Business Email Fraud: Who's Liable?Manufacturer Sues Insurer for Failing to Cover Fraud Losses
See Also: Threat Intelligence - Hype or Hope?
AFGlobal subsequently filed a claim with its insurance company, Federal Insurance Co., a division of Chubb Group. But the insurer denied that claim, stating that business email fraud does not meet the definition of "computer fraud" covered by AFGlobal's policy.
AFGlobal has now filed a lawsuit against Federal Insurance in a Texas district court, seeking damages and attorneys fees, claiming breach of contract and "bad faith insurance practices."
Fraud and legal experts have a close eye on this case because it raises an important legal question: Who is responsible for fraud losses in a case of business email compromise?
"It will be difficult for [AFGlobal] to prevail in court," says attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost. "The basic premise of cybercrime insurance and cybersecurity insurance are that they protect against losses incurred by a third party. In all of these business email compromise or CEO fraud cases, it is an internal person willingly transferring funds out the back door."
The Legal Battle
Neither AFGlobal nor Federal Insurance responded to Information Security Media Group's request for comment about the case, which was filed in Harris County District Court on Jan. 4. But here are the details of the conflict, as provided by AFGlobal in its lawsuit:
Ameriforge Group Inc., doing business as AFGlobal Corp., was hit by a business email compromise attack on May 21, 2014, the firm claims. An accounting employee at AFGlobal fell victim to the scheme after receiving an email that appeared to come directly from the company's CEO, requesting an urgent wire transfer. Ultimately, the employee approved and scheduled a $480,000 wire transfer to an account in China.
But it wasn't until May 27 that the employee grew suspicious. That is when another urgent wire transfer, this time totaling $18 million, was requested in an email purporting to come from the CEO.
At that time, he alerted his supervisors, and the incident was reported to AFGlobal's bank, Bank of America, as fraud. A claim shortly thereafter was filed with Federal Insurance, the lawsuit states.
The attack was waged with emails that requested the employee break standard wire-transfer protocols to keep the transfer quiet, the company says in its lawsuit.
Now AFGlobal is asking for a $1 million payout, claiming that its "computer fraud coverage," which covers losses up to $3 million, should cover this fraudulent wire.
In a July 2014 letter Federal Insurance sent to AFGlobal regarding the incident, the insurer notes that business email fraud does not meet the definition of "computer fraud" that's covered by AFGlobal's policy.
"Computer fraud means the unlawful taking of money, securities or property resulting from a computer violation," the insurer notes.
The insurer also points out that because the wire transfer was requested and scheduled via email, it does not fall under the policy's coverage.
"Forgery coverage provided under computer fraud coverage requires that any alleged forgery or alteration is covered only if it is on a financial instrument," the insurer states. "Even if an electronic signature on an email qualifies as a forgery, and we do not agree that it does, there would be no coverage ... because the email is not a financial instrument."
Opinion: Lawsuit Faces Tough Fight
Some legal experts say this lawsuit - and any others attempting to gain insurance coverage for fraud losses tied to business email compromises - will likely fail.
That is because fraud losses linked to these types of schemes generally aren't covered by cyber insurance or other types of insurance policies. Business email compromise schemes involve the voluntary approval of wire transfers that were fraudulently requested, rather than hackers taking over accounts to schedule fraudulent wires - and that difference is a critical factor.
David Bradford, who published a 2012 survey that addresses cyber-insurance for the risk information management society, notes most insurance policies don't cover business email compromise losses (see Coming of Age of Cyber Insurance).
"A Betterley Report found that only eight out of 31 cyber-insurance providers offered the coverage," he says.
Because insurance policies are unlikely to cover losses that result from a business email compromise attack, it's critical that businesses understand how to mitigate their risks.
Business email compromise attacks are posing increasing risk of significant financial loss for businesses worldwide. In fact, the Federal Bureau of Investigation last year issued a warning about these incidents, which typically involve spoofed emails feigning to be from upper management instructing an employee in the accounting department to schedule urgent wires.
Whose Problem Is It?
Commenting on the lawsuit, Markus Jakobsson, founder of ZapFraud, which provides phishing detection and blocking services, says that one of the most significant insights of this case is that no one thinks that it is their problem.
"The insurance company thinks it's not their fault, because the business sent this money to somebody else," Jakobsson says. "And then [AFGlobal] sees that something bad happened to them and they have insurance, so this must be something that is covered by insurance. But what no one is talking about is how we prevent this from happening in the first place."
Socially-engineered schemes, including business email compromise attacks, can be mitigated with technology and training, Jakobsson says. By setting up email filters that detect certain words and phrases that are typically used in these types of attacks, businesses can significantly reduce their risk, he contends.
Of course, employees also have to be educated about what these attacks are and how they are typically waged, Jakobsson says.
"Email scams are growing 3 to 4 percent each year," he says, with business email compromise attacks going up 200 percent each year. "Business email compromise has seen a dramatic rise from 2011 to 2015 - and these attacks actually started in 2009. And why are these attacks on the rise? The reason is simple: There is so much money, and there are so few countermeasures."