A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.
At issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as “AFGlobal Corp.”) by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.
According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.
“Glen, I have assigned you to manage file T521,” the phony message to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”
Roughly 30 minutes later, Mr. Wurm said he was contacted via phone and email by Mr. Shapiro, who stated that due diligence fees associated with the China acquisition in the amount of $480,000 were needed. AFGlobal claims a Mr. Shapiro followed up via email with wiring instructions.
After wiring the funds as requested — sending the funds to an account at the Agricultural Bank of China — Mr. Wurm said he received no further correspondence from the imposter until May 27, 2014, when the imposter acknowledged receipt of the $480,000 and asked Wurm to wire an additional $18 million. Wurm said he became suspicious after that request, and alerted the officers of the company to his suspicions.
According to the plaintiff, “the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.”
The company said it attempted to recover the $480,000 wire from its bank, but that the money was already gone by the 27th, with the imposters zeroing out and closing the recipient account shortly after the transfer was completed on May 21.
In a letter sent by Chubb to the plaintiff, the insurance firm said it was denying the claim because the scam, known alternatively as “business email compromise” (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy.
“Federal disagrees with your contention that forgery coverage is implicated by this matter,” the insurer wrote in an Oct. 9, 2014 letter to AFGlobal. “Your August 12 letter asserts that ‘[t]he Forgery by a Third Party in this incident was of a financial instrument.’ Federal is unaware of any authority to support your position that the email you reference qualifies as a Financial Instrument (as that term is defined in the Policy).”
According to Chubb, to be a financial instrument, the subject email must be a check, draft, or a similar written promise, order or direction to pay a sum certain in money that is made, drawn by or drawn upon an Organization or by anyone acting as an Organization’s agent, or that is purported to have been so made or drawn.
“Your August 12 letter appears to argue that ‘[t]he email constituted an order or direction to pay’ because Mr. Shapiro’s May 21, 2014 email contained wire transfer instructions as to where the funds (apparently discussed in a separate phone conversation between ‘Mr. Shapiro’ and Mr. Wurm) were to be sent,” the insurance firm told AFGlobal. “This argument ignores the fact that what defines a Financial Instrument under the Policy is not merely the existence of a written promise, order or direction to pay, but a written promise, order or direction to pay that is ‘similar’ to a ‘check’ or ‘draft.’”
The insurer continued:
“In the context of a commercial crime policy, ‘checks’ and ‘drafts’ are widely understood to be types of negotiable instruments. They represent unconditional written orders or promises to pay a fixed amount of money on demand, or at a definite time, to a payee or bearer, and they can be transferred outside of the maker or drawer’s control. The email at issue in this matter — which is not negotiable — is in no way similar to these types of instruments.”
Chubb’s claim in this case and its definition of a financial instrument would seem to be dated enough that they also might discount transfers from e-checks or deposits scanned and sent over the phone — although the documents in this case do not touch on those instruments. Chubb’s definitions of what constitutes a financial instrument are laid out in this document (PDF).
Law360 notes that this is actually the second time in the past year that Chubb Corp. unit Federal Insurance was taken to court over coverage after its policyholder was fraudulently swindled out of money.
“Research technology company Medidata Solutions Inc. sued Federal in February for denying reimbursement of $4.8 million after a company employee, also contacted by a fake CEO and fake attorney, instructed him to also wire the money to a Chinese bank,” wrote Steven Trader for Law360. “Though Medidata argued that the imposter changed the email code to alter the sender’s address and include the CEO’s forged signature, thereby constituting a ‘fraudulent’ change in data that triggered coverage, Federal fought back in New York federal court that its policy only covered hacking, not voluntary transfers of money.”
BEC or CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the numeral 1 for the letter “L”) or “example.co,” and send messages from that domain.
In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.
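The two header signals described above can be checked mechanically at the mail gateway. The following is an added example, not part of the original article: it assumes “example.com” is the organisation’s real domain, treats any domain within two character edits of it as a look-alike (matching the “one or two letters off” pattern), and runs against a constructed sample message.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "example.com"  # assumption: the organisation's real domain

# Constructed sample (not from the case): forged From, look-alike Reply-To.
SAMPLE = """\
From: "Chief Executive" <ceo@example.com>
Reply-To: ceo@examp1e.com
To: accounting@example.com
Subject: Confidential wire

Please handle this today.
"""

def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED, max_edits=2):
    """True when domain differs from the trusted one by 1..max_edits edits."""
    return bool(domain) and 0 < edit_distance(domain, trusted) <= max_edits

def bec_findings(raw_message, trusted=TRUSTED):
    """Return the reasons a message should be held for out-of-band review."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if is_lookalike(from_dom, trusted):
        findings.append(f"From domain {from_dom} resembles {trusted}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if is_lookalike(reply_dom, trusted):
        findings.append(f"Reply-To domain {reply_dom} resembles {trusted}")
    return findings
```

A message sent from a phished executive’s real inbox produces no findings here, which is why the telephone verification the FBI recommends still matters.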
On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.
The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.