Businesses hit by wire transfer scams are increasingly finding it difficult to get their claims paid under their insurance policies unless they have either a crime or cyber insurance policy that covers “computer fraud.”
Wire fraud occurs when an employee is duped by someone posing in an e-mail as a company executive or trusted client into wiring funds into the fraudster’s account. Courts around the country have held that this type of fraud is covered under the computer fraud portion of policies, which is a big win for policyholders.
If you want to ensure that you are covered against this increasingly common crime, you should review your insurance policies, particularly if you have crime or cyber insurance. If you don’t have one these policies, you may be out of luck if your company has funds stolen in this manner.
How wire transfer fraud works
- Criminals identify the individual in the company who can authorize a wire transfer, such as a senior manager or owner. They may also identify a person in one of the company’s trusted clients.
- Once they know who can authorize a transfer, they will work to compromise their e-mail account through malware or other means so they can hijack it and send e-mails from it. Alternatively, they may set up an e-mail account with an address that closely resembles that of the authorized individual.
- The scammers then use the e-mail account to send messages to employees and instruct them to wire funds to a designated account, and — poof — the money’s gone after the employee complies.
What the courts are saying
Courts have mostly found that computer fraud provisions under cyber and crime insurance policies cover this type of fraud, according to a recent blog by two partners at the law firm of Cohen Ziffer Frenchman & McKenna in New York. They noted that:
- In 2018 and 2019, the Second, Sixth and 11thS. District Courts all found in three separate cases that an insurer’s computer fraud coverage must pay for the losses of policyholders who have been hit by this type of crime.
The courts rejected insurers’ arguments the computer fraud portion of their policy was negated when employees took specific action to initiate the wire transfers.
- In 2022, the Ninth U.S. District Court found that a $200,000 loss suffered by a property management company was the result of computer fraud and was hence covered under two parts of their insurance policy: under the computer fraud and funds transfer fraud provisions.
- Also in 2022, the U.S. District Court in Alaska found that the city of Unalaska’s crime insurance policy’s computer crime and “impersonation fraud” provisions would both cover a $638,000 loss the city suffered in a wire-transfer fraud event.
The insurer had contended that only the impersonation fraud coverage (which had a limit of only $100,000) applied and not computer crime coverage, which had a $1 million limit. The court disagreed and ordered that the insurer pay the entire claim of $638,000, minus the $25,000 deductible.
Cohen Ziffer writes: “The Unalaska decision represents a significant win for policyholders who seek coverage for wire fraud losses beyond their policy’s “social engineering” or “impersonation” coverages and reaffirms the long-held rule that these types of losses fall squarely within the “computer fraud” coverage provided by many crime and cyber policies.”
What you can do
If you have cyber insurance, you should sit down with us so we can help you review your policy to see if and how it would cover this type of attack. A policy may specifically cover wire transfer fraud under separate social engineering or impersonation fraud coverage, which often will have lower liability limits than the computer fraud portion of the policy.
Also, premiums have been rising quickly for cyber insurance and some insurers may scale back coverage for wire transfer fraud as these crimes grow. It’s doubly important that you know what your policies will cover. For some companies a robust cyber-crime policy may be enough.