Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
September 17, 2018
Insuring against Business Email Compromise Fraud
In July, an FBI public service announcement reported that global losses from business email compromise (BEC) fraud exceeded $12.5 billion in the four-and-a-half years from October 2013 to May 2018. Important to managing any fraud is a good risk management strategy, as my colleague recently discussed. The table lists some of the strategies you can use to protect yourself against BEC.
|Risk Management Strategy Elements||Description||Example|
|Avoidance||Implement policies and procedures to avoid risk.||Accept no payment transaction instructions via email.|
|Mitigation||Use controls and policies to reduce risk.||Require dual authorization for large-value payments.|
|Transfer||Transfer the losses associated with a fraudulent event.||Purchase an insurance policy.|
|Acceptance||Budget for fraud losses and litigation/fines related to security incident.||Maintain funds in a reserve account.|
This post will focus on risk transfer—specifically, it will discuss some appellate court legal developments on insurance policies and coverage related to BEC scams. This post is not intended to offer legal advice but rather, by highlighting rulings in three recent cases, to illustrate some of the challenges associated with BEC scams and transfer strategies using insurance policies. The question is whether or not the computer fraud coverage in a commercial crime policy covers losses from social engineering fraud such as BEC or payment instruction fraud. Judgments in three recent cases have been mixed, one in favor of the insurance company and two others in favor of the compromised businesses.
In April, the Ninth Circuit Court of Appeals ruled that Aqua Star's losses stemming from payment instruction fraud, a type of BEC scam, were not covered under its computer crime insurance policy. In this case, a criminal posing as a vendor of Aqua Star duped an employee through email to change the vendor's bank account information. More than $700,000 was wired from the company to the criminal's account. The court found that, even though the criminal used electronic means to dupe the employee, the Aqua Star insurance policy did not cover the loss because an authorized employee accessed the company's systems and changed the wiring instructions.
In contrast, in July, appellate courts ruled in favor of two businesses that sought coverage from loss of funds to a BEC scam. In the first, a BEC scheme victimized Mediadata to the tune of nearly $4.8 million. An accounts payable clerk was tricked into wiring money into a criminal's account with an email that appeared to be from the company's president and a spoofed phone call that seemed to be from a Mediadata attorney. The Second Circuit Court of Appeals concluded that, in this instance, Mediadata was covered by its computer fraud policy because the fraudster used a computer code to alter a series of email messages to make them appear legitimate—even though Mediadata computers weren't directly hacked.
Then one week later, the Sixth Circuit Court of Appeals ruled in favor of American Tooling Center (ATC). This company was also victimized by a BEC scheme and lost more than $800,000. In this case, the money was wired to a criminal's bank account after the perpetrator intercepted emails between ATC and a vendor and then began impersonating the vendor. The court rejected the insurance company's argument that the losses were excluded because an ATC employee caused the loss by changing the payment instructions. Instead, the court determined that computer fraud does not require unauthorized access to a company's computer systems and that a company can claim a direct loss as a result of an employee being duped.
These cases show the difficulty in understanding what types of fraud losses might be specifically covered under your insurance policy since the courts do not always agree. Some insurance companies now offer separate BEC riders, which could prove valuable in the event you are a victim of this fraud. Because the crimes can result in significant losses, it is also important to know how much coverage is available under commercial crime policies, and imperative to ensure that the coverage is sufficient for losses that can arise from this type of fraud. Are you insuring your company from BEC fraud?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud