Posted on 10/16/2017 at 12:00 AM by John Lande
This blog recently covered the outcome of Medidata Solutions, Inc. v. Federal Insurance, where an insured prevailed against its insurance provider for an email spoofing scam. Even though the insured, Medidata, prevailed and obtained coverage for a $4 million loss, this blog noted that the case should still be a warning because the outcome was based on one judge’s interpretation of a particular insurance policy.
A recent case from Michigan illustrates how easily a case can go the other way. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company, fraudsters tricked a tool and die manufacturer into wiring $800,000 to fraudsters’ overseas bank account.
American Tooling Center (“ATC”) outsourced some its work to a vendor in China. ATC sent work to the Chinese vendor by emailing purchase orders. In return, the Chinese vendor emailed invoices back to ATC. ATC then initiated a wire transfer for the appropriate amount of each invoice.
In early 2015, ATC’s president sent an email to the Chinese vendor requesting a copy of all outstanding invoices. The president received a response with instructions to send payment for the outstanding invoices to a new bank account. ATC’s president had his staff initiate the wire. Before anyone realized what happened, ATC sent $800,000 to fraudsters. ATC attempted and failed to reverse the wire.
The fraudsters used a simple alteration of the Chinese vendor’s email address to trick ATC’s president. The Chinese vendor’s actual email address domain was “yifeng-mould.com,” while the fraudsters sent their emails from “yifeng-rnould.com.” By substituting “rn” for “m,” the fraudsters managed to make their email address appear to be from the Chinese vendor. Only close scrutiny of the email address revealed that the fraudsters’ email was not genuine.
In contrast to the email scheme fraudsters’ used in Medidata, the fraudsters’ scam in ATC’s case is low tech. Nevertheless, it proved equally effective at tricking ATC into sending a substantial payment to fraudsters.
ATC made a claim under the computer fraud coverage of its Travelers insurance policy. Travelers denied the claim and argued that ATC was not the target of “computer fraud.”
Travelers argued ATC did not suffer a “direct loss” from the use of a computer. Rather, Travelers argued ATC’s employees caused the loss when they voluntarily initiated the wire transfer to fraudsters.
The Court agreed with Travelers. The Court acknowledged that while fraudsters used emails to trick ATC employees, the emails were not “use of any computer to fraudulently cause a [wire] transfer.” Since ATC’s computers were not “hacked” or otherwise infiltrated, ATC was not the victim of computer fraud.
Comparing the outcome of this case to Medidata highlights how much these cases depend on the particular facts at issue. In Medidata, fraudsters used a much more sophisticated attack, and Medidata’s claim was covered. In ATC’s case, fraudsters used a much simpler method to spoof an email, and there was no coverage. The Medidata and ATC cases also arose in different federal jurisdictions, and also had slightly different insurance policy language.
These cases highlight the difficulty in relying on any case to guarantee that cyber-insurance will be available in the event of a cyberattack. Organizations need to carefully review their insurance policies, particularly in light of recent litigation, and make sure they are buying adequate insurance coverage.
Organizations also need to understand the limitations of insurance coverage, and implement controls to minimize the risk of loss for uncovered activities. For example, if ATC had a control process that it used to authenticate any vendor bank account change before wiring the money, it might have avoided this loss entirely.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- John Lande