Is There a Glitch in Insurance Coverage for Social Engineering Scams?

James S. Carter

Social engineering scams seeking to deceive companies into making wire transfers to fraudulent bank accounts continue to plague businesses. According to the FBI, social engineering fraud costs businesses billions of dollars each year.[1] On top of the lost funds, social engineering scams can lead to substantial investigation costs and even litigation.

Many businesses trust their crime or fidelity insurance policies to protect them from social engineering losses. Insurers, however, take the position that such policies do not cover all social engineering scams. Depending on the type of social engineering scam or how it happens to play out, insurers may deny coverage, depriving the policyholder of valuable insurance protection.

Scammers Employ Various Social Engineering Tactics

Gone are the days when scammers sent clumsy e-mails that were obviously attempts at fraud. According to a recent article on Threatpost,[2] one reason social engineering scams remain a persistent and potent threat is that scammers are now using various and increasingly elaborate social engineering techniques to perpetrate their scams, including:

• Executive Impersonation: The scammer sends e-mails that appear to be from a company executive instructing an employee to wire funds to the scammer’s bank account. A variation on this tactic involves impersonating other individuals who appear to be closely associated with senior management, such as a trusted adviser or outside legal counsel.
• Vendor Compromise/Conversation Hacking: The scammer sends an e-mail that appears to be from a vendor, advising the insured’s employee of a recent change in the vendor’s bank account and instructing the employee to send future payments to the “new” account. Sometimes, scammers hack into the vendor’s e-mail system (or gain access to it with the help of a rogue insider) and send e-mails directly from the vendor’s e-mail system, thus inserting themselves directly into an e-mail conversation between the vendor and the insured.
• Customer/Client Impersonation/Hacking: Similar to vendor compromise, this version of the scam relies on impersonating a customer or client. The scammer may request a refund and direct that funds belonging to the client be transferred to a fraudulent bank account. Scammers sometimes even gain access to the customer’s computer system and send e-mails directly from the customer’s account.
• Employee Compromise: The scammer hacks into the company’s computer system and sends e-mails from an employee’s e-mail address to a customer, client, or business partner, with instructions to transfer funds to the scammer’s bank account.
• Credential Phishing: The scammer sends an e-mail that appears to be from a recognized source and prompts the employee to disclose computer login credentials. The scammer then uses the credentials to gain access to the employee’s e-mail account and the company’s computer system.

Insurers May Deny Coverage Based on Social Engineering Tactics

Different social engineering scams may have the same result—funds irretrievably transferred to a fraudulent bank account. Nonetheless, crime and fidelity insurers sometimes draw distinctions between covered and noncovered scams based on how the scam is carried out.

For example, some insurers contend that commercial crime coverage applies only when scammers impersonate a senior executive at the insured’s company. In Principle Solutions Group LLC v. Ironshore Indemnity, Inc., an insurer argued against coverage because the scammer happened to impersonate outside legal counsel, as opposed to one of the insured’s own employees.[3]

In Posco Daewoo America Corp. v. Allnex USA, Inc., a scammer sent e-mails to the insured’s customer, instructing the customer to send payments to fraudulent accounts.[4] The insurer denied coverage on the ground that the insured allegedly did not own the funds.

In Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., after receiving a fraudulent payment instruction seemingly from a supplier, the insured took steps over several days to arrange for the wire transfer.[5] The insurer denied coverage, alleging that the loss was not caused “directly” by computer fraud.

Insurers may now offer social engineering fraud coverage, which is specifically marketed to cover social engineering scams. Yet some insurers may deny coverage on the basis that social engineering coverage applies only in certain situations. For example, insurers may contend that social engineering fraud coverage only applies when the scammer impersonates one of the insured’s executives, directs the fraudulent instructions to one of the insured’s employees, or causes the transfer of funds from the insured’s account (as opposed to a vendor’s or customer’s account).

Policyholders Should Pursue a Comprehensive Coverage Strategy

To policyholders, insurers’ denials of coverage based on the type of social engineering method used or how the fraud happens to unfold seem completely arbitrary. Coverage should not depend on factors that are within the scammers’ discretion.

What can policyholders do when their insurer denies coverage?

First and foremost, policyholders should carefully analyze their commercial crime policies, including the policy language, the relevant facts, and the applicable case law. A denial may not be as airtight as the insurer may attempt to lead the policyholder to believe. For instance, a policy may be ambiguous on its face or as applied in particular circumstances. Some courts have rejected insurers’ attempts to deny coverage based on how the social engineering scam was carried out or unfolded.[6]

In some situations, however, policyholders should look beyond their commercial crime policy to other types of insurance policies. In the aftermath of a social engineering loss, businesses may incur significant forensic investigation costs as they attempt to find out what happened and whether their computer security was compromised. Cyberinsurance may help defray such costs.

Sometimes, social engineering scams snowball into litigation, resulting in substantial defense costs and liability for settlements or judgments. This may happen if, for example, the lost funds belonged to a customer, vendor, or other third party. D&O, E&O, or other forms of liability insurance may provide coverage for such liabilities. For example, in Quality Sausage Co. LLC v. Twin City Fire Insurance Co., a court found that a D&O insurer had a duty to defend a policyholder who was tricked into transferring a customer’s funds to a fraudulent bank account.[7]

Policyholders need not wait for a social engineering loss to lay the groundwork for a successful insurance claim. Policyholders can review their insurance policies to gauge whether their insurer might have a basis to deny coverage for losses based on the type of social engineering method used and whether they should request changes to their policy or shop for another policy.

Conclusion

In an ideal world, insurance coverage for social engineering losses would not hinge on which techniques the scammers chose to carry out their frauds. Unless and until that day comes, policyholders should pursue a comprehensive strategy for securing (and maximizing) coverage for social engineering losses by (1) carefully evaluating the insurer’s bases for denying coverage and (2) considering all policies that may provide coverage, including their cyber, D&O, and E&O insurance policies.


[1] Kate Fazzini, “Email wire fraud is so simple for criminals to pull off, it’s cost companies $26 billion since 2016, says FBI,” Sept. 11, 2019, cnbc.com/2019/09/11/email-wire-fraud-cost-26-billion-since-2016-says-fbi.html.

[2] Evan Reiser, “Understanding the Payload-Less Email Attacks Evading Your Security Team,” June 4, 2020, threatpost.com/understanding-payload-less-email-attacks/156299.

[3] Principle Solutions Group LLC v. Ironshore Indemnity, Inc., 944 F.3d 886 (11th Cir. 2019).

[4] Posco Daewoo Am. Corp. v. Allnex USA, Inc., 2017 U.S. Dist. LEXIS 180069, at *11-12 (D.N.J. Oct. 31, 2018).

[5] Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 430 F. Supp. 3d 116 (E.D. Va. 2019).

[6] See Norfolk Truck Ctr., Inc., 430 F. Supp. 3d at 131 (“The fact that multiple actors are involved in preparing the financial documents does not change the fact the preparation and payment was initiated and completed by the fraudulent transfer of money by the use of a computer.”); American Tooling Center, Inc. v. Travelers Cas. & Surety Co. of Am., 895 F.3d 455 (6th Cir. 2018).

[7] See Order dated September 18, 2019 (Doc. No. 110), Quality Sausage Co. LLC v. Twin City Fire Ins. Co., 4:17-CV-111 (S.D. Tex.) (D&O insurer had a duty to defend a policyholder who was tricked into transferring a customer’s funds to a fraudulent bank account); SS&C Tech. Holdings, Inc. v. AIG Specialty Ins. Co., 2020 U.S. Dist. LEXIS 17201 (S.D.N.Y. Jan. 31, 2020).