October 16, 2020 by Greg Meckbach
An electronics distributor that lost nearly $2.7-million because its accounts payable staff were duped by fraudsters cannot claim under policy wording covering funds transfer fraud, a Quebec court has ruled.
In Future Electronics Inc. (Distribution) Pte Ltd. v. Chubb Insurance Company of Canada, released Sept. 29, Quebec Superior Court Justice Suzanne Courchesne ruled that the claimant can only recover $50,000 due to a sub-limit in its Chubb policy for social engineering fraud.
Justice Courchesne further ruled that Future Electronics is not covered for these crimes under wording in the Chubb policy related to “computer fraud by a third party” or for “funds transfer fraud.” The claimant would not have recovered any money on its insurance policy were it not for the social engineering endorsement (with the $50,000 sub-limit) added to its “executive protection” policy with Chubb Canada in 2015.
Pointe Claire-based Future Electronics has accounts payable staff in Singapore. They were duped into making electronic funds transfers to bank accounts controlled by criminals who impersonated the chief financial officer of a legitimate supplier. Those payments were made towards legitimate invoices received from the supplier. So while the invoices were sent by actual employees of the supplier, the instructions to change the supplier’s banking information were not. So the criminals fooled the insured’s accounts payable staff into transferring the money to the criminals’ bank account and not the supplier’s actual bank account.
In October and November of 2016, an accounts payable person in Singapore with Future Electronics received emails purporting to be from a supplier’s chief financial officer, instructing Future Electronics to change the supplier’s banking information. Two more instructions were sent in the following months. Those instructions used the real name of the supplier’s CFO but did not actually originate from the CFO’s real email address. Instead, they came from an email containing the CFO’s real first and last name but one setup by the criminals.
In the meantime, the Future Electronics payables team was receiving legitimate invoices from a person working for the supplier.
So between Nov. 10, 2016 and Jan. 25, 2017, Future Electronics made a total of $2.7 million in electronic funds transfer payments on four legitimate invoices from the supplier. But all four were made to the bank accounts controlled by the criminals pretending to be the CFO of the supplier.
On Jan. 28, 2017, a real employee of the supplier contacted Future Electronics complaining about unpaid bills. That triggered more communication between Future Electronics payables staff and real employees of the supplier.
As a result, Future Electronics learned that the email address that Future Electronics staff thought belonged to the supplier’s CFO was incorrect. On Feb. 2, the supplier told Future Electronics that the “official letters” to Future about changing the supplier’s banking information were actually fake.
Future Electronics sent a proof of loss in February 2017 to Chubb under its executive protection policy.
Chubb responded in June asserting that Future could only recover $50,000, the sub-limit under an endorsement for social engineering fraud. That covers loss “resulting from an Insured having transferred, paid or delivered any Money or Securities as the direct result of Social Engineering Fraud committed by a person purporting to be a Vendor, Client, or an Employee who was authorized by the Insured to instruct other Employees to transfer Money or Securities.”
Future Electronics took Chubb Canada to court in Quebec, arguing that two other sections of the policy (without $50,000 sub-limits) created coverage for the $2.7-million loss. One was “Funds Transfer Fraud by a Third Party” coverage. The other was for “Computer Fraud by a Third Party.”
The Court’s Analysis
The Computer Fraud by a Third Party coverage under the policy is for “the unlawful taking of Money, Securities or Merchandise through the use of any Computer System.” The policy defines computer system as “computer or network with its input, output, processing, storage and communication facilities, and shall include off-line media libraries.”
This means coverage only applies if a criminal uses a computer system to directly steal money that belongs to the insured, Chubb argued. It does not apply just because the criminal uses email to manipulate employees of the insured.
Future Electronics argued that if it were not for the fact that the criminal used a computer, there would not have been a loss.
Justice Courchesne sided with Chubb on this point, noting that email was the communication method used by the criminals. So the policy wording, for using a computer to steal money, cannot be construed so broadly as to include the use of a computer in “an incidental or minor way” such as using the computer to send emails to lie to employees.
The criminals did not steal Future Electronics’ money by the means of their computer system, wrote Justice Courchesne. Instead, they unlawfully caused a transfer of Future Electronics’ money by using email to intentionally mislead its employees. The method of fraud was the misleading of employees, not the use of the computer.
As for the “Funds Transfer Fraud” wording in the Chubb policy, this coverage is triggered when the insured’s bank is tricked into transferring money following instructions that were not the insured’s – and to which the insured neither had knowledge of nor consented, wrote Justice Courchesne.
The policy defines Funds Transfer Fraud as “the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver Money or Securities from any account maintained by an Insured at such institution, without an Insured’s knowledge or consent.”
Future Electronics argued the criminals got the money by using fraudulent written instructions to direct the transfer of funds by Future’s financial institution to criminals, unbeknownst to Future. Future Electronics argued it did not knowingly agree or consent to the payments.
Justice Courchesne countered that a Future Electronics employee specifically authorized the financial transactions, and that the payments were reviewed and approved by both of that employee’s superiors at Future Electronics. So Future Electronics did in fact know about and consent to the payments, the court found.
The judge noted the policy also has an exclusion for “loss due to an Insured knowingly having given or surrendered Money, Securities or Property in exchange or purchase to a Third Party, not in collusion with an Employee.” There is an exception in that exclusion for money orders and counterfeit currency fraud.
Feature image via iStock.com/Andrii Dodonov