Spoofing and phishing are part of what is known as social engineering fraud. Social engineering fraud is typically a type of computer fraud where an employee is misled into believing he or she is communicating with a vendor and is tricked into sending money due that vendor to the fraudster. Many organizations take proactive measures to protect themselves through enhanced IT measures, employee training and the purchase of computer fraud and other types of cyber insurance.
A recent district court action in Washington illustrates how social engineering works and highlights the importance of understanding the limitations of the types of insurance coverages companies may have. The case is currently on appeal before the 9th U.S. Circuit Court of Appeals.
Aqua Star, a seafood importer, purchased frozen shrimp from Longwei and pays for that product using wire transfers. In 2013, Longwei’s computer system was hacked. The hacker appears to have monitored email exchanges between Aqua Star and a Longwei employee. The hacker began to intercept the email exchanges and sent fraudulent emails using “spoofed” email domains that appeared to Aqua Star to be actual emails. For example, the hacker substituted the “1” for a lower case “l” so it looked legitimate. In one of the emails, the hacker directed the Aqua Star employee to change the bank account information for Longwei for future wire transfers. Aqua Star employees made the changes as directed and transferred $713,890 in payments to the new account.
Aqua Star submitted a claim for the misdirected wires under its Wrap and Crime Policy, which specifically covers computer fraud. Its claim was denied on the basis of an exclusion to the policy, which precluded coverage for loss resulting directly or indirectly from the input of electronic data by a natural person having the authority to enter the insured’s computer system. Because there was no unauthorized use of Aqua Star’s Computer System, coverage was deemed not to apply. The district court’s ruling is consistent with similar precedents.
As social engineering fraud becomes more prevalent and insurance products in the cyber space more diverse, it is important for companies to ensure that their insurance meets their specific needs. We will continue to follow this case.