September 26, 2020

Volume X, Number 270

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

Social Engineering Fraud and Cyber Insurance – Are You Covered?

Spoofing and phishing are part of what is known as social engineering fraud. Social engineering fraud is typically a type of computer fraud where an employee is misled into believing he or she is communicating with a vendor and is tricked into sending money due that vendor to the fraudster. Many organizations take proactive measures to protect themselves through enhanced IT measures, employee training and the purchase of computer fraud and other types of cyber insurance.

recent district court action in Washington illustrates how social engineering works and highlights the importance of understanding the limitations of the types of insurance coverages companies may have. The case is currently on appeal before the 9th U.S. Circuit Court of Appeals.

Aqua Star, a seafood importer, purchased frozen shrimp from Longwei and pays for that product using wire transfers. In 2013, Longwei’s computer system was hacked.  The hacker appears to have monitored email exchanges between Aqua Star and a Longwei employee.  The hacker began to intercept the email exchanges and sent fraudulent emails using “spoofed” email domains that appeared to Aqua Star to be actual emails.  For example, the hacker substituted the “1” for a lower case “l” so it looked legitimate.  In one of the emails, the hacker directed the Aqua Star employee to change the bank account information for Longwei for future wire transfers.  Aqua Star employees made the changes as directed and transferred $713,890 in payments to the new account.

Aqua Star submitted a claim for the misdirected wires under its Wrap and Crime Policy, which specifically covers computer fraud. Its claim was denied on the basis of an exclusion to the policy, which precluded coverage for loss resulting directly or indirectly from the input of electronic data by a natural person having the authority to enter the insured’s computer system. Because there was no unauthorized use of Aqua Star’s Computer System, coverage was deemed not to apply. The district court’s ruling is consistent with similar precedents.

As social engineering fraud becomes more prevalent and insurance products in the cyber space more diverse, it is important for companies to ensure that their insurance meets their specific needs. We will continue to follow this case.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume VIII, Number 80


About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...