Fraudulent Instruction Loss Caused by Social Engineering Scheme Does Not Trigger Computer Fraud Coverage Under Commercial Crime Policy
A Michigan federal district court has held that a fraudulent instruction loss caused by a social engineering scheme did not constitute a “direct loss” that was “directly caused by computer fraud” and therefore did not trigger computer fraud coverage under a commercial crime policy. American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017).
The insured, a manufacturer, sent an email to a vendor requesting copies of all outstanding invoices. In response, the insured received an email purportedly from the vendor, but the email was actually from a fraudster. The fraudster’s email included new banking instructions. Without verifying the changed instructions, and after confirming that the work claimed on the invoices was due and owing, the insured initiated payments totaling $800,000. It later learned of the fraud but was unable to recover the payments. The insured sought coverage under the computer fraud coverage section of its commercial crime policy, but the insurer denied coverage.
In ensuing coverage litigation, the district court granted summary judgment in favor of the insurer. The relevant insuring clause provided coverage for “direct loss . . . directly caused by Computer Fraud.” “Computer Fraud” was in turn defined to include “[t]he use of any computer to fraudulently cause a transfer.” In ruling for the insurer, the court determined that the intervening events between the insured’s receipt of the fraudulent emails and its authorized transfer of funds meant that it did not suffer a “direct” loss “directly caused” by the use of any computer. The court also concluded that while fraudulent emails were used to impersonate a vendor and dupe the insured into transferring funds, those emails did not constitute the “use of any computer to fraudulently cause a transfer” because there was no infiltration or hacking of the insured’s computer, and because those emails did not directly cause the transfer of funds (which instead were transferred based on the insured’s authorized instructions). For those reasons, the court ruled that there was no coverage for the loss, and it granted summary judgment in favor of the insurer.