A recent ruling in a Minnesota District Court distinguished between social engineering and computer fraud. Most important for your business: understand your coverage and the pitfalls.
In summary, the victim in this case fell for a garden-variety Business Email Compromise (BEC) wire fraud. Like many of the victims Conduit has worked with, this one had policies and procedures in place. In fact, the CEO made a phone call to the vendor to verify the change in payment instructions! But the vendor did not answer and did not return the voicemail before the CEO sent the wire.
The victim filed a claim against Travelers (its carrier) under both its cyber/computer fraud coverage and its social engineering fraud coverage. The victim lost almost $600,000 to this fraud but had only $100,000 of social engineering coverage (compared to $1,000,000 for computer fraud).
To summarize the ruling, the court found:
- the social engineering and computer fraud coverages are mutually exclusive, and
- this was a social engineering loss, despite facts showing that compromised email accounts played a role in the crime!
From the ruling:
And [victim] would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voice-mail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.
If the fraudulent scheme that victimized [the company] is going to be fragmented into pieces and each piece viewed in isolation, then what “directly caused” loss to [the victim] was not the piece involving the bad actor’s use of the purchasing manager’s account to send the fake invoices, but rather the piece involving the CEO’s use of his computer to act on the fake invoices. That piece—the piece that did “directly cause” a “direct loss” to [the victim]—was social-engineering fraud, not computer fraud…
Based on FBI data, BEC-based wire fraud is causing more losses than ransomware payments. Review your policy (or contact us for a free review) to understand exactly what is covered under social engineering. Does the policy require your team to follow specific verification procedures before wiring funds? Given your typical payment size, is the coverage limit enough in the event of a loss?
Critically, understand that your cyber or computer fraud coverage limit will not apply in these types of events; only the (typically much smaller) social engineering limit will.