A cyber-criminal hacks into your company’s network, takes control of the CEO’s email account, and sends instructions to the CFO to transfer monies to a given bank account. The CFO, believing he is acting on orders from the CEO, does it. Only the next day does he learn that the CEO had nothing to do with the email. By then, of course, the money is gone.
This scam, known as a business email compromise (BEC), is on the rise. The FBI reports that there have been more than 22,000 BECs since 2013, with combined losses in excess of $3 billion. There have been victims in all 50 states and over 100 countries. One recent victim, Ubiquiti Networks, Inc., lost $46.7 million!
Not surprisingly, BECs raise a host of insurance issues. The latest reminder of that comes in a case filed recently in federal court in Texas – Quality Sausage Company v. Twin City Fire Insurance Co., No. 17-cv-00111 (S.D. Tex. 2017). There, QSC’s Chief Administrative Officer received an email that appeared to come from a client, instructing her to send $1 million to a bank account out-of-state. She did it. Two days later, when the fraudster attempted to trick her again with a similar email, she called the client and learned that the client had not instructed either transfer. Ouch. QSC sought coverage from its carrier, Twin City Fire, which denied the claims. Not accepting that answer, QSC filed suit.
While it is too early to know how the QSC/Twin City Fire dispute will play out, similar cases have been springing up all around the country over the last several years with mixed results. Many commercial policies will not cover BECs because the insured (though duped) wired the funds voluntarily. Cyber policies may cover BEC’s, but as is always the case, it depends on the policy. In a 2015 survey by the Betterley Report, only 8 of 31 leading cyber insurance providers covered fraudulent wire transfers.
This is a rapidly evolving area to which insurers and policyholders alike should be paying attention. And, if you take nothing else from this blog post, remember this – if you receive an email instructing you to transfer money, talk to the sender in person or by phone before releasing the funds. Always better safe than sorry.