
The Fidelity

Law Journal

published by

The Fidelity Law Association

Volume XXII, November 2016

Editor-in-Chief Michael Keeley

Associate Editors Carla C. Crapster Robert J. Duke

Adam P. Friedman Ann I. Gardiner Jeffrey S. Price John R. Riddle Daniel J. Ryan Joel Wiegert

Cite as XXII FID. L.J. ___ (2016)


THE FIDELITY LAW ASSOCIATION

Executive Committee

President Robert Olausen, ISO Solutions

Immediate Past President Michael Retelle, CUMIS

Vice President Dolores Parr, Zurich

Secretary Michael V. Branley, The Hartford

Treasurer Timothy Markey, CNA

Members Ann Gardiner, ABA Insurance Services, Inc.

Mark Struthers, CUMIS

Advisors Emeritus Samuel J. Arena, Jr., Stradley, Ronon, Stevens & Young, LLP

Armen Shahinian, Chiesa Shahinian & Giantomasi PC

Robert Briganti, Belle Mead Claims Service, Inc.

Michael Keeley, Strasburger & Price, LLP

Harvey C. Koch, Montgomery Barnett, LLP

Advisors CharCretia V. Di Bartolo, Hinshaw & Culbertson LLP

Gary J. Valeriano, Anderson McPharlin & Connors LLP

The Fidelity Law Journal is published annually. Additional copies may be purchased by writing to: The Fidelity Law Association, c/o Chiesa Shahinian & Giantomasi PC, One Boland Drive, West Orange, New Jersey 07052. The opinions and views expressed in the articles in this Journal are solely of the authors and do not necessarily reflect the views of the Fidelity Law Association or its members, nor of the authors’ firms or companies. Publication should not be deemed an endorsement by the Fidelity Law Association or its members, or the authors’ firms or companies, of any views or positions contained herein. The articles herein are for general informational purposes only. None of the information in the articles constitutes legal advice, nor is it intended to create any attorney-client relationship between the reader and any of the authors. The reader should not act or rely upon the information in this Journal concerning the meaning, interpretation, or effect of any particular contractual language or the resolution of any particular demand, claim, or suit without seeking the advice of your own attorney.

The information in this Journal does not amend, or otherwise affect, the terms, conditions or coverages of any insurance policy or bond issued by any of the authors’ companies or any other insurance company. The information in this Journal is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends upon the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law.

Copyright © 2016 Fidelity Law Association. All rights reserved. Printed in the USA. For additional information concerning the Fidelity Law Association or the Journal, please visit our website at http://www.fidelitylaw.org.

Information which is copyrighted by and proprietary to Insurance Services Office, Inc. (“ISO Material”) is included in this publication. Use of the ISO Material is limited to ISO Participating Insurers and their Authorized Representatives. Use by ISO Participating Insurers is limited to use in those jurisdictions for which the insurer has an appropriate participation with ISO. Use of the ISO Material by Authorized Representatives is limited to use solely on behalf of one or more ISO Participating Insurers.


SOCIAL ENGINEERING: IS THE MANIPULATION OF HUMANS A COMPUTER FRAUD?1

Scott L. Schmookler

Christopher M. Kahler

Scott L. Schmookler and Christopher M. Kahler are partners with Gordon Rees Scully Mansukhani, LLP in Chicago, Illinois.

“Every single scam in human history has worked for one key reason; the victim did not recognize it as a scam.”2

I. INTRODUCTION

Crime, whether perpetrated through traditional check fraud, corruption, cybercrime, or accounting fraud, is a concern for organizations of all sizes, across all regions, and in every sector.3 With the increasing reliance on technology in all aspects of business, criminals have moved away from theft of physical assets. While robbery of vaults posed the greatest risk to banks in the 1930s, computer-related crimes now pose one of the greatest and most pervasive threats to businesses.

The growing use of technology-enabled processes exposes a wide variety of businesses to cybercrime. The threats span from theft of data directly (leading to theft of financial assets) to the theft of personal data (that can be used to assemble an attack on financial assets). These thefts can threaten processes from point of sale purchases by debit/credit cards in the retail environment, to ATM transactions in the banking environment, to e-commerce or on-line sales, and to electronic business communications.4

1 Christopher Hadnagy, Social Engineering: The Art of Human Hacking (Wiley Publ’g, Inc., 1st ed. 2011).

2 Chris Hammond-Thrasher, Hacker Tool Talk: Kismet, Security Through Knowledge, CIPS Edmonton Dinner Meeting (Oct. 2011), quoting R. Paul Wilson, http://ab.cips.ca/NewsEvents/Lists/Events/Attachments/190/Hacker%20tool%20talk%20-%20kismet%20cips%20edm.pdf.

3 2015 U.S. State of Cybercrime Survey, PwC (May 2015), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2015-us-cybercrime-survey.pdf.

Recent studies illustrate the increasing threat of electronic crime. In 2015, more than three out of four (79%) respondents to the U.S. State of Cybercrime Survey detected a security event in the past twelve months—an increase of 28% from the prior year.5 In 2014, that percentage reflected approximately 1 billion data records being compromised.6 On average, survey respondents reported more than 135 security incidents per organization,7 with an average monetary loss of $415,000.8 A separate study of data breach losses between 2011 and 2013 estimated that the median loss was approximately $144,000 and that the median cost for crisis services, such as customer relations, was $110,594.9

Recent news demonstrates that cyber criminals remain an active and pervasive threat, imposing greater losses to both public and private entities. Major retailers, for example, continue to experience loss of client information.10 Cyber criminals have stolen private health information.11 Even the United States is a target, losing private information on 4.2 million employees and contractors.12 These breaches are noteworthy for their size and scope, but also because they reflect the fact that every segment of business or government is at risk.13

4 Computer Security Institute, 2010/2011 Computer Crime and Security Survey (May 31, 2011), http://reports.informationweek.com/abstract/21/7377/Security/research-2010-2011-csi-survey.html.

5 2015 U.S. State of Cybercrime Survey, supra note 3.

6 Id.

7 Computer Security Institute, supra note 4.

8 Id.

9 Net Diligence, 2015 Cyber Claims Study, http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf (last visited June 28, 2016).

10 Paula Rosenblum, The Target Data Breach is Becoming a Nightmare, FORBES (Jan. 17, 2014), http://www.forbes.com/sites/paularosenblum/2014/01/17/the-target-data-breach-is-becoming-a-nightmare/#1cedf30e4b29.

11 Charles Riley, Insurance Giant Anthem Hit By Massive Data Breach, CNN MONEY (Feb. 6, 2015), http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security/.

These losses span every form of business because every business segment has increased its reliance on technology, shifting traditional data storage from the file cabinet to an electronic environment. Because cyber criminals employ several measures to breach computer systems and seize sensitive business information, businesses have implemented technical security measures to make technological attacks more difficult and costly. For instance, businesses employ software that analyzes emails to filter out potential malware or viruses. Businesses design segregated network systems to sequester malicious code that has infiltrated the computer system. Businesses institute security protocols, such as requiring employees to change passwords at regular intervals, to avoid the staleness of routine passwords.14

Such security measures, however, are subject to a single weakness—humans. Non-malicious employee error is the number one cause of data security breaches.15 Because of this inherent weakness in increasingly sophisticated technological defenses, cyber criminals have shifted their focus away from pure technological attacks and have increasingly attacked employees through the use of “social engineering,” a collection of techniques used to manipulate people into performing actions or divulging confidential information.

12 Cybersecurity Resource Center, What Happened, Office of Personnel Management, https://www.opm.gov/cybersecurity/cybersecurity-incidents/ (last visited June 7, 2016). Furthermore, an international law firm was the victim of a data breach which exposed tax havens for wealthy clients. Richard Bilton, Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens, BBC NEWS (Apr. 4, 2016), http://www.bbc.com/news/world-35918844 (last visited June 30, 2016).

13 Your Encrypted EMR May be Hemorrhaging Data, MEDLAW.COM (Sept. 11, 2015), http://www.medlaw.com/category/hipaa/; Numaan Huq, Follow the Data: Analyzing Breaches by Industry, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf (last visited June 28, 2016); Ponemon Institute LLC, 2016 Cost of Data Breach Study: United States (June 2016), https://securityintelligence.com/media/2016-cost-data-breach-study/ (last visited June 25, 2016) (noting the percentages as: business, 18.1%; healthcare, 26.9%; financial, 22.3%; education, 16.8%; and, government, 15.9%).

14 Michael Cobb, 2015 Strategic Security Survey, InformationWeek (September 2015), at 18-19, http://reports.informationweek.com/abstract/21/12549/Security/2015-Strategic-Security-Survey.html.

Security is all about knowing who and what to trust. It does not matter how many locks you install, if you blindly trust the person knocking on the front gate and let him in without verifying his legitimacy, you are exposing yourself to whatever risk he represents. In the cyber context, securing hardware and software is relatively easy and can be achieved through technology. However, the weakest point in the organization’s security defenses is the human operator because he has the ability to ignore or circumvent protocol and technology when he accepts a person or scenario at face value. Thus, cyber criminals are increasingly attacking the human, rather than the machine.

Such schemes are commonly referred to as social engineering: “Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”16 These schemes succeed because humans have a tendency to trust other people. Social engineers exploit human emotions (such as fear, curiosity, the natural desire to help, the tendency to trust, and laziness) to bypass the most iron-clad security measures and gain access to systems. The success of such schemes does not rely upon sophisticated technology but depends solely upon employee error.

Social engineering is not a new concept. A social engineer is nothing more than a con man who uses technology to swindle people and manipulate them into disclosing passwords or bank information or granting access to their computer. The employee’s error then allows the social engineer to improperly receive funds, gain access to passwords, insert malicious software to gain control over the computer system, or install ransomware to threaten the organization. Because of the reliance on human emotion, these schemes are pervasive and successful.17 Indeed, the reported number of social engineering-type schemes targeting employees increased by 55% in 201518 and is the leading threat to organizations.19

15 Experian, 2016 Data Breach Industry Forecast; Ponemon Institute, 2016 Cost of Data Breach Study: United States (June 2016) (39% for phishing in comparison to 19% for malware).

16 A Convicted Hacker Debunks Some Myths, CNN.COM (Oct. 13, 2005), http://edition.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html.

Faced with a loss due to social engineering, companies will commonly look to recover under their crime policies (reasoning that their loss must be covered because it is due to a crime), under a cyber policy (because the scheme involved a cyber criminal), and/or under a professional liability policy (if the loss involves customer funds). With that background in mind, this article first explores social engineering, then discusses coverage for first-party loss under a commercial crime policy, and finally explores coverage for claims involving the loss of customer funds.

17 This battle through technology is not unique to computer systems, but is common throughout human history. Kevin Segreti & Jeff Cherrington, Castle Walls Under Digital Siege: Risk-based Security and z/OS (2015), available at http://www.slideshare.net/CAinc/castle-walls-under-digital-siege-riskbased-security-for-zos. The siege of castles provides a tangible demonstration. Castles originally relied upon simple walls and gates for protection; however, as attackers developed the technology to climb the walls, then the walls became higher. When the attackers were able to penetrate smaller gates or doors, then castles designed one single, fortified gate. When the attackers developed technology to batter down the walls, then the walls became thicker. As discussed in this article, though, all of the castle defense technology was useless if a castle guard was manipulated to hold the door open for the attackers.

18 Symantec, Attackers Target Both Large and Small Businesses (not dated), https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf.

19 Experian, supra note 15; Cobb, supra note 14.

II. WHAT IS SOCIAL ENGINEERING?

The term “social engineering” derives from J.C. Van Marken, a Dutch industrialist. In 1894, he espoused the theory that employers needed assistance from specialists (or sociale ingenieurs) to confront human societal problems (similar to the technical expertise provided by engineers in confronting problems in structural design).20 In 1899, Dr. William Tolman described “the business of the social engineer” as “the institution and supervision of all sorts of movements that will improve the condition of the wage earner . . . .”21 Several years later, the term was utilized to embody the principle that government or other institutions could manipulate citizens to act in a desired manner or adhere to a particular political belief.22

Social engineering encompasses all forms of crime, such as the classic con game and Ponzi scheme. At its core, social engineering is theft with the absence of strong-armed tactics such as violence or the threat of violence. For instance, in 1849, the New-York Herald reported on a “confidence man” that was stealing money and property by manipulating residents of the city.23 The newspaper described the confidence man’s actions as such:

[H]e would go up to a perfect stranger in the street, and being a man of genteel appearance, would easily command an interview. Upon this interview he would say after some little conversation, ‘have you confidence in me to trust me with your watch until tomorrow;’ the stranger at his novel request, supposing him to be some old acquaintance not at that moment recollected, allows him to take the watch, thus placing ‘confidence’ in the honesty of the stranger, who walks off laughing and the other supposing it to be a joke allows him so to do.24

20 World Heritage Encyclopedia, Social Engineering (Political Science), available at http://www.gutenberg.us/articles/social_engineering_(political_science).

21 Dr. W.H. Tolman, N.Y. TIMES (July 17, 1898), at MS 7; accord Ilya Gerasimov, Redefining Empire: Social Engineering in Late Imperial Russia 229-272 (2009), available at http://www.academia.edu/3989581/_Redefining_Empire_Social_Engineering_in_Late_Imperial_Russia_in_Projects_and_in_Practice.

22 PETER SWIRSKI, AMERICAN UTOPIA AND SOCIAL ENGINEERING IN LITERATURE, SOCIAL THOUGHT, AND POLITICAL HISTORY (Routledge 2011); https://en.wikipedia.org/wiki/Social_engineering_(political_science). Over the last hundred years, governments employed social engineering to achieve a variety of results, with a prime example being the Soviets’ use of propaganda to alter the social structure from Tsarist Russia to communism. Gerasimov, supra note 21, at 229-72.

23 Arrest of the Confidence Man, N.Y. HERALD (July 8, 1849), http://lostmuseum.cuny.edu/archive/arrest-of-the-confidence-man-newyork-herald.

Such implementation of manipulation and persuasion is timeless. Social engineering has adapted to the modern computing era and the term describes criminals that manipulate people to unwittingly provide money or information, rather than taking it by attacking the computer systems.

Social engineering is defined as “the act of influencing a person to accomplish goals that may not be in the person’s best interest.”25 Social engineering involves the thief’s manipulation of a victim’s understanding of a transaction or scenario, so that the victim unwittingly and voluntarily provides the thief with funds or information. The FBI defines the modern social engineer as “social or human hackers who specialize in exploiting personal connections through social networks . . . the social engineer manipulate people through social interactions (in person, over the phone, or in writing).”26 Rather than use direct attacks on a business’s computer system, social engineers will use websites or emails to trick an employee into providing information to the criminal, or transferring funds to the criminal’s bank account. This allows the criminal to avoid the “brute force” necessary to circumvent the technological protections a corporation may employ, such as firewalls and password security.

24 Entertaining and instructive examples of non-cyber social engineering schemes can be found in the movie “Catch Me If You Can,” which details con artist Frank Abagnale’s manipulation of victims by pretending to be authority figures, and “The Usual Suspects,” which details a fictitious social engineering scheme.

25 Lillian Ablon, The Outsider Threat, THE CIPHER BRIEF (Oct. 19, 2015), https://www.thecipherbrief.com/article/social-engineering.

26 Federal Bureau of Investigation, Internet Social Networking Risk, https://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks-1.

There is not one defined social engineering technique utilized by cyber criminals; instead, they use a variety of tools to engineer a situation in which an employee will unwittingly violate security protocol and infrastructure. At the core of the schemes detailed below is the manipulation of the natural human tendency to trust and accept representations at face value.27 In other words, if someone presents herself as a certain person, then people tend to believe the statement. The social engineer’s “arsenal” is not “magic,” rather:

The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But unlike most of us, the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.28

In other words, the social engineer relies upon natural human tendencies in combination with corporate structure. In the context of an organization, several factors contribute to why social engineering schemes are the leading threat to businesses:29

• Trappings of role—the social engineer creates the appearance of legitimacy, by using technical or industry jargon;

• Credibility—an aura of authenticity is created by drawing the employee into purported organizational confidences;

• Systematic thinking—this attribute is essential because a fraudulent instruction or request that is within the employee’s organizational role will result in compliance;

• Fear of reprisal—it is easier for an employee to comply with an alleged vendor’s request or superior’s directive than to risk the consequences of questioning the purpose or legitimacy of the information;

• Desire to help—by responding to a social engineer’s inquiry or completing the task, the employee feels empowered and productive.

27 Ablon, supra note 25.

28 KEVIN MITNICK & WILLIAM SIMON, THE ART OF INTRUSION: THE REAL STORIES BEHIND THE EXPLOITS OF HACKERS, INTRUDERS & DECEIVERS, at 232-238 (Wiley Publ’g, Inc., 1st ed. 2005).

29 Id.

There are several prominent schemes that cyber criminals may use to manipulate a human target to provide access to information or funds, but they all rely upon people’s tendency to conform to systematic thinking and their roles within organizations.30 A few common examples illustrate how social engineers prey on these traits.

A. Phishing Schemes

A common scheme is “phishing,” which is described as “the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”31 Through phishing, the cyber criminal will send mass emails or text messages that contain what appears to be the imprimatur of a legitimate entity or individual, such as the corporate logo.32 These messages explain that there is a problem requiring the recipient to “verify” information by clicking on the displayed link and entering information into a form. The phishing email will then request that the recipient click on a link which installs malicious code.

The phishing email could also request that the recipient click on a link which brings the recipient to a spoofed website. Because the cyber criminal has painted the website or email with the aura of authenticity, the link location will naturally appear legitimate. The recipient is then tricked into entering his credentials, which allows the cyber criminal to obtain information to access the recipient’s or his organization’s systems and confidential information.

These schemes depend upon gullibility.33 Because this trait is unobservable, social engineers use phishing emails to get those who possess this quality to self-identify. Once they do so, the social engineers can corrupt secure systems and implant malicious programs or executables (thereby enabling the cyber criminal to perform various tasks or spy on the user’s computer activity). Phishing schemes are very effective and accounted for 31% of the cyber thefts in 2014.34 Furthermore, a recent study found that there is a 90% chance that at least one person will get hooked by the scheme.35 This success rate explains why social engineers will use a low-cost scheme such as phishing instead of directly attacking a computer system.

30 Id.

31 Security Through Education, http://www.social-engineer.org/framework/general-discussion/real-world-examples/phishing/ (last visited June 27, 2016).

32 There are several subsets of phishing such as “spear phishing” in which a spoofed email is targeted at a specific individual and contains information customized to that individual, while “whale phishing” is customized emails targeted at C-suite officers. Ablon, supra note 25.
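The spoofed-website link described above has a mechanical tell a mail filter can check before a recipient ever sees the message: the domain the link text displays is not the domain the href actually resolves to. The Python script below is an added example written for this page (not code from the article or any source it cites); the HTML message, host names and helper names are constructed, and the registrable-domain reduction is deliberately crude.

```python
"""Flag anchors in an HTML e-mail whose visible text names one domain while the
href points somewhere else, the "spoofed link" pattern phishing relies on.
Added example for this page; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside visible link text, e.g. "www.bank.example.com"
# or a full URL. Plain words such as "click here" never match because a dot
# followed by another label is required.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable(host: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels.
    Good enough for the demo; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return the anchors whose displayed domain and real destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        actual_host = (urlparse(href).hostname or "").lower()
        if not actual_host:
            continue  # mailto:, relative paths etc. carry no host to compare
        shown = _HOST_IN_TEXT.search(text)
        if not shown:
            continue  # visible text is ordinary words; nothing is being imitated
        shown_domain = registrable(shown.group(1))
        actual_domain = registrable(actual_host)
        if shown_domain != actual_domain:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown_domain,
                             "actual_domain": actual_domain})
    return findings


# Constructed sample: the first link displays the bank's address but resolves
# elsewhere; the second is an honest link with descriptive text.
SAMPLE_EMAIL = """<p>Your account has been limited. Please visit
<a href="http://secure-login.example.net/verify">https://www.bank.example.com/verify</a>
within 24 hours. Questions? See <a href="https://www.bank.example.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"HOLD: link shows {f['shown_domain']} but goes to {f['actual_domain']}: {f['href']}")
```

The check also catches the "trusted name as a subdomain" trick, where the genuine domain is placed in front of an unrelated registrable domain, because only the last two labels of the real destination are compared.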

B. Emails from Friends

Social engineers cleverly manipulate the natural human tendency to trust and accept representations at face value. Seizing upon this trait, social engineers commonly spoof or access email accounts to gain access to the owner’s contact list. Once the cyber criminal has access to an email account, he/she can send emails to all the owner’s contacts or leave messages on all their friends’ social pages (and possibly on the pages of the person’s friends’ friends). Because the source appears to come from a family member, friend or acquaintance, the recipient will naturally trust the content of the email. For example, cyber criminals send emails to recipients claiming the real sender is in trouble and desperately needs money:

[Image omitted.]

These messages prey on trust, helpfulness and curiosity. For example, the social engineer may send a link that you “just have to check out.” Because the link comes from a friend and humans are curious, the recipient clicks on the link and the system becomes infected with malware the criminal can use to take over the machine and collect information. Once downloaded (which the recipient is likely to do since he/she thinks it is from a friend), the system is infected. Now, the criminal has access to the system.

33 Variations of the term “phishing” have been adopted to identify similar schemes that do not utilize computers. For instance, “vishing” is social engineering over the phone, while “smishing” uses text messages to lure victims. Phishing, pharming, vishing and smishing, INTUIT, INC., https://security.intuit.com/phishing.html (last visited June 28, 2016).

34 U.S. Cybersecurity: Progress Stalled, PwC (July 2015).

35 Cobb, supra note 14.

C. Baiting Scenarios

Social engineers use greed or curiosity to manipulate human operators.36 Often found on Peer-to-Peer sites offering a download of a hot new movie or music, social engineers dangle something people want and wait for people to take the bait. This baiting scenario may also take the form of the classic “advance-fee” scam, in which an unknown sender promises easy money if the recipient will forward funds to cover an alleged expense:37

[Image omitted.]

Social engineers will also disguise a malicious link as a trending pop culture or social topic to lure the victim into clicking on the link.38 Once people take the bait, the cyber criminal uses malicious software to corrupt secure systems and steal confidential information or compromise banking systems.

36 Skillset, https://www.skillset.com/questions/baiting-is-a-technique-of-social-engineering-in-which-attacker-uses-an-infected-disk-cd-dvd-or-any-o (last visited June 28, 2016).

37 Christian Cawley, Opinion, Do Nigerian Scam Emails Hide A Terrible Secret? (Apr. 19, 2012), http://www.makeuseof.com/tag/nigerian-spam-emails-hide-terrible-secret-opinion/.

38 Fake links to nude celebrities breaks New Zealand Internet, THE TELEGRAPH (Sept. 7, 2014), http://www.telegraph.co.uk/news/worldnews/australiaandthepacific/newzealand/11079869/Fake-links-to-nude-celebrities-breaks-New-Zealand-Internet.html.

D. Vendor Scams

Corporations that conduct international business are often confronted with a “business e-mail compromise scam.” Such schemes involve spoofed email addresses39 purportedly from known and trustworthy vendors.40 This scheme involves a cyber criminal spoofing a vendor’s email address to manipulate the business’s employee—often in the accounts payable department—to transfer funds for a legitimate transaction to the criminal’s bank account, rather than the vendor’s.

The scheme is also known as a “man in the middle” scheme because the criminal inserts himself into an email exchange between the business and vendor, by using spoofed email addresses, to manipulate the parties into transferring funds to incorrect bank accounts.41 The schematic of a man-in-the-middle scheme demonstrates the simplicity for the social engineer:42

39 A spoofed email address uses a similar, but different email address which is disguised to look like a known and legitimate email address. For example, a legitimate email address of [email protected] may be spoofed using [email protected] or [email protected].

40 Press Release, Federal Bureau of Investigation, FBI Warns of Rise in Schemes Targeting Business and Online Fraud of Financial Officer and Individuals (Mar. 29, 2016), https://www.fbi.gov/cleveland/press-releases/2016/ fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial- officers-and-individuals.

41 Id.

42 Neil DuPaul, Man In The Middle (MITM) Attack, http://www.veracode.com/security/man-middle-attack (last visited June 28, 2016).


The FBI provides the following example of this scheme:

A business, which often has a long standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, fax, or email. If an email is received, the subject will spoof the email request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular version has also been referred to as “the bogus invoice scheme,” “the supplier swindle,” and “invoice modification scheme.”

. . . .

An employee of a business has his/her personal email hacked. Requests for invoice payments to fraudster controlled bank accounts are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.

This form of social engineering hits corporations of all sizes, with particular emphasis on those that regularly perform wire transfer payments.43 It is particularly effective because the business and vendor do not know that they were corresponding with a cyber criminal through spoofed email addresses until long after the funds are gone and are unrecoverable.

43 Id.


E. Impersonating Superiors or Corporate Officers

Impersonation is one of the most common social engineering techniques and it can occur over the phone or online.44 The FBI succinctly describes this scheme:

The email accounts of high level business executives (CFO, CTO, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular version has also been referred to as “CEO fraud,” “business executive scam,” “masquerading,” and “financial industry wire frauds.”45

These schemes prey upon the desire to be helpful and the fear of being reprimanded. Many employees are criticized by superiors if they do not act promptly or take too long to complete a task. Fearing reprimand, employees want to be helpful and follow directions, which can lead them to give away too much information or to act on an instruction they would otherwise question.

The FBI example is similar to a textbook 2015 social engineering scheme based on the spoofing of the CEO’s email address.46

44 Marie Keyworth & Matthew Wall, The ‘bogus boss’ email scam costing firms millions, BBC (Jan. 8, 2016), http://www.bbc.com/news/business-35250678 (noting that “in the US, the FBI’s internet crime centre … has been tracking ‘business email compromise’ scams, as it calls them, and reckons about 7,000 companies have been defrauded of more than $740 million over the last two years.”).

45 Press Release, Federal Bureau of Investigation, FBI Warns of Dramatic Increase in Business E-Mail Scams (Apr. 4, 2016), https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams.

46 Russell Hubbard, Impostors Bilk Omaha’s Scoular Co. Out of $17.2 Million, OMAHA.COM (Feb. 5, 2015), http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html.

In that case, the company’s controller received emails purportedly from the company’s CEO informing him that, as part of an acquisition of a Chinese company, he needed to wire funds to a bank in China. The spoofed CEO email further instructed the controller that the matter was sensitive because of SEC regulations, that it must remain confidential, and that he could only “communicate with me through this email.”47 To lend the request an air of legitimacy, the spoofed CEO directed the controller to call the company’s outside accounting firm to confirm the wire transfer information. The controller called a phone number he did not recognize, which was answered by an individual representing himself as an employee of the accounting firm.48 The controller then received a spoofed email from the accounting firm containing the fraudulent wire instructions.49 Over the course of five days, the controller complied with the spoofed CEO’s directions and completed three wire transfers totaling $17.2 million.

This transaction contains all the hallmarks of a social engineering scheme. First, the controller received emails from an account disguised to appear as the CEO’s. Second, the wire transfer appeared to have a legitimate purpose because the controller understood that the company was looking to expand into China. Third, the social engineer relied upon the power imbalance between the two corporate officers by directing the controller to act in accordance with his role at the company. Fourth, the controller was made to feel that he had been selected for a confidential but important task. The scheme was particularly effective because it pulled several levers at once: apparent credibility; fear of repercussions for failing to act; deference to the corporate hierarchy; and a sense of importance from being entrusted with the task.50 The telephone “confirmation” the scheme invited was no check at all, because the number came from the same untrusted channel as the instruction; a genuine verification uses a number already on file with the company.

47 Id. 48 Id. 49 Id.

50 MITNICK & SIMON, supra note 28 (“A social engineer masquerading as a company executive may target a secretary or junior staffer with an ‘urgent’ demand, and with the implication that the underlying will get into trouble, or might even get fired, for not complying.”).

III. SOCIAL ENGINEERING IS NOT COMPUTER HACKING

Social engineering schemes often involve the transmission of emails containing false information, designed to mislead the recipient and convince the recipient to knowingly and voluntarily transfer funds to the social engineer. Because the scheme involves the transmission and receipt of emails, insured businesses often portray such schemes as a form of hacking, e.g., as involving viruses or malware. Such allegations, however, ignore basic email mechanics.

Email is transmitted via the Simple Mail Transfer Protocol,51 which moves a message from the sender’s mail server to the recipient’s mail server.52 What is transferred consists of an SMTP envelope and a message formatted under the Internet Message Format53 standard (“an IMF message”).54

In this vein, an email can be conceptualized as a letter transmitted in a physical envelope.55 Like a physical letter, an SMTP email has two separate sets of addresses: the envelope addresses and the fields in the IMF message header. The envelope is not a block of text inside the message; it consists of the MAIL FROM (sender) and RCPT TO (recipient) commands the sending server issues during the SMTP session. Like the addresses on the outside of a physical envelope, these are what mail transport software uses to route and deliver the message, and the receiving server records them in trace headers (Return-Path and Received, defined by SMTP, and on many servers Delivered-To) when it delivers the message. The IMF message also contains headers. These are not used by mail transport software to deliver the email; they are content that is displayed when the recipient reads the email (just as the address and salutation at the start of a physical letter are read by the recipient, but are not used by the post office to deliver the letter).

51 Hereinafter SMTP.

52 John Klensin, Simple Mail Transfer Protocol (Oct. 2008), https://tools.ietf.org/html/rfc5321 (last visited June 28, 2016); Peter Resnick, Internet Message Format (Oct. 2008), https://tools.ietf.org/html/rfc5322 (last visited June 28, 2016).

53 Hereinafter IMF. 54 Id. 55 Id.

The envelope (together with the trace headers in which it is recorded, referred to herein as the “SMTP Envelope Header”) determines where the message is sent and where bounce messages are returned, and records the path the message followed.56 The RCPT TO recipient is recorded by many receiving servers in a “Delivered-To” header. The MAIL FROM sender, which is the address to which delivery failures are returned, is recorded in the “Return-Path” header (referred to herein interchangeably as “MAIL FROM”). Each server that handles the message prepends a “Received” header identifying the server it received the message from, so the chain of Received headers, read from the bottom up, shows where the message actually originated.

The message inside the envelope is created under the IMF specification.57 An IMF message consists of a message header and a message body. The message body contains the content of the email. The IMF header carries the fields the recipient’s mail client displays: TO; CC; FROM; SUBJECT; and REPLY-TO (a BCC field is normally removed before the message is sent, so blind recipients appear only in the envelope).58 Viewing a message in its native (raw) form, rather than in the mail client’s rendered view, exposes both the trace headers recorded at delivery and the IMF headers.

The following example illustrates a common scenario for the use of SMTP to transmit an email:

• A user Alice, with email address “[email protected],” uses an email account to compose a message to another user “Bob” at email address “[email protected]”;

• Alice’s mail client constructs an IMF message and hands it to the “sender.com” mail server;

• Using the RCPT TO envelope recipient (and a DNS lookup of receiver.com’s mail exchanger), the “sender.com” mail server transmits the IMF message to the “receiver.com” mail server, which records the envelope addresses in Return-Path and Delivered-To headers and adds a Received header;

• Bob accesses his email account to view the contents of the IMF message.

56 Id. 57 Id. 58 Id.

As detailed above, a social engineer’s spoofing of a legitimate email is an attempt to make an email appear to come from somewhere or someone other than its actual source. Technically, the social engineer writes whatever he likes into the IMF “FROM” field, and the receiving server accepts it as sent. The telltale sign is that the address in the “MAIL FROM” command of the SMTP Envelope Header (recorded as Return-Path) does not match the “FROM” field within the IMF message, and that the Received headers trace the message to a server unrelated to the purported sender.59

In many instances, there is no default mechanism to alert the recipient that the address in the “MAIL FROM” command of the SMTP Envelope Header does not match the “FROM” field within the IMF message. Mail clients display the IMF “FROM” field and hide the envelope and trace headers, so the mismatch is visible only by viewing the raw message. In a spoofed email the SMTP “MAIL FROM” command identifies the source of the email (i.e., the address from which it was actually sent), while the IMF “FROM” field can display any email address, even one that was not used to send the email.60 Sender authentication mechanisms (SPF, DKIM and DMARC) exist to detect precisely this kind of mismatch, but they protect only domains that publish the necessary DNS records and recipients whose mail servers check them.

59 Email Spoofing, https://en.wikipedia.org/wiki/Email_spoofing (last visited June 28, 2016).

A comparison of the spoofed emails with a genuine email from the same correspondent typically reveals three differences. First, spoofed emails often carry a header (such as X-Mailer) identifying the script or bulk-mailing library used to generate them on the sender’s computer; a genuine email composed in the correspondent’s ordinary mail client carries no such header or identifies that client. Second, the spoofed emails identify one address in the SMTP “MAIL FROM” field and another in the IMF “FROM” field, whereas the genuine emails from the vendor carry the same address in both. A mismatch alone is not conclusive, because forwarded mail and mailing-list traffic legitimately rewrite the envelope sender, which is why the comparison is made against a known genuine message from the same correspondent. Third, spoofed emails often carry a “REPLY-TO” IMF header directing replies to a free webmail address that differs from the “FROM” address, so that the victim’s replies reach the criminal rather than the real vendor; a “REPLY-TO” header is itself legitimate, but a genuine vendor email rarely redirects replies to a domain other than the vendor’s own.
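The following Python script is an added example written for this edit, not code from the article or from any of the sources it cites. It works through the Alice-and-Bob SMTP scenario and the three comparisons above on a constructed session transcript: it separates the envelope commands (MAIL FROM, RCPT TO) from the IMF message sent after DATA, then reports the indicators discussed, namely an envelope/From mismatch, a Reply-To that diverts replies to another domain, a one-character lookalike of the trusted domain of the kind described in note 39, and a mailer header. Every name, address and domain in it (vendor.example as the trusted vendor, vend0r.example as the lookalike, freewebmail.example, the invoice number) is an invented assumption.

```python
"""Added example: split the SMTP envelope from the IMF message in a
constructed session transcript and flag the spoofing indicators from the
text.  Standard library only."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SMTP session (RFC 5321), invented for this example.  "C:" lines
# are sent by the sending server, "S:" lines are the receiver's replies.  All
# names and domains are assumptions: the trusted vendor is vendor.example, the
# header From uses the lookalike vend0r.example, and the envelope sender and
# Reply-To point at a free webmail domain.
SESSION = """\
S: 220 mx.receiver.example ESMTP
C: EHLO mail.freewebmail.example
S: 250 OK
C: MAIL FROM:<attacker@freewebmail.example>
C: RCPT TO:<bob@receiver.example>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Alice <alice@vend0r.example>
C: To: bob@receiver.example
C: Reply-To: alice.vendor@freewebmail.example
C: Subject: Updated bank details for invoice 4471
C: X-Mailer: PHPMailer 5.2
C:
C: Please wire payment for invoice 4471 to our new account.
C: .
S: 250 OK queued
C: QUIT
"""

def parse_session(transcript):
    """Return (envelope, message): the MAIL FROM / RCPT TO addresses from the
    SMTP commands, and the IMF message sent between DATA and the '.' line."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue                      # server replies carry no addresses
        line = raw[3:] if raw.startswith("C: ") else raw[2:]
        if in_data:
            if line == ".":
                in_data = False           # end of message text
            else:                         # undo RFC 5321 dot-stuffing
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        m = re.match(r"(MAIL FROM|RCPT TO):<([^>]*)>", line, re.IGNORECASE)
        if m and m.group(1).upper() == "MAIL FROM":
            envelope["mail_from"] = m.group(2)
        elif m:
            envelope["rcpt_to"].append(m.group(2))
        elif line.upper() == "DATA":
            in_data = True
    return envelope, message_from_string("\n".join(data_lines) + "\n")

def domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike(candidate, trusted):
    """True if candidate is exactly one character edit (substitution,
    insertion or deletion) away from trusted, e.g. vend0r vs vendor."""
    if candidate == trusted or abs(len(candidate) - len(trusted)) > 1:
        return False
    i = j = edits = 0
    while i < len(candidate) and j < len(trusted):
        if candidate[i] == trusted[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character on the longer side, or both on a substitution
        i += len(candidate) >= len(trusted)
        j += len(trusted) >= len(candidate)
    return edits + (len(candidate) - i) + (len(trusted) - j) == 1

def spoof_indicators(envelope, message, trusted_domain):
    """Compare envelope and header addresses as the text describes; return the
    indicators found (an empty list for a message that raises none)."""
    mail_from = envelope["mail_from"] or ""
    hdr_from = parseaddr(message.get("From", ""))[1]
    reply_to = parseaddr(message.get("Reply-To", ""))[1]
    found = []
    if domain(mail_from) != domain(hdr_from):
        found.append("envelope MAIL FROM domain differs from header From domain")
    if reply_to and domain(reply_to) != domain(hdr_from):
        found.append("Reply-To diverts replies to a domain other than From")
    if lookalike(domain(hdr_from), trusted_domain):
        found.append("header From domain is a one-character lookalike of " + trusted_domain)
    if message.get("X-Mailer"):           # weak signal on its own
        found.append("generated by a mailer script: " + message["X-Mailer"])
    return found
```

Running `spoof_indicators(*parse_session(SESSION), "vendor.example")` returns all four indicators for the constructed message, while a message whose envelope sender and From share the vendor’s domain, with no Reply-To and no mailer header, returns none. The lookalike test deliberately accepts only a single-character edit, so a mismatch such as a transposed pair of letters is not flagged; in practice the comparison is made against the vendor domains actually on file, not against every domain in the address book.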

A spoofed email is not a “hacking” because it is created, sent and transmitted from a cyber criminal’s computer, and does not utilize the recipient organization’s computer system to create, send or transmit the email. Similarly, the cyber criminal transmits the spoofed email to the business via a third-party server not owned, operated or utilized by the business. In contrast, a hacking involves the unauthorized inclusion of malware, Trojans, virus, or other malicious code into the organization’s computer system. As such, social engineering schemes utilizing spoofed emails do not involve a hacking or unauthorized intrusion into the business’s computers.

The simplicity of the social engineering scheme is that the cyber criminal need not gain access to or actually use any computer owned, operated or utilized by a business; need not load, insert, implant, or enter any destructive program, virus, malware or operable code into any computer owned, operated or utilized by a business; and need not cause any program or computer contained within or used by a business to be altered or otherwise changed. The cyber criminal need only rely on the inherent human tendencies which allow for manipulation of their actions.

60 Id.; Klensin, supra, note 52; Resnick, supra, note 52.


IV. EVOLVING LANDSCAPE OF COVERAGE AGAINST SOCIAL ENGINEERING

Social engineering is difficult to prevent because there is no all-encompassing technological defense to these schemes. Therefore, organizations need to educate employees that they cannot rely on the safety of technological defenses, but need to be aware of the risk of social engineering. In order to build defenses against social engineering attacks, organizations must design and implement comprehensive security practices and protocols:61

• Education and awareness: Because companies are composed of various departments, training must be customized to the needs and requirements of each department. Such practices help employees recognize the red flags of a social engineering scheme and handle the attacks effectively.

• Policies, protocols and procedures: Policies and procedures must be clear, concise, and aimed toward mitigating social engineering attacks. Well-defined policies and procedures provide guidelines for employees on how to go about protecting company resources from a potential cyber attack and when to question certain representations.

• Management and employee ownership: It is important that the organization’s culture allows an employee to question the authenticity of a request or directive without fear. The underlying tenet of a positive corporate culture is that management supports and believes in the protocols to defend against social engineering. For instance, management should never instruct an employee to circumvent a security measure, or punish an employee who complies with the procedures.

• Risk assessment: A risk assessment helps management understand the risk factors that may adversely affect the company and track existing and emerging threats. Identifying security risks helps enterprises build defenses against them.

• Security incident management: When a social engineering event occurs, a company must have a written, comprehensive protocol for managing the incident. This includes training the IT help desk to record (among other things) the target, the target’s department, and the nature of the scheme. Such protocols enable a company to actively manage the risk of the breach and mitigate potential losses.

Without such safeguards, organizations remain exposed to social engineering schemes and the resulting losses. When an employee succumbs to such a scheme, the organization may look to recover under its commercial crime policy, specifically the policy’s computer fraud provision.

61 MITNICK & SIMON, supra note 28, at 238-242.

However, socially engineered losses are not covered under a commercial crime policy because it was not designed to cover social engineering: “[C]rime policies [did] not cover these losses unless the insured’s own employee [was] involved in the scheme.”62 Beginning in 2014, insurers began offering coverage tailored to social engineering schemes.

62 Fraud Advisory: Social Engineering and How to Protect Yourself, Willis (Nov. 2014), at 1, http://www.willis.com/documents/publications/industries/Financial_Institutions/20141118_50680_ALERT_Social_Engineering_11_14.pdf.


Despite the option to purchase coverage against social engineering risk, insureds who decline such insurance continue to seek coverage under their commercial crime policy. Such claims are often predicated upon the notion that social engineering schemes constitute: (A) computer crime because they are perpetrated through computers, (B) forgery coverage because the typing of a signature block or email name with the intent to deceive qualifies as a forgery, or (C) funds transfer fraud on the theory that it was induced to transfer funds based upon an email directive. Such claims, however, are generally not covered because these provisions do not respond to losses relating to social engineering schemes, or are specifically excluded.

A. Computer Fraud Coverage

The ISO Computer Fraud Coverage Form (Form F) debuted in 198363—five years before Microsoft released its inaugural Office suite of business software.64 The current version of the insuring agreement provides coverage for specific property, conditions coverage upon the happening of a covered peril, and incorporates the exclusions, definitions, and conditions of coverage. In particular, it provides coverage for

(1) Loss resulting directly from a fraudulent:

(a) Entry of “electronic data” or “computer program” into; or

(b) Change of electronic data or “computer program” within;

Any “computer system” owned, leased or operated by you, provided the fraudulent entry or fraudulent change causes with regard to Paragraphs 6.a(1)(a) or 6.a(1)(b):

63 John J. McDonald, Jr., Joel T. Wiegert & Jason W. Glasgow, Computer Fraud and Funds Transfer Fraud Coverages, XIV FID. L.J. 109 (2008).

64 Microsoft Office, WIKIPEDIA, https://en.wikipedia.org/wiki/Microsoft_Office.


(i) “Money,” “securities” and “other property” to be transferred, paid or delivered; or

(ii) Your account at a “financial institution” to be debited or deleted.65

These terms preclude an insured from triggering coverage merely by alleging a fraud that involved a computer.66 Such a cursory allegation ignores the basic structure of a social engineering scheme, which is premised upon false information and manipulation, not the hacking of a computer system. The insured must prove that (1) it was the victim of computer fraud, as that term is defined in the policy, and (2) its loss arose “directly” therefrom.67 It bears repeating that social engineering schemes involve the manipulation of employees through misrepresentations contained in emails; they do not involve the use of malware, ransomware, viruses, unauthorized use of passwords, or other invasive technological attacks. As such, social engineering schemes do not satisfy the required elements for coverage.

1. Social Engineering Is Not Computer Fraud

An insured faced with a loss may presume that any fraud involving a computer must qualify as a “computer fraud.” While the common law term “fraud” may be broad, a computer fraud provision does not purport to cover every alleged fraud involving a computer. Rather, it requires a “fraudulent entry” or “fraudulent change” to data or a computer program. “The common definition of the former includes ‘the act of entering’ or ‘the right or privilege of entering, access,’ and the latter means ‘to make different, alter.’”68 Thus, these qualifying terms limit coverage to hacking incidents and preclude coverage for loss arising from the insured’s knowing transfer of funds (even if the transfer was induced by an instruction received electronically through a computer).69

65 ISO CR 00 23 11 15 (2015).

66 Great Am. Ins. Co. v. AFS/IBEX Fin. Servs., Inc., No. 3:07-CV-924-0, 2008 U.S. Dist. LEXIS 55532 (N.D. Tex. July 21, 2008).

67 There are additional requirements for the insured to prove, such as what constitutes a defined “computer system,” but that issue is not a focus of this article. For a discussion of what may constitute a “computer system,” see generally McDonald et al., Computer Fraud and Funds Transfer Fraud Coverages, XIV FID. L.J. 109 (2008).

The New York courts’ decisions in Universal American Corp. v. National Union Fire Insurance Co. (both reviewing courts affirmed the initial coverage denial) demonstrate why social engineering losses are not covered. In that case, the insured was a health insurance company that “auto-adjudicated” providers’ claims for payment through a web-based computer system.70 In 2008, the insured discovered that providers had submitted fraudulent claims into its payment system.71 The fraud was perpetrated in several ways: providers submitted claims for services never performed; they worked with patients to submit false claims and then paid kickbacks to the patient; or they created fake provider identifications and submitted false claims under the imposter provider.72 The insured claimed the fraud resulted in the payment of approximately $18 million in false claims.73

The Universal insured submitted a claim and subsequently filed suit claiming coverage under the computer fraud coverage rider to its financial institution bond. Even though the thief’s direct entry of information into the insured’s computer system automatically prompted payments to the thief, the trial court denied coverage because the insuring agreement required proof of a “fraudulent entry:”

The Rider states that it covers “fraudulent entry” of data or computer programs into Universal’s computer system which resulted in a loss. This indicates that coverage is for an unauthorized entry into the system, i.e. by an unauthorized user, such as a hacker, or for unauthorized data, e.g. a computer virus.74 Nothing in this clause indicates that coverage was intended where an authorized user utilized the system as intended, i.e., to submit claims, but where the claims themselves were fraudulent.

68 Universal Am. Corp. v. Nat’l Union Fire Ins. Co., 959 N.Y.S.2d 849 (N.Y. Sup. Ct. 2013), aff’d, 972 N.Y.S.2d 241 (N.Y. App. Div. 2013), aff’d, 25 N.Y.3d 675 (N.Y. 2015).

69 25 N.Y.3d 675. 70 959 N.Y.S.2d at 861. 71 Id. 72 Id. 73 Id.

The trial court disagreed with the insured’s argument that the mere submission of fraudulent claims through a computer was sufficient to warrant coverage. Rather, the court noted that the insured’s “interpretation of the policy would expand coverage to any fraudulent underlying claim that was entered into its system by any user, even by an authorized user.”75

The New York Appellate Division affirmed that analysis. Rejecting the notion that a commercial crime policy covers any loss that happens to arise from the electronic receipt of information, the Appellate Division agreed that the phrase “fraudulent entry” references a hacking of an insured’s computer: “The court correctly found that the unambiguous plain meaning of defendant’s computer systems fraud rider, covering loss from a fraudulent ‘entry of electronic data’ or ‘change of electronic data’ within the insured’s proprietary computer system, was intended to apply to wrongful acts in manipulation of the computer system, i.e., by hackers . . .”76

The New York Court of Appeals affirmed the lower courts’ holdings.77 Focusing on the fact that the term “fraudulent” modified the word “entry,” the court held that the insured could not pursue coverage simply because a thief entered fraudulent information into a computer. The phrase “fraudulent entry,” the court concluded, denoted a hacking of the insured’s computer:78

In the Rider, “fraudulent” modifies “entry” or “change” of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program. Thus, the Rider covers losses resulting from a dishonest entry or change of electronic data or computer program, constituting what the parties agree would be “hacking” of the computer system. The Rider’s reference to “fraudulent” does not also qualify what is actually acted upon, namely the “electronic data” or “computer program” itself. The intentional word placement of “fraudulent” before “entry” and “change” manifests the parties’ intent to provide coverage for a violation of the integrity of the computer system through deceitful and dishonest access.79

74 Id. at 864. 75 Id. 76 110 A.D.3d at 434. 77 25 N.Y.3d at 675.

78 The Court of Appeals relied on dictionary definitions to reach its ultimate conclusion that the use of “fraudulent” required proof of a hacking: “The term ‘fraudulent’ is not defined in the Rider, but it refers to deceit and dishonesty (see MERRIAM WEBSTER’S COLLEGIATE DICTIONARY [10th ed 1993]). While the Rider also does not define the terms ‘entry’ and ‘change,’ the common definition of the former includes ‘the act of entering’ or ‘the right or privilege of entering, access,’ and the latter means ‘to make different, alter’ (id.). In the Rider, ‘fraudulent’ modifies ‘entry’ or ‘change’ of electronic data or computer program, meaning it qualifies the act of entering or changing data or a computer program.”

79 25 N.Y.3d at 675.

80 Id.; Pestmaster Servs. v. Travelers Cas. & Sur. Co., No. C13-5039-JFW, 2014 U.S. Dist. LEXIS 108416, at *19 (C.D. Cal. July 17, 2014), aff’d, No. 14-56294, 2016 U.S. App. LEXIS 13829 (9th Cir. July 29, 2016).

The Universal analysis has been applied to different factual scenarios. The court in Pestmaster Services, Inc. v. Travelers Casualty and Surety Co. explained why the receipt of fraudulent information (even if it induces an employee to approve a transfer) does not trigger coverage. In that case, the court held that there was no coverage under a computer fraud insuring clause where an insured paid funds based on falsified invoices submitted electronically. Relying in part on Universal, the court held that the insuring agreement applied “when someone ‘hacks’ or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds.”80 The court drew a distinction between an involuntary transfer and a voluntary transfer induced by fraud:

Therefore, Priority 1’s conduct does not constitute “Computer Fraud” as defined by the Policy because the transfer of funds was at all times authorized and did not involve hacking or any unauthorized entry into a computer system.81

The Ninth Circuit affirmed the Pestmaster district court’s decision, holding that “we interpret the phrase ‘fraudulently cause a transfer’ to require an unauthorized transfer.”82 The court noted that mere use of a computer does not trigger coverage under a computer fraud provision:

When Priority 1 transferred funds pursuant to authorization from Pestmaster, the transfer was not fraudulently caused. Because computers are used in almost every business transaction, reading this provision to cover all transfers that involve both a computer and fraud at some point in the transaction would convert this Crime Policy into a “General Fraud” Policy.83

There is no meaningful distinction between banking information in an email and insurance information in an insurance claim. Given that Universal held that an imposter’s direct entry of fraudulent information into a proprietary system, using provider credentials the system accepted as valid, did not trigger coverage, it follows (as the Pestmaster courts and others have held) that merely transmitting an email to an insured is not an entry into, or change of, the insured’s computer system.84

In light of the holdings in Universal and Pestmaster, insureds may argue that the coverage afforded by the computer fraud provision is illusory. It is not. The District Court of Minnesota recently identified the type of hacking event the provision covers.85 In State Bank of Bellingham v. BancInsure, Inc., the insured processed wire transfers through the Federal Reserve’s FedLine Advantage Plus system, which was accessed through a Virtual Private Network86 device (a token).87 The FedLine protocol required the insured’s authorized users to enter their user name and three passwords, one of which was generated randomly by the token, which had to be inserted into the USB port of the insured’s computer.88 Although not required by FedLine, the insured’s own procedures required that the wire instructions be verified by the entry of a second user name and set of passwords.89

81 Id. at *20-21. 82 2016 U.S. App. LEXIS 13829, at *2. 83 Id.

84 Desoto v. Bd. of Parks & Rec., 64 F. Supp. 3d 1070, 1103 (M.D. Tenn. 2014); Spam Arrest, LLC v. Replacements, Ltd., No. C12-481RAJ, 2013 U.S. Dist. LEXIS 124820, at *20 (W.D. Wash. Aug. 29, 2013).

One evening, the insured’s employee processed a wire transfer using her own user name and token and, in violation of procedures, the user name, passwords, and token of a second employee.90 She left for the evening without shutting down the computer or removing the tokens. When she arrived the next morning, she discovered two unauthorized wire transfers from her computer to two different banks in Poland.91 A subsequent forensic analysis of the insured’s hard drive revealed that at the time of the unauthorized wire transfers the insured’s computer was infected with the “Zeus Virus” (a banking trojan), which gave the hackers unauthorized access to the insured’s computer system and allowed them to operate the employee’s computer, with both tokens still inserted, to effect the wire transfers.92 The court noted that it was “undisputed” that these events were covered under the policy’s computer fraud provision.93 State Bank of Bellingham provides an example of what

85 No. 13-cv-0900, 2014 U.S. Dist. LEXIS 136849 (D. Minn. Sept. 29,

2014), aff’d, 2016 U.S. App. Lexis 9235 (8th Cir. 2016). 86 Hereinafter VPN. 87 No. 12-132, 2013 U.S. Dist. LEXIS 136849 at *6. 88 Id. 89 Id. 90 Id. 91 Id. at *7. 92 Id. at *15-16. 93 Id. at *49-50. The coverage disputes at issue in State Bank of

Bellingham were whether certain exclusions barred coverage and whether the “concurrent causation doctrine” required coverage when the covered peril (the computer fraud) is the “efficient and proximate cause” of the loss as opposed to the excluded peril (the employee’s violation of security protocols).

Page 32: The Fidelity Law Journal · The Fidelity Law Journal published by . The Fidelity Law Association . Volume XXII, November 2016 . Editor-in-Chief Michael Keeley . Associate Editors

30 Fidelity Law Journal, Vol. XXII, November 2016

acts may be covered under a computer fraud provision, those in which a hacking directly results in the unauthorized transfer of funds.94

While neither Universal, Pestmaster, nor State Bank of Bellingham involved a social engineering scheme, the courts’ detailed analysis of the computer fraud language is important because it sets the framework for insurers, insureds, and other courts’ determinations of whether social engineering is covered under this provision. In particular, the courts’ recognition that the provision requires the insured to prove a hacking leads to the logical conclusion that a social engineering scheme premised upon an insured receiving an email containing false information, e.g., incorrect wiring instructions, is not covered, because receipt of an email is not a fraudulent entry into the insured’s computer system.

In 2016, an Illinois trial court agreed with this conclusion when applying it to a social engineering scheme.95 In Kraft Chemical Co. v. Federal Insurance Co., the insured, a distributor of chemical products for manufacturing, alleged that it was fraudulently induced to transfer money based upon spoofed emails misrepresenting a vendor’s bank account information. In particular, during April and May 2013, the insured participated in a legitimate transaction that required the purchase of chemicals from a known Indian chemical vendor to be shipped directly to a client in Ireland.96 The transaction was conducted solely by email between the three parties, using legitimate email addresses. In May 2013, the insured received several emails purportedly from the vendor, informing the insured that it had changed banks and that all future wire transfers should be made to the new bank account.97 The insured made the payment to the new bank account and subsequently discovered that the bank account information was fraudulent and that midway through the transaction it had begun corresponding with an imposter using a spoofed email address of the Indian vendor.98

94 Of course, any such event is subject to the terms, conditions and exclusions in the policy.

95 Kraft Chem. Co. v. Federal Ins. Co., No. 13 M2 002568, 2016 Ill. Cir. LEXIS 1 (Ill. Cir. Ct. Jan. 5, 2016).

96 Id. at *10-11.

97 Id.

The insured made a claim under its computer fraud provision, which stated, in part:99

Insuring Clause (E): Computer Fraud Coverage

(E) The company shall pay the Parent Organization for direct loss of Money, Securities or Property sustained by an insured resulting from Computer Fraud committed by a Third Party.

Computer Fraud means the unlawful taking of Money, Securities or Property resulting from a Computer Violation.

Computer Violation means an unauthorized:

(A) entry into or deletion of Data from a Computer System;

(B) change to Data elements or program logic of a Computer System, which is kept in machine readable format; or

(C) introduction of instructions, programmatic or otherwise, which propagate themselves through a Computer System,

directly solely against an Organization.

The insured argued that the receipt of the fraudulent wire instructions was covered under this provision because it was conveyed by email to the insured’s computer system. The court dismissed this argument, concluding “the plaintiff merely received an email and mere receipt is not an unauthorized entry into its computer system.”100

98 Id. The legitimate vendor email address was [email protected] while the spoofed email address was [email protected]. As discussed above, Kraft Chemical is an example of a vendor, or man-in-the-middle, social engineering scheme.

99 Id. at *7-8.

The trial court based its holding on Universal’s analysis that the qualifying word “fraudulent” in a computer fraud provision required the insured to prove that it incurred a hack: “the Universal case clearly equated ‘fraudulent entry’ with ‘unauthorized access.’”101 The court further noted:

The gravamen of Plaintiff’s allegations giving rise to the purported fraud emanate from the transmission of an email containing a fraudulent address from the sender. As a matter of law, this without more cannot constitute computer fraud pursuant to the Policy. There are no facts developed in the record to indicate that receipt of an email is an “unauthorized access or entry into Plaintiff’s system.” . . . There is no applicable authority in support either. The Court is convinced that to trigger coverage under the Policy, it requires more than just the use of fraudulent information . . . .102

Kraft Chemical is important in the canon of social engineering case law because it affirmed the insured’s burden of proving that it sustained a hacking, and the receipt of an email containing fraudulent information is not proof of a hacking.103 The court reached this conclusion because “this Court is convinced by [the insurer’s] authority that the mere sending of an email is not an unauthorized entry or change therein to a computer system.”104

100 Kraft Chemical, 2016 Ill. Cir. LEXIS 1, at *11.

101 Id. at *18-20.

102 Id. at *16.

103 Id. The court further held that the voluntary transfer of funds was not a direct loss.

104 Id. at *15; see, e.g., Pestmaster, 2014 U.S. Dist. LEXIS 108416; Pinnacle Processing Grp., Inc. v. Hartford Cas. Ins. Co., No. C10-1126-RSM, 2011 U.S. Dist. LEXIS 128203 (W.D. Wash. Nov. 4, 2011); Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085-SEB-JPG, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2006).

The sending of an email cannot satisfy the insured’s burden of proving a hacking because email accounts are an open repository.105 A third party is, therefore, free to transmit emails to the insured, and their doing so is not an unauthorized or fraudulent entry into the insured’s computer system. It is notable that the insured’s computer expert in Kraft Chemical agreed with this premise:

Q. The receipt of an e-mail is not an unauthorized access of a computer system, correct?

A. Correct.106

Thus, creating fraudulent emails through a foreign computer does not trigger coverage under the computer fraud provision. Kraft Chemical’s holding is consistent with the analysis by other courts.107

For instance, the Sixth Circuit in Pulte Homes, Inc. v. Laborers’ International Union of North America held that transmitting email, even if sent with malicious intent, is not an “access” to a computer.108 The district court initially denied the insured’s claim because it offered “no authority supporting its contention that one accesses another’s computer [by] . . . sending an e-mail.”109 The Sixth Circuit agreed with the district court:

LIUNA used unprotected public communications systems, which defeats Pulte’s allegation that LIUNA accessed its computers ‘without authorization.’ Pulte allows all members of the public to contact its offices and executives: it does not allege, for example, that LIUNA, or anyone else, needs a password or code to call or e-mail its business. Rather, like an unprotected website, Pulte’s phone and e-mail systems were open to the public, so LIUNA was authorized to use them.110

105 Spoofing does not require hacking. Spoofing, according to Gmail, “means faking the return address on outgoing mail to hide the true origin of the message.” https://support.google.com/mail/answer/50200?hl=en.

106 Kraft Chemical, 2016 Ill. Cir. LEXIS 1, at *11-13.

107 Id.

108 648 F.3d 295 (6th Cir. 2011).

109 No. 09-13638, 2010 U.S. Dist. LEXIS 46416, at *11 (E.D. Mich. May 12, 2010).

In summary, sending an email, even if it contained fraudulent information, does not amount to a “fraudulent” or “unauthorized” entry into an insured’s computer system.111

While sending a spoofed email may be a fraud, the computer fraud provision does not purport to cover every fraud involving a computer. It covers a specific peril—hacking. The success of social engineering schemes is premised upon an employee acting on misrepresentations or fraudulent information contained in emails—it is not a technological attack on an insured’s computer system. Therefore, social engineering schemes do not qualify for coverage under computer fraud provisions because they do not satisfy the insureds’ burden of proving a fraudulent or unauthorized entry into a computer system. An insured cannot circumvent that element of its claim by characterizing, without any evidence or authority, every email containing fraudulent information as an entry into its computer.

2. Voluntary Transfers Do Not Result Directly from Computer Fraud

Many social engineering claims do not involve the fraudulent withdrawal of funds from the insured’s account, but instead involve an authorized withdrawal induced by fraud.112 Losses from such transactions are outside the scope of coverage afforded by a computer fraud provision because they do not arise “directly” from “the use of any computer to fraudulently cause a transfer of that property;” they arise from an authorized transfer of funds.113

110 648 F.3d at 304 (internal citations omitted).

111 See, e.g., Spam Arrest, LLC v. Replacements, Ltd., No. C12-481RAJ, 2013 U.S. Dist. LEXIS 124820, at *68 (W.D. Wash. Aug. 29, 2013) (“no Ninth Circuit court has ever held that the mere act of sending an email constitutes access to a computer through which the email passes on the way to its recipient.”); Intel Corp. v. Hamidi, 71 P. 3d 296, 304 (Cal. 2003) (“the mere sending of electronic communications that assertedly cause injury only because of their contents” does not constitute “an actionable trespass to a computer system through which messages are transmitted”).

112 Pinnacle Processing, 2011 U.S. Dist. LEXIS 128203 (rejecting the insured’s contention that computer fraud coverage is implicated simply because a computer was used in the scheme).

These types of claims are analogous to forgery claims under Insuring Agreement D and Insuring Agreement E of the Standard Form No. 24 Financial Institution Bond. Those insuring agreements, like the computer fraud provision, require proof of a nexus between the covered peril and the loss. Where the insured cannot establish such a nexus, courts have declined coverage and granted summary judgment for the insurer.114

The decision in Valley Community Bank v. Progressive Casualty Insurance Co. illustrates the point. In that case, the bank alleged that it extended credit in reliance on forged documents. However, the underlying loan agreements were not forged. The claim was predicated upon the fact that the disbursement request was forged. The insurer denied coverage, arguing that the claimed loss did not result directly from a forgery. The insured argued that the loss resulted directly from the forgery because the forged document induced it to advance the loan proceeds. The district court rejected that argument:

The forgery on the ACA is at best a cause in fact, not the predominant or proximate cause as Garvey requires. While Plaintiff argues that but for the forgery on the ACA, no ACA would have been submitted to Plaintiff and consequently the loan would not have been made, it is also true that but for Del Biaggio’s misrepresentation the loan would not have been made. There are, as is typically the case, a number of causes in fact. The issue is which is the predominant or proximate cause. The ACA was merely an instrument among many others which were needed to document the loan. . . .115

113 Brightpoint, Inc. v. Zurich Am. Ins. Co., No. 1:04-CV-2085-SEB-JPG, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2006).

114 See, e.g., Valley Cmty. Bank v. Progressive Cas. Ins. Co., 854 F. Supp. 2d 697 (N.D. Cal. 2012); KW Bancshares v. Syndicates of Underwriters at Lloyd’s, 965 F. Supp. 1047 (W.D. Tenn. 1997) (extension of credit based upon a forged letter that purportedly confirmed the borrower’s entitlement to a bonus did not cause loss because borrower not entitled to bonus); French Am. v. Flota Mercante Grancolombiana, S.A., 752 F. Supp. 83 (S.D.N.Y. 1990) (extension of credit against forged bill of lading not covered because lack of collateral, not forgery, caused the loss); Liberty Nat’l Bank v. Aetna Life & Cas. Co., 568 F. Supp. 850, 866 (D.N.J. 1983) (loan induced by forged CD not covered because lack of collateral, not forgery, caused the loss).

While Valley involved a forgery claim, it is nonetheless analogous to a computer crime claim; both types of claims arise from a fraudulent instruction. Valley held that the mere fact that the disbursement request was an instrumentality used to perpetrate the fraud did not establish direct causation. Rather, the direct cause of the loss was the false representations used to induce approval of the loans. The insured has, upon receipt of an instruction, the choice to take immediate action, conduct an analysis of the instruction or decline the instruction. That decision-making process breaks any causal nexus and demonstrates that the loss arose from an authorized transfer of funds.

The decision in Brightpoint, Inc. v. Zurich American Insurance Co. illustrates the point.116 That case arose from the theft of nearly $1.5 million through a scam involving prepaid telephone cards. The insured’s subsidiary was a wholesale distributor of prepaid mobile telephone cards. As was its customary practice, the insured received a faxed purchase order from one of its regular prepaid phone card dealers. Along with the faxed purchase order, the insured would accept a post-dated check from the dealer and, in addition, would require the dealer to provide a bank guarantee certifying the sufficiency of the funds in the dealer’s account and committing the bank to honoring the post-dated check when it was presented on the maturity date. The dealer normally sent copies of the post-dated checks, guaranties, and purchase orders to the insured by facsimile. The insured would then purchase the phone cards from a telecom company and deliver them to the dealer in exchange for the original check, guaranty, and purchase order.117

On two occasions the insured received, by facsimile, purchase orders, post-dated checks, and guaranties thought to be from the dealer.

115 854 F. Supp. 2d at 710.

116 No. 04-cv-2085, 2006 U.S. Dist. LEXIS 26018 (S.D. Ind. Mar. 10, 2016); see also Pestmaster, 2014 U.S. Dist. LEXIS 108416.

117 Id.

After receiving the faxed orders, the insured sent a representative to the telecom company from which it purchased the phone cards to be distributed to the dealer. After leaving the telecom company’s building, the insured’s representative then met with a known employee of the dealer who had, in fact, been present at previous exchanges. The dealer’s purported employee delivered to the insured the original copy of the post-dated check and bank guarantee in exchange for the $1.5 million worth of prepaid phone cards.

A few days after the exchange, the dealer met with the insured to advise that it had not authorized issuing the purchase order, denied authorizing the bank to issue the guaranties, and denied authorizing its employee to pick up the cards. Ultimately, the phone cards were never recovered, and the insured never received payment for the stolen cards.

The insured subsequently made a claim under the computer fraud provision of its commercial crime policy, arguing that the computer fraud was carried out by a fraudulent facsimile purchase order and that the fax machine constituted the use of a computer.118 The insurer focused on the direct loss requirement and contended that the facsimile transmission did not “fraudulently” cause a transfer of the phone cards, as required under the computer fraud definition. Rather, the insurer argued that the fraudulent facsimile simply alerted the insured to an order. Based on the insured’s established practices, it would not have exchanged the phone cards simply on the basis of the facsimile itself. It was only after the insured received the physical documents that it would release the cards. Therefore, the insurer argued, the fraud was carried out through the use of unauthorized checks and guaranties and was not directly or proximately caused by the use of a computer.

The insured argued that the policy only required that the theft follow and be directly related to the use of a computer. Because the policy did not contain a modifier such as “proximate cause,” the insured argued that all that was required by the policy was the use of a computer followed by a theft that was in some way connected to that initial use of the computer. The court rejected the insured’s interpretation of the term “directly related” and found that the insured’s loss did not flow immediately from the use of the facsimile machine. The court stated that “directly” was defined as “in a straight line or court” and “immediately.”119 The court held that the insured’s admission that it followed its established procedures after receiving the facsimile was an intervening event.120 Therefore, the Brightpoint court held that intervening events or circumstances became the direct, proximate, predominant, and immediate cause of the insured’s loss.121

118 Brightpoint, 2006 U.S. Dist. LEXIS 26018, at *2; McDonald, et al., Computer Fraud and Funds Transfer Fraud Coverages, XIV FID. L.J. 109 (2008).

The district court in Pestmaster reached the same conclusion as Brightpoint. In that case, the insured voluntarily transferred funds to a third party, but claimed that its loss was nonetheless covered under a computer crime policy because it was induced to transfer the funds based upon information conveyed through a computer. The district court rejected that argument, holding that the policy was only intended to cover a hacking incident, not a voluntary transfer of funds:

As discussed above, “Computer Fraud” means “use of any computer to fraudulently cause a transfer of Money, Securities, or Other Property from inside the Premises or Banking Premises” to a person or place outside the Premises or Banking Premises. In other words, “Computer Fraud” occurs when someone “hacks” or obtains unauthorized access or entry to a computer in order to make an unauthorized transfer or otherwise uses a computer to fraudulently cause a transfer of funds.122

The court drew a distinction between an involuntary transfer and a voluntary transfer induced by fraud:

However, there is an important distinction between “fraudulently causing a transfer,” as “Computer Fraud” is described in the Policy, and Pestmaster’s interpretation of “Computer Fraud” as “causing a fraudulent transfer.” . . . In this case, it is undisputed that Pestmaster authorized Priority 1 to initiate ACH transfers from its account to Priority 1’s account so that Priority 1 could pay Pestmaster’s payroll and payroll taxes. In its Opposition, Pestmaster does not argue—nor could it—that Priority 1 was an unauthorized user or hacker or that Priority 1 somehow subverted Pestmaster’s computer in the actual transfer of funds into Priority 1’s account. It is also undisputed that after the transfer of the funds was completed, Priority 1 used the money to pay its own obligations rather than to pay Pestmaster’s obligations as required by their agreement. However, Priority 1’s fraudulent conduct occurred only after the authorized transfer had been completed and the money was transferred to Priority 1’s account pursuant to its agreement with Pestmaster.123

119 Id. at *20.

120 Id. at *19.

121 Id.

122 Pestmaster, 2014 U.S. Dist. LEXIS 108416, at *19.

The court in Kraft Chemical applied these holdings to a social engineering scheme.124 After receiving the spoofed vendor emails containing the fraudulent bank information, the insured followed its procedures and processed the wire transfer: one employee logged onto the insured’s bank’s website, and then a second employee, the insured’s CFO, logged onto the website to review, approve and release the wire transfer. The court characterized this sequence as follows: “the undisputed record indicates that while [the insured’s] claim is premised on the receipt of fraudulent emails, the emails did not cause the transfer of funds; rather the transfer was knowingly effectuated by [the insured’s] employees.”125

Because the transfer was knowingly authorized by the insured’s employees, the court held that it was not a direct loss as required by the computer fraud provision.126 The court determined that the word “direct” in the provision required that the insured prove that the loss was directly, not proximately, caused by the fraudulent information in the spoofed vendor email:

123 Id. at *20-21; aff’d, 2016 U.S. App. LEXIS 13829, *2 (“we interpret the phrase ‘fraudulently cause a transfer’ to require an unauthorized transfer of funds.”).

124 Kraft Chemical, 2016 Ill. Cir. LEXIS 1, at *24-27; see also Taylor and Lieberman v. Federal Ins. Co., No. 14-cv-3608, 2015 U.S. Dist. LEXIS 79358, at *10 (C.D. Cal. June 18, 2015) (“a common use interpretation of direct loss provides that a loss is not direct unless it follows immediately and without intervening space, time, agency, or instrumentality.”).

125 Id. at *24.

The transfers in the case sub judice did not occur “immediately” after the hacking of [the vendor’s] computer or the receipt of the subject emails. The transfers occurred a week later after [the insured’s] employees completed an accounting process and approved the transfer of funds. Additionally, it is noteworthy that in Tooling, the 6th Circuit noted that Illinois adopts the “direct is direct” analysis rather than the broader “proximate cause” analysis . . .127

Insureds confronted with a loss due to social engineering face a difficult hurdle in proving coverage because the false information conveyed in a spoofed email does not directly cause a wire transfer. Rather, the false information is acted upon by the organization’s employees, who had the opportunity to verify the information before acting upon it. It is the acts of the employees and the organization that intervene and break the alleged direct nature of the social engineering scheme.

3. Insureds May Rely Upon Anomalous Case Law

The unambiguous language of the standard computer fraud provision requires that the insured prove a hacking—as opposed to just showing that it received false information in an email—and that it sustained a direct loss of funds, as opposed, for example, to its employees knowingly effectuating a wire transfer. However, there are two anomalies in the emerging case law considering social engineering schemes.128

126 Id. at *26-27 (citing Tooling, Manufacturing & Technologies Ass’n v. Hartford Fire Ins. Co., 693 F.3d 665 (6th Cir. 2012)).

127 Id. at *27.

128 Owens, Schine & Nicola, P.C. v. Travelers Cas. & Sur. Co. of Am., No. CV-095024601, 2010 Conn. Super. Ct. LEXIS 2386 (Conn. Super. Ct. Sept. 17, 2010); Apache Corp. v. Great Am. Ins. Co., No. 4:14-CV-237, 2015 U.S. Dist. LEXIS 161683 (S.D. Tex. Aug. 7, 2015).

An insured may argue that the decision in Owens, Schine & Nicola, P.C. v. Travelers Cas. & Surety Co. of America129 mandates coverage when an insured subsequently acts on fraudulent information. In Owens, the thief used emails to induce the insured to cash a fraudulent check. The insured sought coverage under the policy’s computer fraud provision which covered “direct loss of, or your direct loss from damage to, Money, Securities and Other Property directly caused by Computer Fraud.”130 The provision defined “computer fraud” as “the use of any computer to fraudulently cause a transfer of Money, Securities or Other Property from inside the Premises or Banking Premises . . . .”131

The court found coverage because it incorrectly concluded that the insured need only prove that the use of any computer proximately caused the claimed loss. Since the court concluded that the insured had established that the emails facilitated the fraud, it concluded that the use of a computer was the proximate cause of the loss:

Owens argues that it fell victim to a fraud which was committed by the use of emails to induce Owens to wire the monetary funds from its IOLTA account to a bank in South Korea. The e-mails were the proximate cause and “efficient cause” of Owens’ loss because the e-mails set the chain of events in motion that led to the entire loss.132

Thus, the Owens trial court held that under that policy language, the receipt of fraudulent information was covered under the computer fraud provision even though there was no hacking of the insured’s computer system and the insured’s employees knowingly effectuated the wire transfer.133

129 Id.

130 Id. at *9-10.

131 Id.

132 Id. at *22.

133 Owens is of questionable value because the decision was subsequently vacated by the agreement of the parties.


Similarly, the insured in Apache Corp. v. Great American Insurance Company was confronted with a social engineering scheme when an employee received an email attaching a fraudulent letter that appeared to be from one of the insured’s vendors.134 The policy at issue provided coverage for loss “resulting directly from the use of any computer to fraudulently cause a transfer.”135 As with Owens, the Apache court ruled that the fact that the fraudulent letter was sent via email triggered coverage.136 The court incorrectly applied a broad causation standard, and held that all the insured needed to show to prove coverage was that the email was a “cause in fact,” or “substantial factor” in bringing about the loss.137

The Owens and Apache decisions are oddities in the compendium of computer fraud case law because they relied entirely upon the application of a proximate causation standard, in lieu of the direct causation standard incorporated into standard form commercial crime policies.138 Equating direct causation with proximate causation represents a minority view rejected by the vast majority of courts throughout the United States. Applying a dictionary definition of “directly,” the weight of authority defines “directly” as meaning “immediate” and adopts the “direct is direct” approach.139 A few courts have applied the proximate cause approach, but only in states that permit an insured to import tort principles into contracts.140 The majority of courts141 reject that approach: “Insurance coverage cases are not concerned with the philosophical social-duty underpinnings of tort law. The action sounds in contract, and [the court’s] task is to interpret the parties’ agreement.”142

134 2015 U.S. Dist. LEXIS 161683, *6.

135 Id. at *2.

136 As of the publication date of this article, the insurer’s appeal of the Apache court’s decision is pending in the Fifth Circuit, No. 15-20499.

137 Id. at *7-8.

138 The New York Court of Appeals in Universal commented that “the Owens decision is of little assistance” to the insured’s claim under that policy. Universal, 25 N.Y.3d at 675.

139 See, e.g., Tooling, 693 F.3d 665; Vons Cos., Inc. v. Fed. Ins. Co., 212 F.3d 489, 492-93 (9th Cir. 2000); Lynch Props., Inc. v. Potomac Ins. Co., 140 F.3d 622, 629 (5th Cir. 1998), aff’d, 962 F. Supp. 956 (N.D. Tex. 1996); Direct Mortg. Corp. v. Nat’l Union Fire Ins. Co., 625 F. Supp. 2d 1171, 1174-76 (D. Utah 2008); Georgia, Citizens Bank & Trust Co. v. St. Paul Mercury Ins. Co., No. CV305-167, 2007 U.S. Dist. LEXIS 96529, at *10-13 (S.D. Ga. Sept. 14, 2007); Armbrust Int’l, Ltd. v. Travelers Cas. & Sur. Co. of Am., No. CA04-212ML, 2006 U.S. Dist. LEXIS 25640, at *5-6, *23-27 (D.R.I. May 1, 2006); Fireman’s Fund Ins. Co. v. Special Olympics Int’l, Inc., 249 F. Supp. 2d 19, 27 (D. Mass. 2003).

The decision in RBC Mortgage Co. explains why courts cannot import a proximate causation analysis into a computer fraud provision. In that case, the insured argued that a financial institution bond covered its liability to a third party because its liability was proximately caused by employee dishonesty. Recognizing that the bond was intended to adopt a stricter causation standard, the Illinois Appellate Court rejected that argument:

The proximate cause analysis simply is too broad to capture accurately the intent behind the phrase ‘loss resulting directly from.’ . . . To equate ‘loss resulting directly from’ with ‘loss proximately caused by’ requires a strained reading of ‘direct loss,’ which is a much narrower concept than ‘proximately caused loss.’143

The Sixth Circuit Court considered the split of authority on this issue in Tooling, Manufacturing & Technologies Association v. Hartford Fire Insurance Co.144 After reviewing the existing authority addressing this issue, the court rejected the argument that “direct loss” equates to proximate causation: “By claiming that it was ‘inevitable’ and ‘inescapable’ that it would suffer a loss due to Tyler’s actions, the TMTA is essentially arguing that we should apply the ‘proximate cause’ definition for ‘directly.’ We decline to do so because we find the ‘direct is direct’ approach more persuasive.”145

140 Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., 691 F.3d 821 (6th Cir. 2012); Scirex Corp. v. Federal Ins. Co., 313 F.3d 841, 848-50 (3d Cir. 2002); First Nat’l Bank of Louisville v. Lustig, 961 F.2d 1162, 1167-68 (5th Cir. 1992); Graybar Elec. Co., Inc. v. Fed. Ins. Co., 567 F. Supp. 2d 1116, 1127 (E.D. Mo. 2008); Frontline Processing Corp. v. Am. Econ. Ins. Co., 149 P.3d 906, 911 (Mt. 2006); Auto Lenders Acceptance Corp. v. Gentilini Ford, Inc., 854 A.2d 378, 385-87 (N.J. 2004).

141 RBC Mortg. Co. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 812 N.E.2d 728, 733 (Ill. App. Ct. 2004); Tri City Nat’l Bank, 268 Wis. 2d at 802-03.

142 First State Bank v. Ohio Cas. Ins. Co., 555 F.3d 564, 570 (7th Cir. 2009).

143 RBC Mortgage, 812 N.E.2d at 736; see also Tri City Nat’l Bank v. Fed. Ins. Co., 268 Wis. 2d at 802-03 (Wis. Ct. App. 2003).

144 693 F.3d 665 (6th Cir. 2012).

Brightpoint, Pestmaster, and Kraft Chemical demonstrate the true intent of the computer fraud insuring agreement (to cover hacking incidents) and why loss resulting from the insured’s conscious decision to proceed with a business transaction, even if induced by a computer submission, is not covered.146

B. Funds Transfer Fraud Coverage

While the funds transfer fraud coverage is often written along with computer fraud coverage,147 the two insuring agreements have separate burdens of proof and protect against separate risks.148 While the computer fraud insuring agreement is designed to cover a hacking incident, the funds transfer fraud insuring agreement is designed to cover the limited instances where an imposter induces a financial institution to withdraw funds from the insured’s account by posing as the insured and submitting fraudulent instructions. However, neither insuring agreement covers a social engineering scheme.

A typical example of the coverage afforded by the Funds Transfer Fraud Coverage is as follows:

Funds Transfer Fraud: We will pay you for your direct loss of Money and Securities contained in your Transfer Account on deposit at a Financial Institution directly caused by Funds Transfer Fraud.

145 Id. at 676.

146 Cumberland Packing Corp. v. Chubb Ins. Corp., 958 N.Y.S.2d 306 (N.Y. Sup. Ct. 2010) (holding that there was no coverage under a Funds Transfer Fraud Insuring Agreement for an insured’s losses that occurred after it voluntarily wire transferred funds to Bernie Madoff for investment purposes).

147 John J. McDonald, Jr., Daniel L. Payne, Kerry M. Evensen & Eric Emmette, Unique Issues With Special Cases: Computer and Funds Transfer Fraud, Inventory Losses, and Loan Losses, http://litigationconferences.com/wp-content/uploads/2009/12/McDonald.pdf (last visited June 28, 2016).

148 Id.

“Funds Transfer Fraud” is defined to mean

1. an electronic, telegraphic, cable, teletype or telephone instruction fraudulently transmitted to a Financial Institution directing such institution to debit your Transfer Account and to transfer, pay or deliver Money or Securities from your Transfer Account which instruction purports to have been transmitted by you, but was in fact fraudulently transmitted by someone other than you without your knowledge or consent;

2. a fraudulent written instruction, other than one covered under Insuring Agreement B., issued to a Financial Institution directing such Financial Institution to debit a Transfer Account and to transfer, pay or deliver Money or Securities from such Transfer Account by use of an electronic funds transfer system at specified intervals or under specified conditions which written instruction purports to have been issued by you but was in fact fraudulently issued, Forged or altered by someone other than you without your knowledge or consent; or

3. an electronic, telegraphic, cable, teletype, telefacsimile, telephone or written instruction initially received by you which purports to have been transmitted by an Employee, but which was in fact fraudulently transmitted by someone else without your or the Employee’s consent.149

This definition requires that the insured prove (1) that the instructions to debit money out of the account be “fraudulent”; (2) that the instructions “purport” to have been authorized by an Insured; and (3) that the instruction be fraudulently transmitted, issued, forged or altered. The insuring agreement will not, therefore, respond where an employee authorizes a withdrawal.150 The “purport” to have been authorized language makes coverage applicable only where an unauthorized “imposter” issues the debit instruction(s).151 The limited case law interpreting this provision demonstrates that it does not cover social engineering.

149 McDonald, Wiegert & Glasgow, supra note 63, at 115.

In Morgan Stanley Dean Witter & Co. v. Chubb Insurance Co., the insured agreed to provide custodial services for property owned or held by a client. According to the custodial services agreement between them, the insured could only respond to instructions from specifically authorized persons.152 In order to facilitate the instructions, the insured provided the client with computer software allowing access to the insured’s computer programs. The client subsequently entered into an agreement to manage a third party’s investments, and opened an account which was subject to the custodial services agreement between the two parties.153

After the third party was subsequently sold, the client was ordered to cease all trading on its behalf; however, the insured was not informed that the authorization was revoked.154 Despite the lack of authority, the client then ordered the insured to liquidate the accounts and transfer the third-party funds to the client’s bank accounts. The transactions were accomplished through instructions sent by computer, fax, and voice to the insured by persons who were specifically authorized by the client.155

150 Black’s Law Dictionary defines a “fraudulent act” as “[c]onduct involving bad faith, dishonesty, a lack of integrity, or moral turpitude.” BLACK’S LAW DICTIONARY 687 (8th ed. 1990). This definition requires proof of an intent to deceive: “mere irregularities committed without such intent do not constitute acts of fraud or dishonesty.” 13 COUCH ON INSURANCE 2d § 46:55.

151 Federal Credit Union v. FinSecure, LLC, No. 13-6399, 2014 U.S. Dist. LEXIS 49596 (E.D. Pa. Apr. 9, 2014); Morgan Stanley Dean Witter & Co. v. Chubb, No. A-4124-03T2, 2005 N.J. Super. Unpub. LEXIS 798 (N.J. App. Div. Dec. 2, 2005); Northside Bank v. American Cas. Co. of Reading, No. GD 97-19482, 2001 LEXIS 335 (Pa. Commw. Pl. Jan. 10, 2001).

152 2005 N.J. Super. Unpub. LEXIS 798, at *7-10.

153 Id.

154 Id.

The insured subsequently made a claim under its funds transfer fraud provision because the loss was allegedly a result of fraudulent instructions communicated by voice, fax, and computer. That provision provided coverage for:

fraudulent Fax transfer instructions . . . [that] fraudulently purports to have been made by a customer or other authorized representative but which Fax transfer instructions were not made by the customer or other authorized person.

The court granted summary judgment to the insurer on this insuring agreement because the policy “limits coverage unambiguously to situations where an unauthorized person poses as a customer or other authorized person to issue the fraudulent transfer instructions—the so-called ‘imposter coverage.’”156 Because the insured executed an agreement with the client permitting the insured to trade pursuant to instructions from authorized employees of the client, the court found there was no fraud by an imposter.

In Northside Bank v. American Casualty Co. of Reading, the insured opened an account for its client-merchant pursuant to a merchant services agreement.157 Pursuant to the agreement, the client-merchant would accept orders for merchandise by debit and credit card payments. Upon receipt of electronically transmitted debit and credit card authorizations from the client-merchant, the insured would then transfer money into the client-merchant’s account. However, it turned out that the client-merchant never actually delivered the purchased merchandise to its customers. When the client-merchant’s customers exercised their rights under federal law to rescind their debit and credit card payments for the undelivered goods, the creditors refused to pay the insured or charged back the amounts they had paid to it. When the insured similarly attempted to charge back the client-merchant’s account, it discovered that the account had been completely depleted.

155 Id.

156 Id.

157 2001 Pa. Dist. & Cnty. Dec. LEXIS 335, at *2 (Pa. Commw. Pl. Jan. 10, 2001).

The insured sought coverage under its funds transfer fraud insuring agreement for what it deemed to be fraudulent electronic fund transfers and computer crimes. The insured argued that the loss was covered because the submission from the client-merchant was an electronic instruction and the subsequent failure to ship the merchandise should be viewed as a “modification” or “alteration” of the electronic instruction with the intent to deceive. The court held that the electronic instructions sent from the client-merchant were never modified or altered but were paid according to the intended instruction, and found the insured’s claim to be at odds with the “obvious intent of the insurance policy.”158 Northside Bank found that the purpose of the funds transfer coverage was to protect the insured from an imposter, whereas the instruction at issue in the case was sent to the bank unaltered, which was not the type of risk contemplated by the coverage.

The funds transfer fraud insuring agreement does not cover every transfer induced by fraud. It requires proof that someone impersonated the insured by requiring a fraudulent instruction “without [the insured’s] knowledge or consent.” The phrase “without . . . knowledge or consent” distinguishes involuntary transactions by an imposter from fraudulently-caused voluntary transfers. In social engineering schemes, the insured’s authorized signatory voluntarily executes the wire transfer (even if based upon a misrepresentation). Thus, the insuring agreement does not apply.159

Cumberland Packing Corp. v. Chubb Insurance Corp. explains the flaw in submitting a social engineering loss under the funds transfer fraud insuring agreement.160 In that case, an insured that invested money with Bernie Madoff sought coverage under its commercial crime policy on the theory that Madoff stole money by transferring money from its account.161 The insured, however, granted Madoff authority to transfer money from the account. Although Madoff transferred money as part of a fraud and Madoff induced the insured into granting him authority to withdraw money, the court held that the funds transfer fraud insuring agreement did not apply because Madoff was authorized to transfer the funds. That Madoff misused his authority and transferred money for personal gain did not trigger coverage.162

158 2001 Pa. D&C LEXIS 273, at *7.

159 Pestmaster, 2014 U.S. Dist. LEXIS 108416, aff’d, 2016 U.S. App. LEXIS 13829, at *2 (“we agree that there is no coverage under this clause when the transfers were expressly authorized.”); Northside Bank, 60 Pa. D. & C. 4th 95, 101-102.

160 58 N.Y.S.2d 306 (N.Y. Sup. Ct. 2010).

Social engineering schemes normally involve employees who knowingly initiate and execute the claimed wire transfer. Indeed, the insured’s employees will often follow the organization’s procedures by obtaining approval to process a funds transfer and then fulfilling that authorization by creating and releasing the wire transfer.163 An insured may challenge this analysis by arguing that the wire transfer was induced by fraud and therefore could not have been made with knowledge and consent.164 However, this argument ignores the fact that the typical social engineering scheme does not involve an altered, manipulated, or forged wiring instruction; rather, the social engineer’s technique of impersonation and misrepresentation is directed at the employee with the goal of convincing the employee to process an authorized wire transfer (even though it is directed to the imposter’s bank account).

Cumberland is persuasive to this analysis because that case held that a transfer approved by a thief was not covered because the insured is charged with knowledge of transfers approved by an agent. If that rule applies to a thief, it applies with greater force to an allegedly innocent employee who, acting within their authority, approves a wire transfer. There is no legal justification for why an insured is not charged with knowledge of a transfer disclosed to its employees and executed by its authorized signatories. Such transfers are in fact issued by the insured (not purportedly issued by the insured) and thus do not qualify for coverage under a funds transfer fraud provision.

161 Id.

162 Id.; Pestmaster, 2014 U.S. Dist. LEXIS 108416, at *6-7 (transfer induced by misrepresentation not covered).

163 See, e.g., Kraft Chemical, 2016 Ill. Cir. LEXIS 1, at *27.

164 Insureds may attempt to distinguish Cumberland on the theory that the policy at issue in that case included an authorized representative exclusion. The discussion of the exclusion is immaterial because the holding is based upon the funds transfer fraud insuring clause: “In any event, the facts of the loss do not comport with the definitions of coverage under . . . Funds Transfer Fraud.” 958 N.Y.S.2d at 306.

C. Forgery Coverage

Some insureds argue that social engineering schemes trigger forgery coverage on the theory that typing a name in an email qualifies as a forgery. This theory ignores the terms of the forgery insuring agreement, which conditions coverage upon proof of

Loss resulting directly from “forgery” or alteration of checks, drafts, promissory notes, or similar written promises, orders or directions to pay a sum certain in “money” that are

(1) Made or drawn upon or drawn upon you; or

(2) Made or drawn by one acting as your agent or that are purported to have been so made or drawn . . .165

Social engineering schemes166 do not trigger these elements because: (1) emails do not contain a signature and thus do not bear a defined forgery, and (2) emails are not qualifying documents because they do not contain a promise to pay.

1. A Typed Name by an Unidentified Sender Is Not a Forgery

Although an insured may bear a substantial risk of exposure from social engineering, the forgery provision limits coverage to losses resulting directly from forgery or alteration. A typical definition for forgery is the “signing of the name of another person or organization with the intent to deceive.” This definition usually provides that forgery does not mean “a signature which consists in whole or in part of one’s own name signed with or without authority, in any capacity, for any purpose.”

165 ISO CR 00 23 08 13 (2012).

166 At the time of publication, there were no reported decisions analyzing whether a social engineering scheme is covered under the forgery provision.

The court analyzed this definition in French American Banking Corp. v. Flota Mercante Grancolombiana S.A.167 In that case, the insured issued loans in reliance on invoices containing unknown and unauthorized signatures. The court held that, under the bond’s definition of forgery, the signing of one’s own name, even without authority, did not constitute a forgery.

[The insured’s] reliance on [Filor] for the proposition that the definition of forgery under New York law is ambiguous, and therefore the term “forgery” as used in the Bond must be construed against [the insurer], is misplaced. That case held that “forgery” in a broker’s blanket bond was ambiguous. The Second Circuit then construed that term against the insurer and found an unauthorized signature to constitute a “forged” signature. The Second Circuit hinged its finding of ambiguity on a revision to the New York penal law in 1967 that expanded the definition of forgery to include “writings unauthentic because not authorized.” [citation omitted] However, [Filor] involved bonds that did not define forgery. Here, the Bond expressly provides that forgery “does not include signing one’s own name with or without authority, in any capacity, for any purpose.”168

The fact that the documents were used to perpetrate a fraud does not itself prove a forgery.169 The Eastern District of New York recognized this principle in Suffolk Federal Credit Union v. CUMIS Insurance Society Inc., holding that counterfeit assignments neither bore a forgery nor were altered since it was “undisputed” that the employees of the loan servicer signed their own names on the assignments.170

167 French Am. Banking, 752 F. Supp. at 90.

168 Id. at 90.

169 See Milwaukee Area Tech. College v. Frontier Adjusters, 2008 WI App 76, P15, 312 Wis. 2d 360, 374 (Wis. Ct. App. 2008).

170 910 F. Supp. 2d 446, 460 (E.D.N.Y. 2012).


Pursuant to Suffolk and Flota, the insured has the burden of proving that the claimed document contains the signature of another human.

The theory that typing a name in an email qualifies as a forgery ignores the definition’s reference to “signature.” The use of that term differentiates between the typing of a name and the distinctive signing of a name, because the term “signature” means “a person’s name written in that person’s handwriting”171 or “a person’s name written in a distinctive way as a form of identification in authorizing a check or document or concluding a letter.”172 A typed name on an e-mail does not satisfy these ordinary definitions, as it is not a distinctive or stylized presentation of the person’s name.

For instance, the court in Parma Tile Mosaic & Marble Co., Inc., v. Fred Short, et al. held that the electronic addition of a name did not constitute a signature.173 In that case, the plaintiff argued that a document sent via facsimile bore a “signature” because the defendant programmed a fax machine to imprint its name on every page. Even though the defendant programmed the machine to imprint its name, the Court of Appeals rejected the notion that the typed name constituted a “signature.”174

In Elmer Fox & Co. v. Commercial Union Insurance Co., the court reached the same conclusion while interpreting forgery coverage.175 In that case, the bank argued that a check was forged because it was endorsed with a stamp bearing the name of a company. The court rejected that notion, holding that even though the stamp contained the name of the company, it was not a signature: “[The] rubber stamp endorsement consists of the words ‘For deposit only’ with the name and address of the company. This is not a signature.”176

171 “Signature,” Merriam-Webster Online Dictionary, www.merriam-webster.com.

172 “Signature,” Oxford Dictionaries, www.oxforddictionaries.com; see also “Signature,” http://en.wikipedia.orn/wiki/Signature.

173 663 N.E.2d 633 (New York 1996).

174 Id. at 634-35.

175 274 F. Supp. 235, 240 (D. Colo. 1967).

176 Id.


Social engineering schemes, in particular the vendor or superior impersonation schemes, rely upon the imprimatur of legitimacy which may include insertion of the legitimate signature block of the spoofed sender.177 Consistent with Flota, Parma Tile, and Elmer Fox, the typewritten name at the conclusion of an e-mail is not a replication of that person’s handwritten signature and does not have any of the attributes of a signature of the alleged signatory. Thus, it is unlikely that a court would find that a spoofed email contained a defined forgery, if it were confronted with the question in the context of a social engineering scheme.

2. An Email Is Not a Qualifying Document

A victim of a social engineering scheme needs to prove more than the existence of a defined forgery; it must also prove that the email is a qualifying document. In particular, the standard forgery provision limits coverage to a specific set of documents:

checks, drafts, promissory notes, or similar written promises, orders or directions to pay a sum certain in “money” that are (1) Made or drawn upon or drawn upon you; or (2) Made or drawn by one acting as your agent178

This language encompasses documents that “have traditionally been those with legal effect, documents that can be ‘deposited.’”179 An email does not satisfy this test because, unlike a check, it: (1) lacks a drawer, drawee, and payee; (2) is not depositable into a bank account by the recipient; and (3) does not contain a promise to pay money.180

177 Some forgery coverage provisions state that they cover “mechanically” reproduced signatures, but this phrase does not encompass the typing of a name in an email. In Bancinsure, Inc. v. Marshall Bank, N.A., 400 F. Supp. 2d 1140, 1144 (D. Minn. 2005), the court held that the definition of forgery required “‘a signature that has been prepared and reproduced by mechanical or photographic means,’ in other words, a signature that was generated by some mechanical process, rather than by a handwriting.” The phrase “mechanically reproduced” is “meant to distinguish that type of signature from one that is ‘handwritten.’” Id.

178 ISO CR 00 23 08 13 (2012).

179 The Vons Co., Inc. v. Federal Ins. Co., 57 F. Supp. 2d 933 (C.D. Cal. 1998), aff’d, 212 F.3d 489 (9th Cir. 2000).

The court in CustomMade Ventures v. Sentinel Insurance Co. rejected an insured’s analogous attempt to trigger forgery coverage.181 In that case, the court held that an altered e-mail did not trigger coverage because an email is not a qualifying document.182 The court explained that “Engelman could not take the e-mail to a bank and demand payment, just as he could not use an IOU from CustomMade written on a scrap of paper to pay his credit card bill. Thus, it is not of the same kind or class as a ‘check, draft, or promissory note.’”183

An insured cannot trigger coverage by simply alleging forgery based on the social engineer’s strategy of typing a name into an email. The insuring agreement requires a forgery of a specific type of document, and thus social engineering claims will not, by their very nature, trigger such coverage.

D. Common Exclusions Implicated by Social Engineering Claims

Claims under the above policy provisions for social engineering losses may implicate two standard exclusions included in a commercial crime policy: the authorized representative exclusion and the exchanges or purchase exclusions. Depending upon the nature of the claim, these exclusions help limit coverage to hacking incidents and obviate coverage for losses arising from a knowing transaction executed by an authorized representative.

180 Parkans Int’l, LLC v. Zurich Ins. Co., 299 F.3d 514 (5th Cir. 2002); Metro Brokers v. Transp. Ins. Co., 2013 U.S. Dist. LEXIS 184638, at *14 (N.D. Ga. Nov. 21, 2013).

181 No. 11-10365, 2012 U.S. Dist. LEXIS 131964, *5 (D. Mass. Sept. 17, 2012).

182 Id. at *5.

183 Id. (electronic transfers did not trigger coverage because they were not checks, drafts, promissory notes, bills of exchange, or similar written promises, orders, or directions to pay a sum certain).


1. Loss Caused by an Employee or Authorized Representative

Even if an insured can establish coverage for a social engineering loss, the claimed loss may be excluded from coverage if the loss was caused by an employee. Commercial crime policies do not cover “loss caused by an Employee or authorized representative of the Insured acting alone or in collusion with others.”184 This exclusion may be implicated either where the transfer leading to the claimed loss was processed by an employee or where the fraud was perpetrated by the insured’s representative.

First, many schemes are perpetrated using spoofed emails from the insured’s officers, business partners, or vendors. Black’s Law Dictionary defines “authorized” as “possessed of control or power delegated by a principal to his agent,” and the term “representative” as “a person or thing that . . . in some way corresponds to, stands for, replaces, or is equivalent to, another person or thing . . . including an agent, an officer of a corporation or association . . . or any other person empowered to act for another.”185 Applying these definitions, courts have held that this exclusion precludes coverage for a loss caused by an agent or representative of the insured.186

The Ninth Circuit addressed the scope of this exclusion in Stanford University Hospital v. Federal Insurance Co.187 In that case, a payroll servicer embezzled money from the insured. The insurer argued that the resulting loss was not covered because the policy excluded coverage for “loss due to Theft or any other fraudulent, dishonest or criminal act . . . by an authorized representative of the Insured whether acting alone or in collusion with others.”188 The court held that the exclusion precluded coverage because the payroll servicer performed a service on behalf of the insured and had access to the insured’s funds:

184 Id.

185 BLACK’S LAW DICTIONARY 133-34 (6th ed. 1990).

186 First Ins. Funding Co. v. Federal Ins. Co., 284 F.3d 799 (7th Cir. 2002); Stanford Univ. Hosp. v. Federal Ins. Co., 174 F.3d 1077 (9th Cir. 1999); G&C Construction Corp. v. St. Paul Fire & Marine Ins. Co., 731 F.2d 183 (4th Cir. 1984); Lyons Fed. Sav. & Loan v. St. Paul Fire & Marine Ins. Co., 863 F. Supp. 1441 (D. Kan. 1994); Colson Serv. Corp. v. Ins. Co. of N.A., 874 F. Supp. 65 (S.D.N.Y. 1994).

187 174 F.3d 1077 (9th Cir. 1999).

This court agrees with the First Circuit’s ruling that the plain meaning of the “authorized representative” language in the crime insurance policies is not ambiguous and covers those who by authorization of the insured are given access to and permitted to handle the insured’s funds. No other interpretation would make sense in terms of the crime insurance policy. The “authorized representative” provision excludes coverage for misappropriation of funds by those individuals or entities authorized by the insured to have access to the funds—in essence, those whom the insured empowers to act on its behalf. See 136 F.3d at 74. In this instance, plaintiffs protected themselves against thefts by employees of Hamilton-Taft by requiring that Hamilton-Taft bond its employees for potential dishonesty, which Hamilton-Taft did for $50 million. The problem in this case is that Armstrong and his cohorts at Hamilton-Taft stole over $95 million.189

The First Circuit reached the same conclusion in Stop & Shop Co., Inc. v. Federal Insurance Co.190 In that case, the First Circuit held that the term “authorized representative” encompassed “either a person or company empowered to act on an entity’s behalf.”191 The insured attempted to avoid the exclusion by arguing that the fraud was perpetrated by an employee of the insured’s representative. The court rejected that argument, holding that the exclusion applied to fraud by the representative or an employee of the representative:

It is most sensible to consider “authorized representative” as one of a series of capacities in which an individual who commits theft may have been given access to funds by the insured. We see the use of the term as a straightforward effort to embrace all statuses that are “authorized,” and thus are the insured’s responsibility to supervise. Because Hamilton Taft can act only through its officers, we must construe this exclusion to encompass generally acts by the officers of Hamilton Taft. As officers of the corporate representative, Armstrong and others were given access and power to divert funds.192

188 Id. at 1082.

189 Id. at 1085 (emphasis added).

190 136 F.3d 71 (1st Dist. 1998).

191 Id. at 74.

An insured may focus on the fact that the representative did not have access to its funds or acted unintentionally, but the definition of authorized representative is not limited to those who have access to an insured’s funds and the exclusion is not limited to intentional acts by an authorized representative.

The District Court for the Northern District of California addressed an analogous issue in Kubota Credit Corp., U.S.A. v. Federal Insurance Co.193 and held that the exclusion broadly applied to any loss caused by an “authorized representative”—even if that representative did not have access to the insured’s funds:

But Stanford did not purport to hold that the only type of authority sufficient to make an entity an “authorized representative” is authority over an insured’s funds. Such a definition would fly in the face of the plain meaning of “authorized representative,” which only requires a grant of “authority,” not necessarily a grant of “fiscal authority.” Indeed, there are a variety of contexts in which an individual or entity can be recognized as an authorized representative even where there is no grant of authority over another’s funds.194

192 Id. at 76; Colson Servs. Corp., 874 F. Supp. at 68 (concluding that “it would appear that the dictionary definition of the term ‘authorized representative’ would encompass an entity like NBW, which was given the authority by [the insured] to act as [the insured’s] agent in choosing which investments to make each day with the money held in the 12-7 Account”).
193 No. CV 10-2521, 2012 U.S. Dist. LEXIS 154498 (C.D. Cal. Apr. 2, 2012).

Kubota held that a distributor qualified as an “authorized representative,” even though the distributor did not have access to the insured’s funds, because the distributor was “empowered or permitted to represent [the insured] in some capacity or act on [the insured’s] behalf”: it was empowered to represent the insured in the sale, advertising and marketing of the insured’s products. Furthermore, the distributor utilized the insured’s promotional and advertising materials, interfaced with the insured’s information technology programs, and utilized the insured’s trademarks and trade names in connection with the promotion of the insured’s products.195

The decision in Milwaukee Area Technical College v. Frontier Adjusters of Milwaukee196 illustrates the impact of this exclusion on computer crime claims. In that case, the insured sought coverage under its crime policy for a $1.6 million loss sustained when it was defrauded by the owner of a firm the insured had retained to process its workers’ compensation claims. The wrongdoer stole the money by telling the insured that he had sent checks to health-care providers when, in fact, he had merely kept them.

The insured sought coverage under that policy’s computer fraud and funds transfer fraud provisions. The insured argued that the computer fraud coverage was triggered because the wrongdoer used a computer to print the dummy ledgers he sent to the insured when seeking reimbursement197 and because he had used a computer to manage his company’s bank account into which he deposited the reimbursement checks and those he stole.

The court held that an in-depth analysis of the coverage was unnecessary because the exclusion “blocked” coverage.198 Recognizing that the exclusion included dishonest acts by authorized representatives, the court held there was no dispute that the thief was an authorized representative. Although the insured argued that the theft could not have been authorized and, as such, that it could not have authorized the wrongdoer to steal from it, the court rejected this argument because it would render the entire exclusion inutile.199

194 Id. at *19-20.
195 Id. at *13-14.
196 752 N.W.2d 396, 403 (Wis. Ct. App. Apr. 22, 2008).
197 Id. at 398.
198 Id.

This exclusion was at issue in State Bank of Bellingham, where the insurer argued that it precluded coverage even though it was undisputed that a hacking of the insured’s computer system allowed the hackers to process two unauthorized wire transfers.200 The insurer argued that the exclusion for “loss caused by an Employee” precluded coverage because the employee’s failure to log off her computer, her violation of certain security protocols, and her failure to remove a password token caused the insured’s loss. The district court and the Eighth Circuit disagreed, holding that the hacking was the “overriding cause” of the loss and, therefore, that the exclusion did not apply.201

State Bank of Bellingham is instructive in the uncharted territory of whether the exclusion applies to a social engineering loss, because that court was confronted with an actual hacking event. In contrast, social engineering uses trickery, misrepresentation and manipulation to induce action by the employee. Thus, it is the subsequent act of the employee that causes the loss, not the social engineering scheme. This result is consistent with the computer fraud provision’s requirement—as detailed in Universal, Brightpoint, Pestmaster, and Kraft Chemical—that the insured prove that it sustained a direct loss from a hacking.

199 Id. at 402.
200 No. 13-cv-0900, 2014 U.S. Dist. LEXIS 136849 (D. Minn. Sept. 29, 2014), aff’d, 2016 U.S. App. LEXIS 9235 (8th Cir. May 20, 2016).
201 The trial and appellate courts’ analysis was primarily concerned with whether Minnesota applied the “concurrent-causation doctrine” to a financial institution bond. 2014 U.S. Dist. LEXIS 136849 at *51-59; 2016 U.S. App. LEXIS 9235, at *8-14. Both courts ultimately applied the doctrine, weighed the impact of the hacking versus the employee’s acts, and determined that the cause of the loss was the hacking.

2. Loss Due to Surrendering Money in Any Exchange or Purchase

Commercial crime policies do not cover loss “due to the giving or surrendering of Money or Securities in any exchange or purchase . . . .” In many social engineering cases, an insured is induced to advance money to pay an existing supplier for goods or services. The insured may argue that the advance was induced by fraud; however, the exclusion presumes a covered loss, and the existence of a fraud does not preclude application of the exclusion.202

The decision in Harrah’s Entertainment v. ACE illustrates how courts have applied the exclusion. In that case, a thief induced the insured to accept a fraudulent negotiable instrument in exchange for casino chips. The court held that the insured could not recover under its commercial crime policy because the policy excluded coverage for “loss due to the giving or surrendering of Money or Securities in any exchange or purchase.”203 Although the insured was a victim of fraud, the court nonetheless held that the exclusion applied because the policy “excludes coverage for any ‘giving or surrendering of Money or Securities in any exchange or purchase’ which is what occurred here.”204

Application of the exclusion depends upon the nature of the claim. In Sears Roebuck & Co. v. National Union Fire Insurance Co. of Pittsburgh, Pa.,205 the insured negotiated the purchase of advertising time from media outlets and engaged an agent to make payments to the media outlets on its behalf. The agent thereafter misappropriated the insured’s funds. The insurer argued that the claimed loss was not covered because the policy excluded coverage for loss arising from the “surrendering of assets in any exchange or purchase.” The court refused to apply this exclusion because the insured did not believe it was purchasing anything from the agent who stole the funds; Sears itself contracted with the media outlets. Consequently, the theft did not arise out of an exchange or purchase, but instead arose from the insured’s relationship with an agent who was entrusted to make payments and who absconded with the money. The court ruled that the theft of funds by the insured’s agent was an independent and intervening act and, therefore, the exclusion did not apply.

202 Courts have enforced similar exclusions. Harrah’s Ent., Inc. v. ACE Am. Co., No. 02-6519, 2004 U.S. App. LEXIS 10663 (6th Cir. May 27, 2004) (casino gave gambling credit in reliance on fraudulent cashier’s check); Bell Gardens Bicycle Casino v. Great Am. Ins. Co., No. 03-55845, 2005 U.S. App. LEXIS 3669 (9th Cir. Mar. 4, 2005) (casino permitted withdrawal of money based on fraudulent withdrawal receipts); Great Am. Ins. Co. v. AFS/IBEX Fin. Services, Inc., No. 3:07-CV-924-0, 2008 U.S. Dist. LEXIS 55532 (N.D. Tex. July 21, 2008) (insured was induced by fraudulent premium financing agreements to send checks to thief).
203 2004 U.S. App. LEXIS 10663, at *6.
204 Id. at *8.
205 No. B187280, 2007 Cal. App. LEXIS 8084 (Cal. App. Oct. 4, 2007).

In Kraft Chemical, the insured chemical distributor was the victim of a vendor social engineering scheme when a cyber criminal inserted himself into email correspondence between the insured and its wholesale vendor during the discussion of a legitimate transaction.206 The court held that the social engineering scheme was not covered under the computer fraud provision because the insured’s computer system was not hacked and the knowing and authorized transfer of funds was not a direct loss. In dicta, the court noted that the policy’s voluntary parting exclusion207 precluded recovery because the “Court [was] persuaded that there [was] no issue of fact that the transfers were made ‘knowingly’ . . . .”208 While the exclusion was not at issue in Kraft Chemical, the court’s superfluous comment is consistent with the policy’s requirement that the insured must incur an uninterrupted, direct loss from a hacking to prove coverage.

In contrast, insureds may cite Owens to argue that the exclusion is ambiguous and does not apply to a computer fraud claim.209 Owens refused to apply the voluntary parting exclusion because it concluded that the exclusion was ambiguous:

In Harrah’s, supra, upon which Travelers relies, the policy excluded coverage for any loss: “(1) due to the giving or surrendering of Money or Securities in any exchange or purchase: (2) due to accounting or arithmetical errors or omissions; or (3) of manuscripts, books of account or records.” Id., 389. The Harrah’s court found the exclusion language ambiguous as to the phrase “giving or surrendering of Money or Securities in any exchange or purchase,” finding it to be a “loosely worded exclusion.” Id., 391. The court concluded that the ambiguity must be construed against the drafter, which in an unusual circumstance, was Harrah’s, the insured, rather than the defendant insurance company. Id. Exclusion R. in the subject Travelers policy is ambiguous and must be construed against Travelers. Summary judgment based upon Exclusion R is denied.210

206 2016 Ill. Cir. LEXIS 1, at *9-11. This was a classic “man-in-the-middle” scheme.
207 The exclusion stated that “no coverage will be available for…voluntary exchange or purchase…loss due to an insured knowingly given or surrendered Money, Securities or Property in any exchange or purchase with a Third-Party….” 2016 Ill. Cir. LEXIS 1, at *8.
208 Id. at *27.
209 2010 Conn. Super. LEXIS 2386 at *27. This decision was vacated by stipulation of the parties.

While Owens rejected the exclusion, it never explained how the exclusion was subject to multiple interpretations, nor how the insured could prevail under its interpretation of the exclusion. It appears that the court did not address the issue because the case arose in the context of an attorney-client relationship and did not involve the sale of goods.

Many cases, however, arise in the context of the sale of goods and in that context, the courts have found the exclusion unambiguous and applied it as written. In the context of a social engineering scheme, courts may expand on Kraft Chemical’s dicta, and hold that transfers knowingly made by the insured (even when manipulated by a social engineer) are excluded from coverage.

210 Id.

V. DISTINGUISHING FIRST-PARTY LOSSES FROM THIRD-PARTY LOSSES

Social engineering schemes are usually constructed in a manner to manipulate the organization into wiring its funds to an imposter’s bank account, e.g., the typical vendor or impersonation scheme. However, the schemes may also ensnare an insured’s clients’ funds or customers’ confidential information. A social engineer may induce an employee into transferring funds from a client’s account or disclosing a customer’s confidential information.211 Using the customer’s information, the social engineer can then make fraudulent charges on the customer’s credit card or steal funds directly from the customer’s bank account.

From a coverage perspective, it is important to distinguish between a first-party loss of money owned or held by an insured and a third-party loss of client funds or information. That is why the insuring agreement limits coverage to “loss of and loss from damage to Covered Property resulting directly from the Covered Cause of Loss.” Claims arising from a loss to a third party are not covered, even if the third party pursues a claim against the insured and seeks to hold the insured liable for its loss.

Before 1980, commercial crime policies typically covered losses “through” employee dishonesty.212 In 1980, the fidelity industry implemented changes to “strengthen the concept of coverage for direct loss only.”213 It did so by substituting a “resulting directly” standard for the “through” standard.214 The adoption of the resulting directly standard resolved any split of authority215 over the compensability of claims based upon an insured’s vicarious liability to a third party.216 Various federal circuit courts,217 federal district courts218 and state appellate courts219 have addressed this issue and held that fidelity bonds do not cover an insured’s liability to a third party—even if that liability is due to employee dishonesty—because the payment of a liability is an indirect loss.

211 Michael Heller, Social engineering attack leads to leaked info on 20,000 FBI agents, TechTarget.com (Feb. 9, 2016), http://searchsecurity.techtarget.com/news/4500272795/Social-engineering-attack-leads-to-leaked-info-on-20000-FBI-agents (last visited June 30, 2016). In this case, the social engineer called the DOJ, claiming to be a new employee who was having problems getting into the department’s web portal. The cyber criminal reported that when he explained his purported problem to the DOJ employee, “They asked if I had a token code; I said no, [and] they said that’s fine—just use our one.” He was then able to access the DOJ’s database and the confidential information of thousands of agents and employees.
212 Comprehensive Dishonesty Disappearance and Destruction Policy (revised to March 1940), reprinted in STANDARD FORMS OF THE SURETY ASSOCIATION OF AMERICA (Surety Ass’n of America).
213 Robin Weldy, A Survey of Recent Changes in Financial Institution Bonds, 12 FORUM 895 (1977).
214 Commercial Crime Policy, General Exclusions, § A(3) (“We will not pay for . . . [l]oss that is an indirect result of any act or ‘occurrence’ covered by this insurance . . . .”).
215 Tri City Nat’l Bank, 268 Wis. 2d at 802-03 (quoting Karen Wildau, Evolving Law of Third-Party Claims Under Fidelity Bonds: When Is Third Party Recovery Allowed?, 25 TORT & INS. L.J. 92, 92-93 (1989)) (“The 1980 revision further restricted the bond by insuring a bank only for ‘[l]oss resulting directly from dishonest or fraudulent acts’ of its employees. . . . As noted above, ‘[t]he expressed intent of the underwriters was to refine the exact meaning of employee dishonesty under the bonds as a means of addressing judicial decisions expanding coverage beyond that originally contemplated, while ensuring that employers . . . could purchase . . . protection against dishonest employees”).
216 Travelers Ins. Co. v. P.C. Quote, Inc., 570 N.E.2d 614, 621 (Ill. App. Ct. 1991); City of Burlington, 599 N.W.2d at 472; Central Nat’l Ins. Co. of Omaha v. Ins. Co. of N.A., 522 N.W.2d 39, 43-44 (Iowa 1994); Aetna Cas. & Sur. Co. v. Kidder, Peabody & Co., 676 N.Y.S.2d 559, 566 (N.Y. App. Div. 1998); Lynch Props., 140 F.3d at 629; Drexel Burnham Lambert Group, Inc. v. Vigilant Ins. Co., 595 N.Y.S.2d 999, 1007 (N.Y. App. Div. 1993).
217 Universal Mortg. Corp. v. Württembergische Versicherung AG, 651 F.3d 759, 761-762 (7th Cir. 2011); Lynch Props., 140 F.3d at 629; Vons Cos., 212 F.3d at 492-93; California Korea Bank v. Va. Sur. Co., No. 98-56778 (C.D. Cal. Apr. 11, 2000).
218 Finkel v. St. Paul, No. 3:00CV1194, 2002 U.S. Dist. LEXIS 11581 (D. Conn. June 6, 2002); Direct Mortgage, 625 F. Supp. 2d at 1177-78.
219 ITT Hartford Life Ins. Co. v. Pawson, No. CV 940361910S, 1997 Conn. Super. LEXIS 1646 (Conn. Super. Ct. June 16, 1997); RBC Mortgage, 812 N.E.2d at 735; Travelers Ins. Cos., 570 N.E.2d at 621; Tri City Nat’l Bank, 268 Wis. 2d at 797-800.

The lack of coverage for third-party losses applies equally to the computer fraud insuring agreement’s requirement of proof of “loss of and loss from damage to Covered Property resulting directly from the Covered Cause of Loss.”220 While the direct loss case law (cited above) focuses on direct loss under employee dishonesty provisions, the computer fraud provision imposes the same burden of proof.221 An insured’s liability for a loss to a third party does not result directly from a covered peril; it results from an operation of law and is therefore outside the scope of coverage afforded by a commercial crime policy.222

Pinnacle Processing Group applied these principles to a computer fraud claim. In that case, the insured suffered a series of chargeback losses and attempted to recoup its loss under a computer crime policy. The insured tried to argue that its debt constituted a covered loss, but the court rejected that argument—holding that the insured’s liability was an indirect loss outside the scope of coverage:

PPG argues that it suffered a loss—in that it incurred a debt—as soon as the fraudulent requests for refunds were issued. The computer fraud provision covers physical losses of both “money” and “securities.” Dkt. No. 23-4, p. 33. The definition of “securities” includes “[e]vidence of debt issued in connection with credit or charge cards, which are not of your own issue.” Thus, argues PPG, “the losses suffered by [PPG] resulted from fraudulent acts which followed and were directly related to the use of a computer because a request for a fraudulent electronic refund credit is clearly evidence of debt.” Dkt. # 37. The Court is not persuaded by this argument. The computer fraud provision by its express terms covers the physical loss of securities, or, “evidence of debt.” To construe the provision as simultaneously covering any gain of a debt to another—which is essentially what PPG argues—would be to read the terms of the policy as providing coverage for exactly the opposite of that which it purports to cover.223

220 ISO CR 00 07 (10 90) (Form F); see, supra, Section III.A.2.
221 2015 U.S. Dist. LEXIS 79358, at *8 n.1 (citing Armburst International Ltd. v. Travelers, No. CA 04-212 ML, 2006 U.S. Dist. LEXIS 25640 (D.R.I. May 1, 2006)) (“the policies cover injury to the insured, not a third party, a fact which significantly differentiates them from liability policies, which, as a rule, indemnify an insured against losses to a third party.”).
222 Pinnacle Processing, 2011 U.S. Dist. LEXIS 128203 at *12-13.

The court held that the loss resulted from the insured’s contractual liability to third parties and therefore, constituted an indirect loss:

Rather, PPG’s loss resulted directly from its contractual obligation to cover any chargeback losses incurred by Merrick Bank, not from computer fraud. PPG’s loss was only indirectly caused by the purported computer fraud. There is no coverage for PPG under the computer fraud provision of its insurance contract with Merrick.224

Taylor & Lieberman v. Federal Insurance Co. reached the same conclusion with regard to a social engineering scheme.225 In that case, the insured accounting firm received emails purportedly from its client, which instructed the firm to wire the client’s funds from her bank account to an account in Malaysia.226 After making two transfers, the insured’s employee noticed the spoofed email address, called the client, and was informed that the client never requested the wire transfers.227 The insured then made a claim for coverage under its commercial crime policy’s computer fraud, funds transfer fraud, and forgery provisions.228 The insurer denied coverage under all three provisions.

In its subsequent lawsuit, the insured argued that it was acting as the bailee or trustee of the funds, and thus, it sustained a direct loss:

223 Id. at *16.
224 Id. at *16-17.
225 No. CV 14-3608 RSWL, 2015 U.S. Dist. LEXIS 79358 (C.D. Cal. 2015).
226 Id. at *3.
227 Id. at *3-4.
228 Id. at *6-7.

Plaintiff contends that its power of attorney over Client’s funds was tantamount to a bailee or trustee power over the funds, and cites Vons, 57 F. Supp. 2d at 941, for the proposition that such a power means that a direct loss occurs when the funds are the subject of fraud. Defendant refutes this argument, contending that Plaintiff was not a bailee or trustee of the funds because they were held not with Plaintiff but in a separate City National bank account, and because the Power of Attorney was not granted to Plaintiff but instead to an individual representative of Plaintiff. (citing Alberts v. Am. Cas. Co., 88 Cal. App. 2d 891, 898-899, 200 P.2d 37 (1948) and Aetna Cas. Sur. Co. v. Kidder, Peabody & Co., 246 A.D.2d 202, 676 N.Y.S.2d 559 (N.Y. App. Div. 1998)). The Court finds Defendant’s reasoning more persuasive.229

The district court agreed with the insurer’s position and held that funds taken from a client did not trigger computer crime coverage because the insured did not suffer a direct loss and its liability to the customer did not constitute a direct loss covered under a crime policy.230 The court noted that:

The Court concludes that the policies at issue in the instant case should be analyzed similarly to indemnity policies that do not provide third-party coverage instead of liability policies that do provide third party coverage, and that as such, Plaintiff has not suffered a “direct loss.”

. . . .

If the funds had been held in an account owned or attributed to Plaintiff, such as an escrow account (see Fidelity Nat’l. v. Nat’l Union, 2014 U.S. Dist. LEXIS 140030, 2014 WL 4909103, at *10 (S.D. Cal. Sept. 30, 2014)) and a hacker had entered into Plaintiff’s computer system and been able to withdraw funds such that Plaintiff’s accounts were immediately depleted, then Plaintiff would be correct in asserting coverage from the Policy. Here, however, a series of far more remote circumstances occurred: Client gave Plaintiff power of attorney over Client’s money held in Client’s own account; a perpetrator of fraud motivated Plaintiff’s agent to use the power of attorney to transfer funds out of Client’s account; Plaintiff discovered this fraud and attempted to recover the funds; Client requested repayment of the lost funds and Plaintiff obliged; Plaintiff now requests Defendant indemnify it for the losses that were transferred from Client to Plaintiff . . . .231

229 Id. at *9 [internal factual citations omitted].
230 Taylor & Lieberman, 2015 U.S. Dist. LEXIS 79358, at *10.

Taylor recognized that a social engineering scheme that results in losses to third parties, or in liability of the insured to third parties, is not covered under the computer fraud provision because that provision only indemnifies the insured for its own direct losses, not the losses of third parties.

The computer fraud insuring agreement is a first-party coverage designed to cover a direct loss to an insured. An insured’s liability, even if due to a computer breach, is not covered because the loss is incidental and thus qualifies as an indirect loss outside the scope of coverage. Therefore, insureds often seek coverage for loss of client funds under other forms of policy that provide liability coverage (i.e., professional liability policies or stand-alone cyber policies).

For instance, a law firm is obligated to ensure that its clients’ funds and confidential information are protected, but law firms are not immune from cyber criminals.232 The threat is real: in April 2016, a prominent international law firm sustained a loss of thousands of clients’ confidential information concerning tax havens and other questionable transactions.233 When a law firm clerk or attorney responds to a social engineering scheme by transferring client funds or releasing client confidential information, it may result in liability for the law firm and trigger coverage under the firm’s professional liability policy.

231 Id. at *9-11 (citing Pestmaster, 2014 U.S. Dist. LEXIS 108416, at *8-10) (no direct loss where a third party obtained insured’s approval to initiate electronic funds transfers from insured’s account and then misused the transferred funds); see, supra section IV.A.1., discussion of Pestmaster and insured’s burden of proving a direct loss.
232 Drew Simshaw, et al., Ethics and Cybersecurity: Obligations to Protect Client Data, ABA, National Symposium on Technology in Labor and Employment Law (March 15, 2015).

Similarly, a social engineering scheme may trigger coverage under a cyber liability policy. For instance, a credit card service provider (the entity that processes the credit card payment between the point of sale and the credit card company) operates under specific security requirements that protect customers’ credit card numbers.234 These companies are routinely attacked by cyber criminals, and successful attacks may result in large losses.235 If an employee is socially engineered into releasing user names, passwords, or confidential credit card information, then the subsequent loss may trigger coverage under the cyber liability policy, because many such policies are designed to cover liability (subject to the terms of the policy).

Recent case law indicates that socially engineered losses may trigger an organization’s commercial general liability (CGL) policy if it does not contain a cyber exclusion. In Travelers Indemnity v. Portal Healthcare Solutions, the insured—a data security firm—sued for coverage under its CGL policy for a lawsuit filed by hospital patients whose confidential information was stolen due to the insured’s alleged negligence.236 The insured negligently secured the patients’ information by not password-protecting it. The Fourth Circuit held that the insurer had a duty to defend the insured under the CGL policy’s personal and advertising injury provisions. This case did not involve a social engineering scheme, but it indicates that an insured could make a claim under its CGL policy (assuming there are no cyber exclusions) for a defense in a third-party lawsuit alleging that the insured’s employees negligently responded to a social engineering scheme.

233 Doug Stranglin, Panama Firm says it is a hacking ‘victim’, USA Today (April 6, 2016), http://www.usatoday.com/story/news/2016/04/06/panama-papers-law-firm-says-hacking-victim/82695208/ (last visited June 30, 2016); Nicole Hong and Rogin Sidel, Hackers Breach Law Firms, Including Cravath and Weil Gotshal, The Wall Street Journal (March 29, 2016), http://www.wsj.com/articles/hackers-breach-cravath-swaine-other-big-law-firms-1459293504 (last visited June 30, 2016).
234 The Payment Card Industry’s Data Security Standards identify the detailed steps a credit card processor must follow. See https://www.pcisecuritystandards.org/pci_security/ (last visited June 30, 2016).
235 Dave Lewis, Heartland Payment Systems Suffers Data Breach, Forbes.com (May 31, 2015), http://www.forbes.com/sites/davelewis/2015/05/31/heartland-payment-systems-suffers-data-breach/#4094005f2985 (last visited June 30, 2016).

The scope of professional, cyber and CGL policy coverage and the nuances of their terms and conditions implicate complicated issues beyond the scope of this article. It is important to note, though, that even if the socially engineered loss of client or customer funds or information is not covered under a commercial crime policy’s computer fraud insuring agreement, the loss could potentially implicate other coverages.

VI. CONCLUSION

Given cyber criminals’ increasing reliance on social engineering schemes instead of direct attacks, an insured faced with a substantial loss may attempt to use the computer fraud, funds transfer fraud, or forgery insuring agreements to obtain coverage. As recent cases demonstrate, these insuring agreements are designed to cover specific risks subject to specific conditions of coverage. It is, therefore, important to fully analyze the nature of the social engineering scheme to determine whether the insured suffered a covered loss.

236 No. 14-1944, 2016 U.S. App. LEXIS 6554 (4th Cir. 2016).