Applying Texas law, the United States Court of Appeals for the Fifth Circuit has held that a business email compromise loss involving social engineering did not “result directly from the use of any computer to fraudulently cause a transfer” and thus did not trigger Computer Fraud coverage under a commercial crime insurance policy. Apache Corp. v. Great American Ins. Co., 2016 WL 6090901 (5th Cir. Oct. 18, 2016)
In March 2013, the insured, a large oil and gas exploration and production company, received a telephone call from a person identifying herself as a representative of one of the insured’s legitimate vendors. The caller instructed the insured to change the account information for its payments to that vendor. The insured’s employee replied that the request could not be processed without a formal request on the company’s letterhead, and a week later, the insured received an email from a similar, but inauthentic, domain name – that had been created by the criminals to send a fraudulent email. The email included an attachment with instructions on the vendor’s letterhead to change its account information. The insured subsequently paid legitimate invoices from the vendor, albeit to the bank account belonging to the fraudster. While the company was able to recover some of the $7 million paid to the fraudster’s account, it failed to recover approximately $2.4 million.
The insured then sought coverage under the “Computer Fraud” provision of its crime insurance policy. In relevant part, that provision covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer.” The insurer denied coverage on the grounds that the insured’s “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” A coverage dispute ensued, and the district court granted summary judgment in favor of the insured after ruling that the fraudulent email was a “substantial factor” in the scheme. In so doing, the court rejected the argument that coverage under the policy was limited to losses caused by computer hacking.
On appeal, the Fifth Circuit reversed the decision and rendered judgment for the insurer. The court recognized a “cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use,” and it found that authority persuasive. The court determined that the “computer use” at issue here “was an email with instructions to change a vendor’s payment information.” While the court acknowledged that the use of “email was part of the scheme[,] … the email was merely incidental to the occurrence of the authorized transfer of money.” The court further noted that “[t]o interpret the computer-fraud provision as reaching any fraudulent scheme in which an email communication was part of the process would … convert the computer-fraud provision to one for general fraud.” On that basis, the court ruled that the business email compromise loss caused through social engineering did not “result directly from the use of any computer to fraudulently cause a transfer.”