Fraudulent Email Scheme Not Covered Under Businessowners Policy
August 14, 2017
At the beginning of August, the U.S. District Court for the Eastern District of Michigan decided that a manufacturer could not recover $800,000 in funds lost when an employee, after receiving a spoofed email requesting the large payment, mistakenly wired payment for legitimate vendor invoices into a fraudster's bank account. The case is Am. Tooling, Inc. v. Travelers Cas. & Sur. Co. of Am., No. 16012198, 201 U.S. Dist. LEXIS 120473 (E.D. Mich. Aug. 1, 2017).
Travelers Casualty and Surety Company of America (Travelers) provided businessowners coverage for the policyholder, American Tooling Center (ATC). ATC is a tool and die manufacturer that outsources some of its work to overseas vendors. In 2015, the treasurer of ATC received a fake email disguised to look like it came from one of its vendors. The sender's domain had been changed slightly, and the email directed payment for several legitimate outstanding invoices to a new foreign bank account. Without verifying the bank account information, ATC subsequently authorized payments to a bank account it believed to belong to the true vendor. After the $800,000 payment was wired to the account, ATC learned that the payment had been received by fraudsters, and not by the vendor it had intended to pay.
ATC sought coverage from Travelers under a “computer fraud” provision, which stated that the insurer “will pay the Insured for the Insured's direct loss of, or direct loss from damage to, Money . . . directly caused by Computer Fraud.” Travelers denied coverage, stating that ATC's loss was not a “direct loss” “directly caused by the use of a computer.” ATC subsequently filed suit against Travelers, but the District Court agreed with the denial, stating that “the fraudulent emails did not 'directly' or immediately cause the transfer of funds from ATC's bank account. Rather, intervening events between ATC's receipt of the fraudulent emails and the transfer of funds . . . preclude a finding of 'direct' loss 'directly caused' by the use of any computer.” The ruling found that “although fraudulent emails were used to impersonate a vendor and dupe ATC into making a transfer of funds, such emails do not constitute the 'use of any computer to fraudulently cause a transfer.'” To support its ruling, the Court cited cases from other jurisdictions about fraudulent emails, stating “There was no infiltration or 'hacking' of ATC's computer system” and the emails “did not directly cause the transfer of funds; rather, ATC authorized the transfer based upon the information received in the emails.” The Court dismissed the case via summary judgment in favor of Travelers.
Editor's Note: The Court agreed with the denial of this claim because ATC had the opportunity to notice the discrepancy between the proper and improper accounts and failed to determine that the new account was fraudulent. Policyholders, though, should not despair. This case is a sample of the interpretation of the specific policy language, which can vary significantly between cyber-crime policies. It was also decided specifically on Michigan law, and different state laws can be interpreted in vastly different ways. This field of law is likely to evolve swiftly as seemingly legitimate requests for fraudulent transfers become more prevalent.

