Court Holds Social Engineering Fraud Does Not Trigger Computer Fraud Coverage
The United States District Court for the District of Minnesota, applying Minnesota law, has held that an insured’s loss resulting from the insured’s payment of fraudulent invoices received from a bad actor who hacked into the insured’s email system constituted social engineering fraud and did not trigger the policy’s computer fraud insuring agreement. See SJ Computers, LLC v. Travelers Cas. & Surety Co. of Am., 2022 WL 3348330 (D. Minn. Aug. 12, 2022).
The insured, a computer company, was defrauded when a bad actor compromised the email account of the insured’s purchasing manager and sent fraudulent vendor invoices to the insured’s CEO for payment. After a failed attempt to contact the vendor to confirm the new payment instructions provided with the fraudulent invoices, the CEO made the wire transfers, which went to the bad actor.
The insured sought coverage for the loss under a crime insurance policy, which contained a social engineering fraud insuring agreement and a computer fraud insuring agreement. The insured originally sought coverage under the social engineering fraud agreement, but later sought coverage under the computer fraud agreement, which contained a significantly higher limit of liability. The insurer denied coverage under the computer fraud agreement. Coverage litigation ensued.
The court held on a motion to dismiss that the insured’s loss fell “squarely” within the social engineering fraud agreement, noting that the insured’s arguments to establish coverage under the computer fraud agreement ranged from “creative to desperate[.]” First, the court held that the insured’s loss did not fall within the definition of “computer fraud,” which defined computer fraud as “an intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a [c]omputer [s]ystem” but excluded any “entry or change . . . made in reliance upon any fraudulent . . . instruction[.]” The court held that the CEO’s conduct fell precisely in the carve-out to the definition. Second, the court held that, even if the bad actor’s hacking could be distinguished from the CEO’s acts, which the court “seriously doubt[ed],” the hacking did not “directly cause” a “direct loss.” That is because the insured “did not suffer a penny of financial loss when the bad actor hit ‘send’ on his email messages” and “would never have suffered a penny of financial loss if the CEO had not opened those email messages.” Thus, the court held that no coverage existed under the computer fraud insuring agreement. The court also noted that while other Minnesota case law interpreted “direct,” those cases were distinguishable as they were not decided in the context of computer fraud or social engineering fraud.