Companies of all sizes have fallen victim to attacks whereby fraudsters will use deceptive communications, such as spoofed emails, to trick an employee into transferring money into the fraudsters’ control. While these increasingly prevalent schemes are an ever-present risk for businesses, the body of case law finding these losses covered under crime insurance policies continues to develop. In a previous post, we discussed decisions from the Second Circuit and Sixth Circuit that have found coverage under crime policies for phishing-related losses. Now, with its decision in Principle Sols. Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), the Eleventh Circuit has held that such losses are covered by policies insuring against fraudulent instructions.
The facts of Principle followed a pattern seen in many phishing schemes. A fraudster, impersonating Principle Solutions Group, LLC’s managing director, sent the company’s controller an email requesting that she work with a specified lawyer to make a wire transfer in connection with an acquisition. Id. at 888-89. That fake lawyer then emailed the controller with wire instructions. Id. at 889. The fraud protection service at Wells Fargo put a hold on the wire and asked the controller to verify its legitimacy. Id. The controller then confirmed with the fake lawyer, by phone, that the managing director had approved the transaction, and after she relayed that information to Wells Fargo, the hold was lifted and the money was transferred to the fraudster’s bank account in China. Id. Only two hours after the initial email, Principle had lost $1.7 million.
Principle sought coverage under its crime insurance policy which protected against losses resulting from fraudulent instructions. Specifically, it covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account, and transfer, pay or deliver money or securities from that account.” Id. A “fraudulent instruction” was defined as an “electronic or written instruction initially received by [Principle], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [Principle’s] or the employee’s knowledge or consent.” Id. at 890.
In denying coverage, the insurer asserted that (1) the email that purported to be from the managing director did not trigger coverage because it did not instruct the controller to wire a specific amount of money, and (2) the email from the fake lawyer that actually provided the wire instructions did not qualify as a fraudulent instruction because it did not purport to be from a Principle employee. Id. at 890-91. The Eleventh Circuit rejected these arguments and found that these emails together constituted a covered fraudulent instruction. It reasoned that “reading the emails together leaves no doubt that they were part of the same fraudulent instruction. [The fake lawyer’s] email supplemented the email purporting to be from [the managing director], which cloaked [the fake lawyer] with the authority to give additional details.” Id. at 891.
Separately, the insurer argued that the loss was not covered because it did not result “directly from” the fraudulent instruction. Id. The insurer asserted that the term “directly” requires an “‘immediate’ link between a fraudulent instruction and a loss,” and that this requirement was not met because the loss here “depended on [the controller’s] conversations with [the fake lawyer] and Wells Fargo.” Id. The Eleventh Circuit again rejected the insurer’s argument and held that the phrase “resulting directly from” requires only proximate cause which “encompasses ‘all of the natural and probable consequences’ of an action ‘unless there is a sufficient and independent intervening cause.’” Id. at 891-92 (emphasis in original). The court found that the communications with the fake lawyer and Wells Fargo did not qualify as intervening causes because they were foreseeable consequences of the managing director’s purported email, and thus the causation requirement was met. Id. at 892-93.
Finding no merit in the insurer’s position, the Eleventh Circuit deemed the phishing loss covered under the policy.
As phishing schemes continue to threaten businesses everywhere, insurance is one tool that companies can use to protect themselves from these potentially devastating losses. Insurers now offer social engineering coverage that explicitly covers phishing-related losses. However, the Second and Sixth circuits have previously recognized that these schemes can constitute covered Computer Fraud, and with the Eleventh Circuit now finding that a phishing email qualifies as a covered Fraudulent Instruction, the avenues for policyholders to seek coverage for phishing losses continues to grow.