An October 2016 US decision on an insurance coverage claim involving an elaborate scam to defraud a company shows the lengths to which an insured party has to go in order to ensure coverage for a fraud claim. In Apache Corporation v. Great American Insurance Company, a decision of the United States Court of Appeals, Fifth Circuit, the insured paid a vendor’s invoice to individuals who claimed to be the vendor. However, these individuals had created a fake email address, letterhead, and telephone number and directed the insured to pay the funds to a different bank account than the vendor’s.
The fraud started with a phone call from an individual purporting to be a representative of the vendor, asking the insured to change the bank account information that the insured had on file for payments to the vendor. This was followed by an email from an email address that was almost identical to the vendor’s which attached a letter confirming that the vendor’s bank account information had changed. The letter also requested that future payments be made to the new account.
An employee of the insured then called the phone number on the letterhead (which belonged to the scammers) to verify the account change request and satisfied themselves that the request was authentic. The insured then implemented the account change and, within a week, began paying the vendor’s invoices to the scammers’ account. It wasn’t until a month or so later, when the insured received notification from the vendor that its accounts hadn’t been paid, that the insured figured out what had happened. By then, the insured had paid approximately $7 million USD to the scammers. The insured made a claim under its “computer fraud” policy, which was denied by the insurer.
Ultimately, the US Court of Appeals upheld the denial of coverage on the basis that the fraud was not “computer fraud” because “the email was part of the scheme; but, the email was merely incidental to the occurrence of the authorized transfer of money”. Rather, it was the failure of the insured to properly investigate the new, fraudulent, bank account information provided to it that caused the loss. The court held that, more importantly, “the transfers of funds were not made because of fraudulent information, but because Apache [the insured] elected to pay legitimate invoices. Regrettably, it sent the payments to the wrong bank account. Restated, the invoices, not the email, were the reason for the funds transfers.”
The lesson to be learned is to be diligent in confirming the source of requests for payment and for changes to existing vendor payment instructions.