Fraudulent Instruction: When Scams Prey On Busy Professionals

Posted by Jeffrey Forbes on May 14, 2020 2:00:00 PM

Given the relative newness of cyber insurance policies, comparatively little case law exists interpreting these policies in the context of claims. Courts have sometimes struggled with how to interpret unique policy provisions in the context of variations of computer fraud. While some courts have taken highly technical approaches to the language contained in the policy, other courts have taken a more relaxed approach based on the understanding of the parties. A recent case out of the Eleventh Circuit Court of Appeals highlights these issues. Principle Solutions Group, LLC v. Ironshore Indemnity, Inc. tackled a claim dispute between an insured business and an insurance company involving a cyber claim.

Sophisticated Phishing Scams Prey On Busy Professionals

The case involved a typical phishing scam based on gaining access to a company’s internal email. Once there, hackers mimic the appearance of an email from the Chief Financial Officer or Chief Executive Officer instructing an employee to wire money to an external bank account. In the case at issue, the company’s controller received an email that appeared to be from the company’s managing director. The email informed the controller that she would be receiving an email from an attorney with wire transfer instructions and told her to comply with those instructions promptly. The controller then received a second email from the purported attorney instructing her to wire $1.7 million to a foreign bank account.

A Social Engineering Scam

The sophisticated scam included someone impersonating the attorney over the phone to allay the concerns of a fraud prevention service and to convince the company’s bank to release a hold on the transfer prematurely. The entire scam was completed in under three hours. The company reported the loss to its insurance carrier and law enforcement as soon as the fraud was discovered. The funds could not be recovered.

What is Fraudulent Instruction?

The company’s cyber insurance policy included coverage for “fraudulent instruction.” The specific policy language covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [company’s] transfer account and transfer, pay, or deliver money or securities from that account.” A separate section defined a fraudulent instruction as an “electronic or written instruction which purports to have been issued by an employee of the company.”

The insurance company, however, denied coverage for the claim. The insurance company asserted that the fraudulent instruction received by the controller, purporting to be from an employee, only told her to await instructions from a third party rather than providing the fraudulent instructions directly. To the insurance company, this distinction sufficed to render the claim uninsured.

The Court Finds In Favor Of The Insured

The Court disagreed with the insurance company’s interpretation. According to the Court, nothing in the policy prevented two separate emails from two separate people from participating in the same fraudulent instruction. The insurance company’s technical interpretation of the insurance contract did not stand up to the Court’s scrutiny.
