KnowBe4 Security Awareness Training Blog

Insurance Company On The Hook for 1.7 Million Dollars After Denying BEC Scam Claim

Written by Stu Sjouwerman | Dec 12, 2019 8:11:49 PM

An article in the Insurance Journal reports that the 11th Circuit Court in Atlanta agreed with a district court ruling that insurance company "Ironshore" is still on the hook for paying a claim to Principle Solutions Group arising from a BEC (Business Email Compromise, or CEO fraud) scam that resulted in the loss of about $1.7 million.

Principle Solutions Group had a commercial crime policy, which limited liability to losses resulting directly from fraudulent instructions to a financial institution. The district court concluded that the policy covered the loss and granted partial summary judgment to Principle Solutions Group.

Ironshore then appealed the case to federal court and argued it didn't have to pay the claim since the company violated the policy terms by having further communications with Wells Fargo's fraud department and the scammer posing as an attorney.

Here's how the BEC scam went down according to Insurance Journal. 

A Typical BEC Scam 

"Principle was scammed in July 2015 through an email purporting to be from managing director Josh Nazarian to controller Loann Lien. The email said that Principle has been working on a “key acquisition” and asked Lien to wire the money as soon as possible. The email instructed Lien to seek instructions from “attorney Mark Leach” with a London law firm, Bird & Bird."

"An email from someone purporting to be Leach followed five minutes later. He instructed Lien to wire the money to a bank in China. Later, the man who called himself Leach told Lien that Nazarian had approved the transfer."

"A Wells Fargo fraud prevention investigator called Lien to verify that the wire transfer was legitimate. Lien called Leach to verify how he had received instructions. The imposter said he had spoken with Nazarian on the telephone. Lien relayed that information to Wells Fargo, which released a hold that had been placed on the wire."

"Lien learned that she had been hoodwinked when she spoke to Nazarian the next day. The company promptly reported the fraud, but law enforcement was not able to recover the money." 

Conclusion 

The federal court rejected Ironshore's arguments and affirmed that "No unforeseeable cause intervened between Nazarian’s purported email and Principle’s loss. The loss unambiguously “resulted directly from” the fraudulent instruction." This may be good news for those who have general policies. Unfortunately, the intricacies of coverage of social engineering and BEC (Business Email Compromise) scams are still being hammered out in the courts.

Companies should carefully read their insurance policies to determine if they have proper coverage for social engineering as well as other cyber coverages.

Insurance Journal has the story.