Phishing Fraudulent Wire Transfer Not Covered by Insurance
Cyber risks are a daily threat to all business operations. Ever-increasing cyber threats are the norm. Police authorities have warned about the most common cyber risk, which involves fake emails. The scam is carried out by sending a fake email (phishing) targeting businesses that perform wire transfer payments. For example, an email that appears to be from a legitimate supplier’s executive is sent to an employee of the buyer’s company asking that payments of their invoices now be directed to a different bank account. Such a transfer was found not to be covered by insurance in the case of The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413 (The Brick v Chubb).
In August of 2010 an individual called The Brick Warehouse LP’s (the “Brick”) accounts payable department and spoke with an employee. The caller indicated he was from Toshiba and that he was missing some payment details. He indicated that he was new to Toshiba and the Brick employee, being helpful, faxed some payment documentation to a number provided by the caller.
On August 20, 2010, a different individual in the Brick accounts payable department received an email from an individual with the name “R. Silbers” and an email address of silbers_toshiba@eml.cc. The individual claimed to be the controller of Toshiba Canada and indicated that Toshiba had changed banks from the Bank of Montréal to the Royal Bank of Canada. The email indicated that all payments should be made to the new account and provided the necessary information to transfer money into the account.
On August 24, 2010 a person phoned the Brick’s accounts payable department. That individual spoke to the same employee who received the August 20 email. The individual wanted to confirm the transfer of banking information.
After the phone call, the employee changed Toshiba Canada’s bank information on the Brick’s payment system to reflect the Royal Bank account information. The employee followed the Brick’s standard practice on changing account information and the paperwork was reviewed by another Brick employee. Nobody from the Brick ever took any independent steps to verify the change in bank accounts. Nobody contacted the Royal Bank, and nobody contacted Toshiba.
As a result of the change in banking information, payments that should have gone to Toshiba Canada were now going to the mysterious Royal Bank account. A total of ten Toshiba invoices were paid. The total amount transferred to the Royal Bank account was $338,322.22.
The scam was discovered when Toshiba Canada called The Brick asking why their invoices had not been paid.
The police discovered that the Royal Bank account belonged to an individual in Winnipeg who was also the victim of fraud. He had been convinced by an individual purporting to be in Dubai to receive the money as part of a business investment and then transfer some of the money to the individual in Dubai. As a result of the investigation, the Brick was able to recover $113,847.18 of the fraudulently transferred funds.
The Brick made a claim to Chubb Insurance for $224,475.14. This represented the total amount transferred less the amount recovered. Chubb Insurance denied coverage. The Brick contended that its loss should be covered as it fell under the umbrella of funds transfer fraud. The policy defined funds transfer fraud as follows:
Funds transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.
The court referred to some U.S. decisions on the issues raised, noting at paragraphs 21 and 22:
The defendant [Chubb Insurance] in this action seeks to have the court follow the decision of an American case from the United States District Court for the Central District of California, Taylor and Lieberman v Federal Insurance Company, 2:14-cv-03608, unreported. I note that Federal Insurance Company is related to Chubb Insurance. In the case, the Ninth Circuit Court of Appeals examined a case with very similar facts. Emails were sent to a company employee who then acted upon them, transferring money out of the insured’s account. The emails were fraudulent. The court held that the insurer was not liable because the Taylor and Lieberman employee requested and knew about the transfers. Although the employee did not know that the email instructions were fraudulent, the employee did know about the transfers.
There are other similar pending cases in the United States. It is notable all of the decisions absolving the insurance company of liability seem to involve Chubb Insurance or one of its affiliated companies.
The Brick contended that the policy provision stated that Chubb Insurance would pay for direct loss resulting from funds transfer fraud by a third party, and that the focus should be on the fraud itself and not on the fraudulent instructions. The judge noted that, while it is true that the clause in question did state that, the clause must be examined in conjunction with the definition of funds transfer fraud contained in the contract. That definition included the words “insured’s knowledge or consent”. There was no definition in the contract of either the term “knowledge” or “consent”. There was no mention anywhere in the insurance policy of the term “informed consent”. The judge noted that if the policy had contained these words, it was unlikely that the parties would be before the court. The judge reiterated that, where a word or a term is undefined, the word should be given its “plain, ordinary and popular” meaning, “such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it.”
The Court held at paragraph 25:
Even if the Brick did not consent to the funds transfer, there is still the issue of whether the transfer was done by a third party. Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions, however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.
One of the decisions from the U.S. examined by the Court was Medidata Solutions, Inc. v. Federal Insurance Company, No. 1:15-cv-00907 (S.D.N.Y. Mar. 10, 2016), which was then pending before the court in New York. Employees at Medidata Solutions Inc. (“Medidata”) were deceived into transferring $4.8 million to a foreign bank account based on emails appearing to come from a Medidata executive. Federal Insurance Company insured Medidata under a crime policy providing coverage for computer fraud, forgery, and funds transfer fraud. The policy provided coverage against loss from “the unlawful taking of fraudulently induced transfer of money” resulting from “fraudulent electronic … instructions” directing a financial institution to pay funds without the knowledge or consent of the organization purportedly issuing instructions.
Federal Insurance Company denied coverage, stating that its policy covered involuntary transfers effected by hackers, forgers and imposters, not voluntary transfers effected by authorized signatories.
Interestingly, less than a month after Brick v Chubb was rendered, the Medidata decision was handed down by the Southern District of New York (see Medidata Solutions Inc. v Federal Ins. Co, Case No 15-CV-907 (SDNY July 21, 2017)). The Court in Medidata held that, while the employee did knowingly carry out the transfer in this case, the “funds transfer fraud” insurance still applied. In the Court’s opinion, stealing through a trick is still stealing, and the fraudster being a step removed from the actual transfer was not sufficient to deny coverage.
Cyber coverage litigation is relatively new and it remains to be seen whether the reasoning in Brick v Chubb or the Medidata decision will eventually prevail. In the meantime, companies should implement some practical steps to avoid falling victim to these scams:
a) Always verify any requested changes. Contact your vendors/customers using your old contact information.
b) Emails directing payment should get special attention and scrutiny. Examine email addresses closely. Beware of emails with extensions that are similar to the company email but not exactly the same. For example, “.co” instead of “.com”.
c) Be wary of requests for secrecy or urgent action.