Many organizations have transitioned the bulk of their staff to working from home. While this may reduce the threat posed by COVID-19, it presents new risks for organizations of all kinds and sizes. We have covered numerous cases of fraudsters using email phishing to take advantage of unsuspecting organizations. Fraudsters have become adept at tricking organizations into redirecting vendor payments to fraudster bank accounts. With so many people reliant on email communication, organizations should keep in mind that fraudsters also can work from home.
One recent case is an example of the kind of threat organizations face. Mississippi Silicon Holdings, LLC v. AXIS Insurance Company is the story of yet another organization tricked into sending its vendor payments to fraudsters. Mississippi Silicon manufactures silicon metal, which requires graphitized carbon electrodes. Mississippi Silicon purchased the electrodes from a Russian company, Energoprom. Throughout October 2017, Mississippi Silicon’s CFO emailed with an Energoprom “employee” named “Olga.” “Olga” informed the CFO that Energoprom had changed banks, so Mississippi Silicon should start sending payments to the new account. Over the next several weeks, Mississippi Silicon transferred over $1,000,000 to what later turned out to be a fraudster-owned bank account. The fraud was discovered when a real Energoprom employee inquired about when Energoprom would receive payment from Mississippi Silicon.
Mississippi Silicon made a claim for the loss under its cyber-insurance policy provided by AXIS Insurance. The AXIS policy had three potential coverage provisions that could apply to this fraud: social engineering fraud, computer transfer fraud, and funds transfer fraud. The coverage limit for computer transfer and funds transfer fraud was $1,000,000. The coverage limit for social engineering fraud was only $100,000. AXIS acknowledged Mississippi Silicon’s claim under the social engineering fraud provision, and denied coverage under the computer transfer and funds transfer fraud provisions. Mississippi Silicon filed suit against AXIS claiming that the loss was covered under one or both of the $1,000,000 coverage limit provisions.
The United States District Court for the Northern District of Mississippi ruled in favor of AXIS. The court concluded the computer transfer fraud provision did not apply, because coverage under that section was only triggered by losses resulting “directly” from “the fraudulent entry of information into or the fraudulent alteration of any information within a Computer System.” The court explained that while a fraudulent email from “Olga” began the sequence of events that led to the loss, the “direct” cause of the loss was the CFO initiating the wire to the fraudster bank account.
The court determined the funds transfer fraud provision did not apply, because there were no fraudulent instructions provided to Mississippi Silicon’s financial institution. Since the CFO had the authority to, and in fact did, authorize the transfer, the funds transfer fraud provision did not cover the loss.
The court noted that the applicability of one coverage provision did not necessarily preclude other coverage provisions from applying. However, reviewing the policy as a whole, the court found it clear that the parties intended the social engineering fraud provision to be the exclusive coverage for social engineering losses. Thus, the fact that the loss fit within the social engineering coverage provision suggested that the other coverage provisions were inapplicable.
Unfortunately, Mississippi Silicon’s case has become a common fact pattern. With so many companies doing business remotely due to COVID-19, the opportunities for fraud have only multiplied. Organizations need to make sure they have strong controls in place to reduce the risk that their payments will be sent to fraudsters instead of their real vendors. Even if organizations have social engineering insurance, they should consider whether their coverage limit is sufficient for the risk they face from a fraudulent transaction. After all, the fraudsters can work from home just as easily as you can.