Computer Fraud Coverage For Spoofing Attacks

Computer Fraud Coverage For Spoofing Attacks? Recent Decisions Offer Guidance.

The typical crime insurance policy includes computer fraud coverage, which insures loss resulting “directly from” the use of a computer. As is readily apparent, computers are now used in nearly every aspect of modern business. As a result, the potential losses that can result from the use of a computer have grown exponentially. Courts have struggled, in turn, to define the scope of computer fraud coverage.

This difficulty is apparent in decisions addressing computer fraud coverage for losses arising out of email spoofing. As these cases show, whether or not computer fraud coverage applies to a loss often depends on the extent of computer use involved in the fraud. Below, we discuss email spoofing and recent appellate court cases addressing related losses. Finally, we discuss considerations for any business concerned with its exposure to email spoofing losses.

Some Relevant Terms

The computer fraud coverage of a crime policy typically provides language similar to the following:

The Insurer will pay the Insured for the Insured’s direct loss of … Money, Securities, and Other Property directly caused by Computer Fraud.

Computer Fraud is often defined as: “the use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from inside the Premises or Financial Institution Premises to a person or place outside the insured’s premises.”

“Email spoofing” is the practice of a fraudster sending an e-mail that appears to come from a legitimate and recognized sender. The fraudster either secures unauthorized access to a legitimate account or registers and sends an e-mail from a domain that is a slight alteration of a legitimate domain (e.g., instead of amazon.com, the fraudster may send an email from amazon.net). A spoofed email can come in many forms. It may appear as an email from a fellow employee, an insured’s executive, a vendor, or a customer. It may request sensitive company information, ask the user to click on a malicious link, or request that the user send money to a fraudulent account. In short, spoofed emails are a serious risk to all businesses. Spoofed emails exploit the weakest link in a company’s internet and IT security—the humans who work there. In 2016, the FBI warned that e-mail spoofing had cost corporations more than $2.3 billion in losses since 2013, a number that has surely grown.
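The two impersonation patterns described above (a look-alike domain such as amazon.net standing in for amazon.com, and a trusted person’s name displayed over an outside address) can be screened for mechanically before an invoice or wire request ever reaches a person. The following is an added example, not code from the article or from any of the insurers or courts it discusses; the insured’s domain, the vendor domains, the executive names and the sample From: headers are all constructed for illustration.

```python
"""Screen a From: header for vendor look-alike domains and display-name spoofing.

Added example (not from the article). Allow-lists and sample headers are
constructed; a real deployment would load them from the accounts-payable
vendor master and the corporate directory.
"""
from email.utils import parseaddr

# Constructed reference data: the insured's own domain, domains of vendors
# it actually pays, and names of executives whose approval releases wires.
OWN_DOMAIN = "insured.example"
VENDOR_DOMAINS = {"amazon.com", "acme-supply.example"}
EXECUTIVES = {"jane doe", "john roe"}

# Domains within this edit distance of a known domain are treated as look-alikes
# (catches acme-suppIy vs acme-supply, amazon.co vs amazon.com, etc.).
LOOKALIKE_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_sender(from_header: str) -> tuple[str, str]:
    """Return (display name, address domain), both lower-cased."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return display.strip().lower(), domain


def classify_sender(from_header: str) -> str:
    """Classify a From: header as trusted, lookalike, display-name-spoof,
    external or malformed. Verdict only; the caller decides whether to hold
    the message for review."""
    display, domain = split_sender(from_header)
    if not domain:
        return "malformed"

    known_domains = VENDOR_DOMAINS | {OWN_DOMAIN}
    if domain in known_domains:
        # Legitimate domain, but an executive's name on a vendor address is
        # still suspicious: executives write from the insured's own domain.
        if display in EXECUTIVES and domain != OWN_DOMAIN:
            return "display-name-spoof"
        return "trusted"

    # Medidata pattern: the president's name shown over an outside address.
    if display in EXECUTIVES:
        return "display-name-spoof"

    # Apache pattern: same leading label with a different TLD (amazon.net),
    # or a domain within a couple of character edits of a real one.
    for known in known_domains:
        if domain.split(".")[0] == known.split(".")[0]:
            return "lookalike"
        if edit_distance(domain, known) <= LOOKALIKE_DISTANCE:
            return "lookalike"

    return "external"


if __name__ == "__main__":
    # Constructed sample headers modelled on the fact patterns in the article.
    for header in ("Vendor AP <billing@amazon.com>",
                   "Vendor AP <billing@amazon.net>",
                   "Jane Doe <jane.doe@webmail.example>",
                   "billing@acme-suppIy.example"):
        print(f"{classify_sender(header):20s} {header}")
```

A verdict of `lookalike` or `display-name-spoof` is the point at which an accounts-payable workflow should require out-of-band confirmation of any change to payment instructions, which is exactly the control that was bypassed in each of the cases discussed below. The check deliberately ignores subdomains and does not consult SPF, DKIM or DMARC results; in production it complements those authentication results rather than replacing them.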

Recent Decisions

When an email induces an insured to act in a manner that results in a loss, such as paying an outstanding invoice to a fraudulent account, is that a direct loss resulting from the use of a computer? Case law indicates that, as in most things, it depends.

In one of the earlier decisions addressing this issue, Apache Corporation v. Great American Insurance Company,[1] the Fifth Circuit held that a fraudulent scheme involving a computer did not trigger coverage. The fraud started with a telephone call to an Apache employee. The caller claimed to be a representative of an Apache vendor and instructed Apache to change the wiring instructions for payments to the vendor.[2] The Apache employee told the caller that the account could not be changed without a letter on the vendor’s letterhead.[3] A week later, Apache’s accounts-payable department received an email that appeared to be from the vendor.[4] However, the email was actually sent from a domain name that was slightly different from the real vendor’s domain.[5] The e-mail attached a letter making the account change, and Apache began making payments to the fraudster’s account. After a month of payments totaling nearly $7 million, the fraud was uncovered when the vendor complained about not receiving payment.[6]

The Fifth Circuit held that Apache’s loss did not fall within the computer fraud coverage. The insuring provision provided coverage for “loss … resulting directly from the use of any computer to fraudulently cause a transfer.”[7] The court held that the fraudulent transfer of funds “was the result of other events” and it was “not directly [caused] by the computer use.”[8] According to the court, the email was merely “part of the scheme.”[9] The court was concerned that computer fraud coverage is not intended to provide general fraud coverage and “few—if any—fraudulent schemes would not involve some form of computer-facilitated communication.”[10]

Two more recent decisions from the Fifth Circuit’s sister courts came to a different conclusion. Issued within a week of one another, these decisions found that spoofing-related losses triggered computer fraud coverage. In Medidata Solutions, Inc. v. Federal Insurance Co., the Second Circuit Court of Appeals found that coverage existed for money transferred as a result of a spoofing operation.[11] In Medidata, an employee received an email from what appeared to be Medidata’s president.[12] The email used a malicious code to show the president’s name, email address, and his picture in the “From” box, which was consistent with how internal emails appeared.[13] The email instructed the employee to expect a call from an attorney who was helping the company with an acquisition.[14] The “attorney” called the employee and demanded that she process a wire transfer for the acquisition; the employee replied that she could not do so without approval from the insured’s president, vice president, and another specific executive.[15] The fraudster then emailed the vice president and other executives to instruct them to approve the transfer. After they did so, the employee transferred the money.[16] The employee and VP later learned that the president had not requested the transfer, and the insured subsequently sought coverage under its computer crime coverage.

The Second Circuit held that the computer crime coverage insured the loss. The insuring provision provided coverage for “direct loss … resulting from Computer Fraud committed by a Third Party,” and it defined “Computer Fraud” as “the unlawful taking or the fraudulently induced transfer of Money … resulting from a Computer Violation.”[17] “Computer Violation” meant “the fraudulent: (a) entry of Data into … a Computer System and (b) change to Data elements, or program logic….”[18]

The Court held that the spoofing emails were “Computer Fraud” that resulted from a “Computer Violation.”[19] While there were non-computer events involved in the fraud, the attackers altered the insured’s computer system (so that bogus emails would appear legitimate) and those emails caused a direct loss to the insured.[20]

Approximately one week after Medidata, the Sixth Circuit arrived at a similar decision in American Tooling Center, Inc. v. Travelers Casualty & Surety Co.[21] An unknown third party intercepted an email from American Tooling Center (“ATC”) to its vendors requesting all outstanding invoices.[22] The third party then imitated a vendor and began corresponding with ATC about the invoices. Eventually, the impostor advised ATC that it needed the money wired to a different account.[23] The real vendor had made a similar request in the past, so it did not raise suspicions at ATC. After receiving the new account information, ATC began wiring payments to the impostor’s account.[24] ATC did not discover the fraud until the real vendor demanded payment for its outstanding invoices.[25]

The Sixth Circuit held that the loss was covered by the computer fraud coverage. The policy defined “computer fraud” as “the use of any computer to fraudulently cause a transfer of Money … [to a third party].”[26] The court held that the loss was caused by the computer fraud because “the impersonator sent ATC fraudulent emails using a computer and these emails fraudulently caused ATC to transfer the money to the impersonator.”[27] The court specifically rejected the insurer’s contention that the definition of “computer fraud” required a computer itself to “fraudulently cause the transfer.”[28] The computer fraud coverage was not limited to “hacking and similar behaviors in which a nefarious party somehow gains access to and/or controls the insured’s computer.”[29]

Going Forward

The relative lack of sophistication of spoofing attacks, coupled with the potential for large losses and legal uncertainty as to coverage, creates considerable exposure and a likelihood that challenges to coverage for such events will continue. Cases will continue to go both ways, as insurers and insureds fight over coverage for these mounting losses. Where there are many acts in addition to the spoofing emails, it is possible a court will hold that the computer fraud coverage does not apply, as in Apache. Where the majority of the actions involve spoofed emails, it is possible a court will hold that the computer fraud coverage applies, as in Medidata and American Tooling.

Regardless, the uncertainty of coverage and the certainty of the risk demand that insureds discuss spoofing-related losses with their brokers. Many insurers now offer endorsements designed to provide coverage for spoofing-related losses. Whether that endorsement belongs on a cyber policy or a crime policy is also an issue that the insured’s broker can address. No company is immune to spoofing-related losses, and every company should assess this risk and act accordingly.

It will always remain true that it is better to prevent spoofing-related losses than to look for coverage for such losses. Spoofing attacks prey on under-trained employees and relaxed security policies. Accordingly, as part of cyber risk preparedness, insureds would be well served by cyber security training and counseling, such as how to spot a spoofing email.

[1] Apache Corp. v. Great American Insurance Co., 662 Fed. Appx. 252 (5th Cir. 2016).
[2] Id. at 253.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id. at 254.
[8] Id. at 258.
[9] Id.
[10] Id.
[11] 729 Fed. Appx. 117 (2d Cir. 2018).
[12] Medidata Solutions, LLC v. Federal Ins. Co., 268 F. Supp. 3d 471, 473 (S.D.N.Y. 2017).
[13] Id. at 472.
[14] Id.
[15] Id. at 473.
[16] Id.
[17] Id. at 474.
[18] Id.
[19] 729 Fed. Appx. at 118.
[20] Id. at 118-19.
[21] 895 F.3d 455 (6th Cir. 2018).
[22] Id. at 458.
[23] Id.
[24] Id.
[25] Id.
[26] Id. at 461.
[27] Id. at 461–62.
[28] See id. at 461–62.
[29] Id. at 462.