Court Holds Social Engineering Fraud Does Not Trigger Computer Fraud Coverage

August 23, 2022

The United States District Court for the District of Minnesota, applying Minnesota law, has held that an insured’s loss resulting from the insured’s payment of fraudulent invoices received from a bad actor who hacked into the insured’s email system constituted social engineering fraud and did not trigger the policy’s computer fraud insuring agreement. See SJ Computers, LLC v. Travelers Cas. & Surety Co. of Am., 2022 WL 3348330 (D. Minn. Aug. 12, 2022).

The insured, a computer company, was defrauded when a bad actor compromised the email account of the insured’s purchasing manager and sent fraudulent vendor invoices to the insured’s CEO for payment. After a failed attempt to contact the vendor to confirm the new payment instructions provided with the fraudulent invoices, the CEO made the wire transfers, which went to the bad actor.

The insured sought coverage for the loss under a crime insurance policy, which contained a social engineering fraud insuring agreement and a computer fraud insuring agreement. The insured originally sought coverage under the social engineering fraud agreement, but later sought coverage under the computer fraud agreement, which contained a significantly higher limit of liability. The insurer denied coverage under the computer fraud agreement. Coverage litigation ensued.

The court held on a motion to dismiss that the insured’s loss fell “squarely” within the social engineering fraud agreement, noting that the insured’s arguments to establish coverage under the computer fraud agreement ranged from “creative to desperate[.]” First, the court held that the insured’s loss did not fall within the definition of “computer fraud,” which defined computer fraud as “an intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a [c]omputer [s]ystem” but excluded any “entry or change . . . made in reliance upon any fraudulent . . . instruction[.]” The court held that the CEO’s conduct fell precisely in the carve-out to the definition. Second, the court held that, even if the bad actor’s hacking could be distinguished from the CEO’s acts, which the court “seriously doubt[ed],” the hacking did not “directly cause” a “direct loss.” That is because the insured “did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages” and “would never have suffered a penny of financial loss if the CEO had not opened those email messages.” Thus, the court held that no coverage existed under the computer fraud insuring agreement. The court also noted that while other Minnesota case law interpreted “direct,” those cases were distinguishable as they were not decided in the context of computer fraud or social engineering fraud.

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek