Social engineering fraud occurs when impostors manipulate employees via fraudulent emails into voluntarily parting with the company’s money. For example, a fraudster may impersonate a client or someone of authority within the company in order to compel an employee into transferring money into the fraudster’s bank account.
This type of fraud may be covered under one of the company’s insurance policies. It is, however, not always clear under which specific coverage the fraud must fall, if it does at all. The Quebec Superior Court recently rendered a decision that may provide useful guidance in that regard. In Future Electronics Inc. (Distribution) Pte Ltd. c. Chubb Insurance Company of Canada, the court indeed elaborated on the various distinctions between “computer fraud by a third person,” “funds transfer fraud” and “social engineering fraud.”1
Company tricked to voluntarily transfer money
The facts leading to the Superior Court decision are rather typical. A fraudster impersonated the CFO of a supplier of the company and emailed an employee in the company’s accounting department in order to change the supplier’s banking details. The employee asked for an official letter in that regard and the fraudster provided a forged letter with new wire transfer instructions to be used for upcoming payments. The fraud led to numerous money transfers that totalled nearly $2.7 million US before the scam was finally discovered.
The company filed a claim with one of its insurance companies under an executive protection policy. The insurer took the position the claim was not covered under the “computer fraud by a third person” coverage, nor under the “funds transfer fraud” coverage. According to the insurer, the loss was covered under the “social engineering fraud” coverage, which was capped at $50,000 US.
The company challenged the insurer’s interpretation of the policy before the Quebec Superior Court. The court, however, sided with the insurer and held that the loss was only covered under the $50,000 US “social engineering fraud” coverage.
Computer fraud by a third person and funds transfer fraud coverage not available
According to the court, the loss was not covered by the computer fraud by a third person coverage. This coverage was defined as the unlawful taking of money through using a computer system. The court held that this definition referred to the direct act of stealing money through a computer, and not to a situation where, as here, the fraudster duped the company’s employee into voluntarily transferring money into the fraudster’s bank account.
The court then examined whether the loss was covered under the funds transfer fraud coverage. Once again, the court sided with the insurer and held that this coverage was not available to the insured. This coverage was defined as fraudulent instructions issued to a financial institution directing such institution to transfer money from an account maintained by an insured without the insured's knowledge or consent.
According to the court, this coverage is only triggered when the insured’s bank is tricked into transferring money following instructions that were not the insured’s, and which the insured neither had knowledge of nor consented to. In the present case, however, the fraudster never issued fraudulent wire transfer instructions to the company’s financial institution without the company’s knowledge or consent. On the contrary, the financial institution made the payments in question in accordance with instructions expressly authorized by the company.
Court: a case of social engineering fraud
As discussed above, the court held that the loss was actually covered by the social engineering fraud endorsement. This coverage had been presented to the insured as a new endorsement that broadened the coverage afforded under the policy and was to apply where the loss resulted from an insured having transferred, paid or delivered any money as the direct result of social engineering fraud committed by a person purporting to be a vendor, client, or an employee authorized by the insured to instruct other employees to transfer money. The concept of social engineering fraud was defined as the intentional misleading of an employee, through misrepresentation of a material fact that is relied upon by an employee, believing it to be genuine.
The court was of the view that the social engineering fraud endorsement explicitly covered the insured’s volitional transfer of funds resulting from a fraudulent scheme perpetrated by a third party who impersonated a legitimate vendor. In reaching its decision, the court relied upon the fact the social engineering fraud loss scenarios described in the brochure provided to the company with the endorsement were very similar to the facts at hand.
Since the endorsement provided for an exclusion stipulating that the social engineering fraud coverage did not afford coverage for loss covered under the computer fraud and funds transfer fraud coverages, the court dismissed the company’s argument that the policy could reasonably be construed to afford double coverage and concluded that the only coverage available to the company was the $50,000 US provided under the social engineering fraud coverage.
As online fraud keeps spreading across the world, this Quebec Superior Court judgement provides useful guidance regarding whether loss resulting from such online fraud can be the subject of insurance coverage and, if so, under which specific insuring agreement.