schemes and this market will only continue to grow as all industry participants respond to ever-changing cyber security risks.   



1 Apache Corp. v. Great Am. Ins. Co., No. 15-20499, 2016 WL 6090901, 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016).

2 AGARI DATA, INC., EMAIL SECURITY: SOCIAL ENGINEERING REPORT (Nov. 30, 2016), available at https://www.agari.com/project/report-email-security-social-engineering-survey/?pr.

3 Order on Pet. for Rehearing, Apache Corp. v. Great Am. Ins. Co., No. 15-20499 (5th Cir. Nov. 21, 2016).

4 Order on Mot. to Publish Opinion, Apache Corp. v. Great Am. Ins. Co., No. 15-20499 (5th Cir. Dec. 13, 2016).
