Court Rules Social Engineering Scam Not Covered Under Bank’s Forgery and Unauthorized-Signatures Policies
Nobody at the bank noticed the second “i.”
It was there, however—one extra letter in the otherwise dead-on email address of a fraud asking to wire money to Singapore in the name of the bank CEO’s wife.
That oversight plus an undetected forged signature and the failure of two bank managers to verify money-transfer requests with callbacks enabled the scammer to wire overseas a total of more than $2.7 million in a series of 12 emails and started a dispute between the bank and an insurer over whether the loss was covered.
The dispute, a social-engineering case that addresses some of the coverage issues associated with such claims, entered a new chapter February 11, 2020, with a successful motion for summary judgment by the insurer’s defense team, Goldberg Segalla partners Joseph A. Oliva and Christian A. Cavallo. Joe and Chris’s motion led a federal judge to dismiss two of the three counts of alleged breach of contract in the bank’s suit against the insurer, those involving a Financial Institution Bond policy covering loss by forgery and a rider covering loss by unauthorized signature. The court required additional briefing on the remaining breach-of-contract dispute, over a policy designed to cover losses directly resulting from the use of a computer.
The case is a window on the rise of social-engineering attacks, in which a scammer, usually through technology, tries to trick someone into divulging information or taking some kind of action. Phishing attacks increased 17 percent in the first quarter of 2019, according to a report by the data-security company FireEye, HTTPS attacks by 26 percent. Such attacks affect all industries and often focus on deceiving the CEO or another senior leader, according to healthdatamanagement.com. On its website, cyber-security company Norton states, “The fraudster is hoping to appeal to the employee’s desire to help a colleague and, perhaps, act first and think later.”
So it was in the bank case, in which all of the fraudulent emails were designed to appear sent by the bank CEO’s wife. The bank received the emails—13 in all and each requesting a money transfer—over the course of nine days in April 2012. The first 12 were successful, but the 13th, coming a day after two requests that promised they “should be the final wires to Singapore,” led a bank manager finally to call the CEO’s wife and discover the scheme.
The bank first filed a claim with another insurer and through arbitration recovered $1 million. In October 2017 the bank filed an amended claim against Goldberg Segalla’s client, seeking $1.7 million in coverage under two policies and three insuring agreements. Under the Financial Institution Bond’s forgery-insuring agreement, coverage was to be afforded if the bank transferred money relying on a “written, original” transfer request. But the request to wire money had come via a PDF attached to an email, so the insurer denied coverage.
Goldberg Segalla’s client contended that the bank’s failure to follow its own procedures with callbacks caused the loss, precluding coverage. The bank contended that its loss was caused by receipt of fraudulent wire transfers and is therefore covered. The insurer countered that the bank was precluded from coverage by its arbitration award asserting a different cause in the case.
MORE ON GOLDBERG SEGALLA’S GLOBAL INSURANCE SERVICES GROUP:
Goldberg Segalla is one of the premier law firms advising and representing the global insurance and reinsurance industry. Its 75-lawyer Global Insurance Services group, which Law360 ranks among the largest in the United States, exists to serve insurers, reinsurers, and all others operating in the insurance arena.