Scammers use spoofed emails to make off with an alarming amount of wrongfully obtained cash. The FBI's Internet Crime Complaint Center received more than 20,000 complaints of business email compromises, representing more than $1.2 billion in losses last year alone. See Federal Bureau of Investigation, “2018 Internet Crime Report,” https://pdf.ic3.gov/2018_IC3Report.pdf.

“Spoofed” emails are used to induce victims to perform actions such as changing payment information so that funds are redirected away from the lawful recipient to the scheme's perpetrator. One court has described spoofing as “the practice of disguising commercial email to make the email appear to come from an address from which it actually did not originate. Spoofing involves placing the ‘From’ or ‘Reply to’ lines, or in other portions of email messages, an email address other than the actual sender's address, without the consent or authorization of the user of the email address whose address is spoofed.” See Karvaly v. eBay, 245 F.R.D. 71 (E.D.N.Y. 2007). In short, the scammer sends an email disguised to appear as if it came from someone the recipient thinks they can trust. The scammer may build a rapport with the victim or bolster their credibility with a follow-up phone call. Ultimately, the scammer may induce the victim to wire money to the scammer's bank account and then vanish.

Insurance policies covering computer fraud typically state that to be covered, the computer fraud must be a “direct” cause of the loss, giving insurers room to argue that spoofing emails, which are engineered to induce action by someone within the victim organization, are not a “direct” enough cause of loss. Consider the following samples of policy language:

Computer fraud means an intentional, unauthorized, and fraudulent entry or change of data or computer instructions, directly into or within, a computer system that:

  • Is not made by an insured person; and
  • Causes money, securities or other property to be transferred, paid, or delivered from inside the insured entity's premises or the insured entity's financial institution premises to a place outside such premises.

And the company will pay the insured for the insured's direct loss of, or direct loss from damage to, money, securities and other property directly caused by computer fraud.

However, policyholders can take some comfort in the fact that courts are trending toward finding that spoofing attacks are a direct cause of loss even though, by design, they succeed by inducing another party to act.

Just over a year ago, the U.S. Court of Appeals for the Second Circuit rejected an insurer's argument that a spoofed email attack was not computer fraud as defined in the applicable policy because it did not involve direct access into the victim's computer system, see Medidata Solutions v. Federal Insurance, 2018 U.S. App. LEXIS 18376 (2d Cir. July 6, 2018). In Medidata, a fraudster sent spoofed emails disguised to appear as if they came from Medidata's president to a staff member on the accounts payable team, instructing her to initiate a wire transfer purportedly for a confidential acquisition of another company. In fact, the employee wired the money to the scammer's bank account. Medidata did not realize the fraud had occurred until more than $4.7 million had been transferred.

Medidata sought coverage from its insurer under the computer fraud provision of its policy, which defined computer fraud as “the unlawful taking or the fraudulently induced transfer of money, securities or property resulting from a computer violation.” The Second Circuit rejected the insurance company's argument that Medidata did not suffer a “direct loss” from the spoofing attack because the intervening step of a Medidata employee transferring the funds, rather than the attack itself, caused the loss. The court held that the spoofing emails were the proximate cause of Medidata's loss: “Medidata employees themselves had to take action to effectuate the transfer, [but] we do not see their actions as sufficient to sever the causal relationship between the spoofing attack and the losses incurred.”

Other courts are now following suit. In American Tooling Center v. Travelers Casualty & Surety, 895 F.3d 455 (6th Cir. 2018), the U.S. Court of Appeals for the Sixth Circuit reversed summary judgment for Travelers in a case where Travelers had denied coverage to a manufacturer that wired money after receiving a fraudulent email from a party impersonating its vendor. ATC had transferred $834,000 to a fraudulent account after receiving spoofed emails that purported to be from its vendor, stating that the vendor had switched its bank account. ATC's policy with Travelers provided coverage for “direct” computer fraud: “The company will pay the Insured for the Insured's direct loss of, or direct loss from damage to, money, securities and other property directly caused by computer fraud.” Interpreting Michigan law, the Sixth Circuit adopted the definition of “direct” from an unpublished Michigan Court of Appeals opinion defining a direct loss “as one resulting from an ‘immediate’ or ‘proximate cause’.” The court rejected Travelers' argument for a narrower definition of “direct” as “immediate.”

The Sixth Circuit provided a simplified analogy: “Imagine Alex owes Blair five dollars. Alex reaches into her purse and pulls out a five-dollar bill. As she is about to hand Blair the money, Casey runs by and snatches the bill from Alex's fingers. Travelers' theory would have us say that Casey caused no direct loss to Alex because Alex owed that money to Blair and was preparing to hand him the five dollar bill. This interpretation defies common sense.”

While courts appear to be trending toward a unified position that spoofing attacks are a “direct” cause of loss, it is not yet black-letter law. The U.S. District Court for the District of New Jersey was hesitant to rule that spoofing emails were a “cause” of a loss at the motion-to-dismiss stage but left the door open for such a finding after discovery in Children's Place v. Great American Insurance, No. 18-11963 (D.N.J. 2019). The policy at issue in Children's Place provided coverage for computer fraud, defined as “loss resulting directly from the use of any computer to impersonate you, or your authorized officer or employee, to gain direct access to your computer system … and thereby fraudulently cause the transfer of money.” Children's Place brought a declaratory judgment action when its insurer denied coverage under this provision. The insurance company argued that Children's Place's complaint did not allege that the hacker's spoofing attack caused the transfer of money.

Despite the still-limited body of caselaw interpreting computer fraud provisions in the context of spoofed emails, the trend toward finding coverage is clear. While insurers argue that an email spoofing scheme, by design, calls for an intervening act from within the insured's organization, that act can be considered part of the computer fraud scheme, and coverage for such losses therefore exists.

Megan K. Shannon is an associate in Offit Kurman's insurance recovery group in the firm's Philadelphia office. Contact her at [email protected] or 267-338-1328.