Should your crime insurance policy cover computer crimes? Not long ago, both the Second and Sixth Circuit courts of appeal ruled that phishing-related losses are covered. Now, the Eleventh Circuit has also found that phishing losses are covered by a crime policy that includes “fraudulent instructions.”
Phishing is a scam where a fraudster attempts to manipulate a victim through use of emails or fake websites. Typically, the goals are to get the victim to transfer money into the fraudster’s control or to give access to information in computer systems.
In the case before the Eleventh Circuit, a con artist sent an email to the controller of a company called Principle Solutions Group, LLC. The email, purporting to be from the managing director, instructed her to work with a particular lawyer, who was in on the scheme, to make a wire transfer in connection with an acquisition. The scammer impersonating the lawyer then emailed wire transfer instructions to the controller.
Amazingly, the scam went forward despite being flagged by Wells Fargo’s fraud protection service. The bank contacted the controller for verification of the wire transfer. The controller, still believing the fake lawyer, confirmed the transfer and had Wells Fargo remove its hold. $1.7 million was transferred to a Chinese account. The entire scheme was completed in about two hours.
Is this covered by insurance?
Principle’s insurance policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account, and transfer, pay or deliver money or securities from that account.”
Specifically, a “fraudulent instruction” was defined as an “electronic or written instruction initially received by [Principle], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [Principle’s] or the employee’s knowledge or consent.”
The insurer quibbled over whether the scheme actually fit the definition of a “fraudulent instruction” since the fake attorney was not pretending to be a Principle employee. The Eleventh Circuit ruled that the scheme did meet that definition because one of the participants pretended to be the company’s managing director and the other emails were in furtherance of the same scheme.
The insurer also argued that the loss did not result “directly” from the fraudulent instruction. The Eleventh Circuit ruled that the loss did result directly from the fraudulent instruction and was covered by the policy.
If you lose money to a phishing scheme, there are now three precedents finding that such losses are covered by policies protecting against “computer fraud” and “fraudulent instruction.” None comes directly from the 10th Circuit, which covers Oklahoma, but courts here would likely find their peers’ conclusions persuasive.