Phishing and Fraudulent Instructions Under a Commercial Crime Policy
Warnings are plentiful about phishing schemes where a bad actor pretends to be an officer of a company and directs an employee to wire transfer funds to a foreign bank. Despite these warnings, employees regularly fall for these phishing schemes and wire funds to off-shore accounts never to be seen again. Companies that fall victim to these phishing attacks often turn to their insurance policies for a recovery. Among the insurance policies that might provide coverage is the commercial crime policy, which provides coverage for losses directly related to fraudulent instructions. In a recent case, the 11th Circuit was asked to determine whether coverage existed as a matter of law.
In Principle Solutions Group, LLC. v. Ironshore Indemnity, Inc., No. 17-11703 (11th Cir. Dec. 9, 2019), the policyholder fell victim to a phishing scheme where the bad guys sent the policyholder’s controller an email purportedly from the managing director instructing the controller to wire money as instructed by an “attorney” allegedly working on a secret key acquisition for the policyholder. The controller followed the directions and ultimately wired significant sums to a Chinese bank. Before the policyholder’s bank issued the wire, the bank’s fraud unit intervened and held the wire. The controller contacted the “attorney” who confirmed that the managing director had approved the transaction. Upon receiving that information, the bank released the wire. Of course, it was all a fraud and the managing director knew nothing about it.
The policyholder sought coverage under its commercial crime policy, which covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [the policyholder’s] transfer account and transfer, pay or deliver money or securities from that account.” The insurance company denied coverage because the managing director’s purported email did not direct a financial institution to wire the funds, but only told the controller to await the attorney’s instructions. The insurance company also stated that the loss did not result directly from a fraudulent instruction because of intervening communications after the initial email, including the bank’s hold on the wire and phone calls from the attorney claiming that the managing director had given authority for the wire.
In the coverage action brought by the policyholder against the insurance company, the district court granted partial summary judgment to the policyholder based on the court’s finding of ambiguity. On appeal, with one dissent, the 11th Circuit affirmed, but on the basis of the unambiguous policy coverage provisions.
In finding for the policyholder, the majority held that the purported managing director’s email, together with the instructions from the “attorney,” was a fraudulent instruction that directed the bank to wire the funds. The insurance company’s argument was that even though the email may have been a fraudulent instruction, it did not direct the bank to wire the funds. The court rejected this argument, saying that “we are hard pressed to construe the email as doing anything but ‘directing a financial institution to debit [the policyholder’s] transfer account and transfer … money … from that account.’” The court found that the subsequent email from the “attorney” filled in any gap in detail and that both emails had to be read together as a single transaction.
In rejecting the insurer’s argument that the loss did not result directly from the fraudulent instruction, the court found that the ordinary meaning of the phrase “resulting directly from” requires proximate causation between a covered event and a loss, not an immediate link. The court held that as a matter of law there was proximate cause and the intervening communications, including the bank’s hold, were not sufficient to sever the causal chain.
The dissent thought the proximate cause question (whether the bank hold broke the causal chain) should go to the jury.