A device from Traveler Cos. Inc. properly paid a phishing claim under its tort policy’s social engineering fraud coverage and refused to pay under the policy’s computer fraud coverage, which offered much higher limits, a federal district court has ruled.
In March 2021, a still-unidentified bad actor sent fraudulent invoices purporting to be from a vendor to the purchasing manager of Eagen, Minnesota-based SJ Computers LLC, instructing the company to make wire transfers to a bank account number different from the one the vendor had used in the past , according to Friday’s ruling by the U.S. District Court in Minneapolis i SJ Computers LLC v. Travelers Casualty and Surety Co. of America.
The bad actor then hacked into the purchasing manager̵7;s email account and, impersonating him, forwarded the invoices to the company’s CEO for payment.
The CEO left a message with the seller, and after his calls were not returned, authorized the payment and sent two wire transfers totaling $593,555.
After discovering the fraud, the company submitted a proof-of-loss statement seeking coverage under its tort policy’s social engineering coverage, which has an individual loss limit of $100,000, the ruling said. Travelers issued the company a check for $100,000, according to court documents.
Later, however, after apparently realizing it had up to a million-dollar one-time loss limit under its computer fraud coverage, it revised its claim and sought coverage under that provision, the ruling said.
After Travelers accepted coverage under social engineering coverage but refused it under computer fraud coverage, the company sued the insurer, charging it with breach of contract and breach of the duty of good faith and fair dealing.
The district court ruled in favor of the insurer, describing the company’s arguments for computer fraud coverage as ranging “from creative to desperate.”
“The policy clearly anticipates – and clearly addresses – the very situation that gave rise to SJ Computer’s loss, and the policy bends over backwards to clarify that this situation involves social engineering fraud, not computer fraud,” the ruling said.
The ruling adds that even if the company had suffered computer fraud and met all the requirements of the computer fraud insurance policy, an exclusion stating that the policy does not cover losses resulting from “falsified, altered or fraudulent” instructions would have excluded computer fraud coverage.
“SJ Computers is desperately trying to avoid this obvious conclusion and is trying, for reasons that elude the court, to prolong a trial it is destined to lose,” the ruling said, granting Travelers’ motion to dismiss the case.
Attorneys in the case did not respond to requests for comment.
In a comparable case, in July, the Illinois Department of Insurance filed a lawsuit against the entities Hartford Financial Services Group Inc. and Munich Reinsurance Co. in U.S. District Court in Chicago, seeking recovery of $3.98 million stolen in a phishing scheme that targeted two bankrupt auto insurance companies.
A status conference by telephone is set for September 27 in that case.