The Eastern District of Pennsylvania recently gave another reminder why cyber insurance should be part of any comprehensive insurance portfolio. In Construction Financial Administration Services, LLC v. Federal Insurance Company, No. 19-0020 (E.D. Pa. June 9, 2022), the court rejected a policyholder’s attempt to find coverage under its professional liability insurance for a social engineering incident that defrauded over $1 million.
Construction Financial Administration Services, which goes by CFAS, disburses funds to contractors. One of its clients, SWF Constructors, was hacked, and a bad actor posing as the client asked CFAS to distribute $600,000 to a sham third party. John Follmer, an executive at CFAS and the only person authorized to approve distribution of funds, approved it. The next day, the bad actor, again posing as the client, asked Follmer to transfer an additional $700,000. Follmer approved that distribution too.
Continue Reading Don’t Put All Your Eggs in the Silent-Cyber Basket
Social Engineering
Voluntary Parting Exclusion Bars Coverage for Social Engineering Scheme
Social engineering attacks, particularly fraudulent transfers, are becoming one of the most utilized cyber scams. As a result, there has been a flurry of litigation, and a patchwork of decisions, concerning coverage disputes over social engineering losses. Most recently, the United States District Court for the Eastern District of Virginia found in Midlothian Enterprises, Inc. v. Owners Insurance Company that a so-called “voluntary parting” exclusion provision in a crime policy should exclude coverage for a fraudulent transfer social engineering scheme. The decision illustrates why policyholders must vigilantly analyze their insurance policies to ensure that their coverages keep pace with what has proven to be a rapidly evolving risk landscape.
…
EDVA Finds Computer Fraud Occurred “Directly” From a Computer Despite Numerous Non-Computer Acts in the Causal Chain of Events
Following a bench trial, the United States District Court for the Eastern District of Virginia found in The Cincinnati Insurance Co. v. The Norfolk Truck Center that a commercial truck dealer’s social engineering loss arose directly from a computer, thereby triggering the dealer’s computer fraud coverage, notwithstanding that the scheme involved numerous non-computer acts in the causal chain of events. A copy of the decision may be found here.
…
Second Circuit Stands By Medidata “Spoofing” Decision
The Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018 decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy. In July, the court determined that the loss resulted directly from the fraudulent e-mails. The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems, finding that access indeed occurred when the “spoofing” code in emails sent to Medidata employees ended up in Medidata’s computer system.
…
Hunton Insurance Head Casts Insurance Net on Phishing and Whaling Scams
In a recent article appearing in Florida’s Daily Business Review (available here), Hunton Insurance Recovery Practice team head, Walter Andrews, explains why phishing and whaling scams should be covered by insurance. In the article, Andrews notes that recent appellate decisions support policyholders’ reasonable expectations of coverage and reject insurers’ contentions that social engineering losses…
Insurance Carriers Tell Circuit Courts To Reconsider Holdings For Coverage In Cybercrime Suits
In a recent post, we discussed the Sixth Circuit’s holding in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America, No. 17-2014, 2018 WL 3404708 (6th Cir. July 13, 2018), where the Sixth Circuit reversed the district court’s summary judgment for the insurer, finding coverage under its policy for a fraudulent scheme that resulted in an $834,000.00 loss. The insurer, Travelers, has now asked the Court to reconsider its decision.
…
Hunton Insurance Recovery Practice Head Explains Why Medidata Decision Affirming Phishing Coverage is “Common Sense”
In a July 9, 2018 article appearing in Insurance Law360, Hunton Andrews Kurth insurance recovery practice head, Walter J. Andrews, explains why the Second Circuit’s decision in Medidata Solutions Inc. v. Federal Insurance Co., No. 17-2492 (2nd Cir. July 6, 2018), affirming coverage for a $4.8 million loss caused by a “phishing” e-mail attack, is a common sense application of the plain language of Medidata’s computer fraud coverage provision. As Andrews explained, “[c]learly, hijacking — or spoofing — email addresses constitutes an attack on a company’s computer system for which a reasonable policyholder should expect coverage. A computer is a computer is a computer. Everyone knows that — except for insurance companies.”
…
2nd Cir. Affirms Medidata’s Spoofing Loss is Covered Under Crime Policy’s Computer Fraud Provision
On July 6, 2018, the Second Circuit Court of Appeals affirmed a district court’s summary judgment award in favor of Medidata Solutions, Inc., finding that Medidata’s $4.8 million loss, suffered after Medidata was tricked into wiring funds to a fraudulent overseas account, triggered coverage under a commercial crime policy’s computer fraud provision. The decision in Medidata Solutions, Inc. v. Federal Ins. Co., 17-cv-2492 (2d Cir., July 6, 2018), confirms a ruling by District Judge Andrew L. Carter, Jr., in which the district court found that a fraudster’s manipulation of Medidata’s computer systems constitutes a fraudulent entry of data into the computer system, since the spoofing code was introduced into the email system.
…
Hunton Global Privacy and Insurance Leaders Address the Prevention and Insurability of Cyber Attacks
A recent article published by Securityroundtable.org highlights the vulnerabilities businesses face in a world of e-commerce and interconnectivity, and how proper planning through a tailored cybersecurity program that includes – among other components – appropriate insurance coverage for cyber risks can help prevent a successful attack and mitigate the financial impact should one occur. Whether…
Beazley Reports Major Increase In Social Engineering Attacks
In its third quarter report, insurer Beazley reported a nine-fold increase in social engineering attacks (i.e., deception-based fraud/crime) as compared to the same time last year. So far, the majority of social engineering attacks in 2017 were focused on the professional services sector (18%), followed by financial institutions (9%), higher education (9%) and healthcare (3%). The report also notes continued high rates of unintended disclosure via employee negligence across all sectors (29%), second only to affirmative hacking or malware attacks (34%).
…