Social Engineering Fraud and Cyber Insurance – Are You Covered?
Wednesday, March 21, 2018
phishing, fraud, engineering, "spoofing", 9th circuit, Washington
Print Mail Download i

Spoofing and phishing are part of what is known as social engineering fraud. Social engineering fraud is typically a type of computer fraud where an employee is misled into believing he or she is communicating with a vendor and is tricked into sending money due that vendor to the fraudster. Many organizations take proactive measures to protect themselves through enhanced IT measures, employee training and the purchase of computer fraud and other types of cyber insurance.

recent district court action in Washington illustrates how social engineering works and highlights the importance of understanding the limitations of the types of insurance coverages companies may have. The case is currently on appeal before the 9th U.S. Circuit Court of Appeals.

Aqua Star, a seafood importer, purchased frozen shrimp from Longwei and pays for that product using wire transfers. In 2013, Longwei’s computer system was hacked.  The hacker appears to have monitored email exchanges between Aqua Star and a Longwei employee.  The hacker began to intercept the email exchanges and sent fraudulent emails using “spoofed” email domains that appeared to Aqua Star to be actual emails.  For example, the hacker substituted the “1” for a lower case “l” so it looked legitimate.  In one of the emails, the hacker directed the Aqua Star employee to change the bank account information for Longwei for future wire transfers.  Aqua Star employees made the changes as directed and transferred $713,890 in payments to the new account.

Aqua Star submitted a claim for the misdirected wires under its Wrap and Crime Policy, which specifically covers computer fraud. Its claim was denied on the basis of an exclusion to the policy, which precluded coverage for loss resulting directly or indirectly from the input of electronic data by a natural person having the authority to enter the insured’s computer system. Because there was no unauthorized use of Aqua Star’s Computer System, coverage was deemed not to apply. The district court’s ruling is consistent with similar precedents.

As social engineering fraud becomes more prevalent and insurance products in the cyber space more diverse, it is important for companies to ensure that their insurance meets their specific needs. We will continue to follow this case.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins