Cybercriminals Hit Your Inbox—Now What? Recovering Funds After Business Email Compromise and Fraud Schemes

Potomac Law Group, PLLC

The global cyber scam industry is a multi-billion dollar racket run by crime syndicates who often operate through massive compounds known as “scam farms” in far-flung locations.  On our shores, many businesses fall prey to these scammers, who use techniques such as social engineering to fraudulently misdirect payments intended for business counterparties. 

Two examples of social engineering are imposter fraud and “man in the middle” or payment beneficiary change fraud.  In an imposter fraud, the scammer may search a company’s social media and wait for the announcement of a large transaction.  The scammer would then use a spoofed email address appearing to be from the company’s CEO or other high-level executive to email someone in the finance department stating they urgently need to make a subsequent payment required as part of the transaction closing.  The scammer would then provide wire transfer instructions that would result in the company employee sending the funds directly to the scammer. 

An example of a man in the middle/payment beneficiary change fraud involves a malicious actor hacking into a company email account from which invoices are sent and lying in wait to see when a large invoice is due to be sent to a client.  The fraudster then emails the client from the usual account telling the client that the business has changed its bank for payments, and to use new wire transfer instructions it is providing, which, of course, go directly to the fraudster.  Often, these emails will be permanently deleted from the “sent” folder, and email rules will be set up to route any responses to a separate folder to avoid detection. 
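The mailbox rules described above are a detectable artifact. The following is an added example, not code from the article or the firm, that screens a mailbox's rules for the hiding pattern: payment-related keyword conditions paired with silent deletion or auto-filing into rarely viewed folders, or forwarding outside the organisation. The rule format, the folder list and the sample rules are constructed for the example and do not come from any real mail platform export.

```python
import re

# Terms a fraudster's rule typically keys on so that client replies about
# the changed bank details never reach the Inbox (constructed list).
PAYMENT_TERMS = re.compile(r"\b(invoice|wire|payment|bank|account|remit)\b", re.I)
# Folders users seldom open; a common parking spot for diverted replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk",
                  "deleted items", "conversation history"}


def rule_reasons(rule, internal_domain):
    """Return a list of reasons a single rule looks like BEC tampering (empty if clean).

    rule is a dict with keys: name, condition (free text), action
    ("move" | "delete" | "forward"), and optionally folder, to, mark_read.
    """
    reasons = []
    action = rule["action"]
    keyworded = bool(PAYMENT_TERMS.search(rule.get("condition", "")))
    folder = rule.get("folder", "").lower()
    # External auto-forward is suspicious regardless of keywords.
    if action == "forward" and not rule.get("to", "").lower().endswith("@" + internal_domain.lower()):
        reasons.append("forwards mail outside %s to %s" % (internal_domain, rule.get("to")))
    # Keyword conditions are only alarming when combined with a hiding action.
    if keyworded and action == "delete":
        reasons.append("silently deletes payment-related mail")
    if keyworded and action == "move" and folder in HIDING_FOLDERS:
        reasons.append("files payment-related mail into '%s'" % rule.get("folder"))
    # Near-empty rule names ('.', ',') are a known tell, but only worth noting alongside a hiding action.
    if reasons and len(rule.get("name", "").strip()) <= 2:
        reasons.append("rule name is nearly empty")
    return reasons


def scan_rules(rules, internal_domain):
    """Map the name of every flagged rule to its reasons."""
    findings = {}
    for rule in rules:
        reasons = rule_reasons(rule, internal_domain)
        if reasons:
            findings[rule.get("name", "")] = reasons
    return findings


# Constructed sample: two benign rules and three that match the fraud pattern.
SAMPLE_RULES = [
    {"name": "Client invoices", "condition": "subject contains 'invoice'", "action": "move", "folder": "Clients/Invoices"},
    {"name": "Newsletters", "condition": "from contains 'news@'", "action": "delete"},
    {"name": ".", "condition": "body contains 'wire' or 'bank'", "action": "move", "folder": "RSS Feeds", "mark_read": True},
    {"name": "Cleanup", "condition": "subject contains 'payment'", "action": "delete"},
    {"name": "Backup", "condition": "", "action": "forward", "to": "acct.backup@example.net"},
]

if __name__ == "__main__":
    for name, why in scan_rules(SAMPLE_RULES, "example.com").items():
        print(repr(name), "->", "; ".join(why))
```

Reviewing rules this way after any suspected account compromise, and alerting on their creation, catches the diversion before the client's "is this new account right?" reply is lost.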

These scams are becoming ever more sophisticated, in some instances involving the use of AI deepfake technology to impersonate company executives or business counterparties through telephone or videoconference instead of simply using email.  As funds are often unrecoverable by the time the fraud is detected (with the time to stop a wire transfer sometimes less than one day), disputes between the business counterparties to or from whom the payment was to be sent, or one of the business counterparties and its computer fraud insurer, often arise over who must bear the liability for the lost funds. 

Loss Allocation Amongst Business Counterparties

The business that was supposed to get paid by its client, but did not because the funds were fraudulently misdirected, will often make a demand on its client to pay the funds it did not receive.  The client, in turn, often feels that it has already made a payment and should not have to make another one, especially if the computer breach from which the scam arose occurred from the other side.  Where these cases have gone to court, two standards have arisen to determine the allocation of the loss: the strict liability standard and the comparative fault or “best position to avoid the loss” standard.

Under the strict liability standard, the party that was contractually liable to make the payment is on the hook to make the payment regardless of whose security breach may have given rise to entry of the fraudulent interloper and whether the party fully acted in good faith.  Thus, a customer who is contractually required under terms of sale to make payment for goods provided to its supplier, but is fraudulently misdirected to make payment to a scammer due to a breach of the supplier’s email systems, is fully liable to bear the loss occasioned by the fraud.

Under the comparative fault/“best position to avoid the loss” standard, a court will undertake a fact-specific analysis of which party’s acts or omissions were most likely to have caused exposure to the scammer, and thus who would have been in a better position to avoid the scam.  Factors the court will consider include use of industry-standard IT security and policies, the number of communications with the fraudulent interloper and whether the party communicating with the imposter ignored multiple obvious red flags, the use of dual channel payment beneficiary change confirmations (i.e., requiring that any wire transfer instruction changes be confirmed both in writing and by phone with a pre-existing contact), and any heightened awareness due to prior security breaches.  Businesses wishing to reduce their liability to bear the loss in these types of scams should consider whether they are up to date with best IT security practices and policies and have educated their employees on methods used by scammers and red flags to heed.
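The dual channel confirmation mentioned above only works if the phone call goes to a contact that existed before the change request, never to a number supplied in the request itself. The following is an added example, not code from the article or the firm, that encodes that rule as a check an accounts-payable system could run before updating wire instructions. The vendor record, request fields and sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class VendorRecord:
    name: str
    account: str
    verified_phone: str        # contact established independently of any change request
    phone_on_file_since: date  # when that contact was recorded


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    received: date
    phone_in_request: Optional[str] = None   # number the email asks us to call, if any
    written_confirmation: bool = False       # second written confirmation obtained
    callback_to: Optional[str] = None        # number actually dialled
    callback_confirmed: bool = False         # counterparty confirmed the change by phone


def evaluate_change(req: ChangeRequest, record: VendorRecord) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Both channels must pass, and the phone channel
    must use the pre-existing number on file, not one provided with the request."""
    reasons = []
    if req.new_account == record.account:
        reasons.append("requested account matches the account already on file")
    if not req.written_confirmation:
        reasons.append("no written confirmation on file")
    if not req.callback_confirmed:
        reasons.append("no phone confirmation on file")
    if req.callback_to is not None:
        if req.phone_in_request and req.callback_to == req.phone_in_request:
            reasons.append("callback used the number supplied in the request")
        elif req.callback_to != record.verified_phone:
            reasons.append("callback did not use the verified number on file")
    if record.phone_on_file_since >= req.received:
        reasons.append("number on file was recorded after the request; not a pre-existing contact")
    return (not reasons, reasons)


# Constructed sample: the phone in the email is the fraudster's, and the clerk called it.
VENDOR = VendorRecord("Acme Supply", "111-222", "+1-555-0100", date(2022, 3, 1))
BAD_REQUEST = ChangeRequest("Acme Supply", "999-888", date(2024, 6, 10), phone_in_request="+1-555-0199",
                            written_confirmation=True, callback_to="+1-555-0199", callback_confirmed=True)
GOOD_REQUEST = ChangeRequest("Acme Supply", "999-888", date(2024, 6, 10), phone_in_request="+1-555-0199",
                             written_confirmation=True, callback_to="+1-555-0100", callback_confirmed=True)
```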

Loss Allocation Between Insurers and Insureds

Following a cyber scam incident, businesses are advised to carefully consider potential insurance coverage.  Two potential types of insurance that a business may have are “cyber” insurance, which typically includes both first- and third-party coverage agreements addressing various types of cyber and privacy-related risk, and commercial crime insurance policies, which typically include insuring agreements dedicated to protecting against “computer crime” and “funds transfer fraud.”  As in other insurance contexts, coverage issues can be fact-specific and complex.  By way of one example, commercial crime insurers typically point to “direct loss” and “directly resulting” verbiage present in many commercial crime insuring agreements to argue that social engineering scams do not trigger coverage.  Specifically, the insurers claim that social engineering does not present a sufficiently “direct” loss because the victim acts of his or her unwitting volition—in contrast to a purposeful “hack” into the computer system. (A typical insuring agreement may state, for example, that the insurer will pay for “loss of …. Money … resulting directly from the use of any computer to fraudulently cause a transfer ….”).  While the case law presents a mixed bag for business insureds, the better reasoned cases reject insurer attempts to unreasonably narrow policy language in a way that frustrates the insured’s reasonable expectations of the coverage it purchased. 

As the case law develops in this area, businesses are encouraged to identify and carefully consider insurance before an incident, including commercial crime, cyber, fidelity, and errors and omissions coverages, among others, considering the scope of coverage, the adequacy of any sub-limits, policy conditions, and exclusions, to ensure that the coverage reasonably meets the reality of risk, and does not present unreasonable hurdles to securing coverage.

Following an incident, companies are advised to carefully consider the best strategy for pursuing coverage—including factoring in critical analysis on choice of law and venue—in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Potomac Law Group, PLLC
