
$600K Phishing Attack Not Covered By Computer Fraud Policy


September 6, 2022

The operative term for what happened to a company called SJ Computers is a BEC (“business email compromise”) attack, sometimes loosely called a spear phishing attack. When it happened to SJ Computers, at a cost of nearly $600,000, the company sought coverage under what was described in the ensuing coverage litigation as a crime insurance policy.

A BEC attack, as defined by security company Redscan (part of the Kroll organization), is a “highly targeted phishing attack designed to compromise a specific individual, usually a system administrator or high authority individual such as a C-level executive.” In this case, an attacker used a real (compromised, rather than spoofed) email account to get fake invoices routed to the company’s CEO, who called the vendor for confirmation. He got no response before what he had been told was a payment deadline, so he went ahead and initiated two wire transfers totaling $593,555. By the time the ruse was discovered, the payments had cleared.

The Travelers policy at issue included two types of coverages, one for computer fraud and the other for “social engineering fraud,” and in its initial filing the company claimed the latter. But when, as the judge in a federal district court in Minnesota couched it, the company realized the policy limit on computer fraud was 10 times higher, it “made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud…but instead the result of computer fraud.”

In dismissing the case, the judge noted there was little precedent that addressed the issue. Between them, the two parties were able to cite only three cases that analyzed “the concept of direct causation in the context of computer or social-engineering fraud.”

An article about this matter in The Register, a UK-based technical news website, includes extensive quotes from the judge’s order and concludes that this case “is less of a litmus test for the future of legal disagreements around social engineering insurance payouts, and more an examination of a close reading of contracts.”
