A Minnesota computer store that sued its crime insurance provider has had its case dismissed, with the courts saying it was a clear case of social engineering, a crime for which the insurer had to cover only a fraction of total losses.
SJ Computers claimed in a November lawsuit [PDF] that Travelers Casualty and Surety Co. owed it far more than the insurer paid on a nearly $600,000 claim stemming from a successful business email compromise (BEC) attack.
According to its website, SJ Computers is a Microsoft Authorized Refurbisher that resells Dell, HP, Lenovo and Acer products and provides technical services including software installations and upgrades.
Travelers, which filed a motion to dismiss, said SJ’s policy draws a clear line between computer fraud and social engineering fraud. The motion was granted [PDF] with prejudice last Friday.
In the dismissal order, the U.S. District Court for Minnesota found that the two policy agreements were mutually exclusive, noting that SJ’s claim fell directly under its social engineering fraud agreement with Travelers, which has a $100,000 cap.
When SJ filed its claim with Travelers, the court found, it did so only under the social engineering fraud agreement. After SJ Computers realized that the policy limit for computer fraud was ten times higher, “SJ Computers put forward a range of arguments – from the creative to the desperate – to convince Travelers that its loss was not the result of social engineering fraud (as SJ Computers itself initially said) but the result of computer fraud,” the district judge wrote in the order.
The SJ Computers case is a fairly well-worn case of BEC, where an attacker gains access to a legitimate email account, which they use to trick a company into sending money or sensitive data to accounts under the attacker’s control.
In SJ’s case, an attacker sent fake invoices to SJ’s purchasing manager and then gained access to the purchasing manager’s email account in a manner not specified in the lawsuit or dismissal order.
Once inside, the attacker emailed the purchase agreements to SJ’s CEO, who usually signs off on such orders, court documents say. Because the fraudulent invoices included a change in bank account information, the CEO called the seller to confirm, but received no response before the deadline stated on the invoice.
With no response, SJ initiated two transfers totaling $593,555 and did not detect the scam before the payments were processed.
According to the court’s dismissal order, Travelers defines computer fraud, which it covers up to $1 million, as “the intentional, unauthorized, and fraudulent input or alteration of data or computer instructions directly into a computer system.” At the same time, Travelers’ computer fraud agreement states that such inputs or changes made by employees or authorized persons based on fraudulent instructions are not covered.
Social engineering fraud, under which Travelers has agreed to insure SJ, is defined in the policy as “the willful misleading of an employee or authorized person by an individual impersonating [vendors, clients, employees or authorized persons] through the use of a communication.”
“The complaint indicates that the loss of SJ Computers falls under the Social Engineering Fraud Treaty and not the Computer Fraud Treaty,” the order reads.
It went on:
According to Chief District Judge Patrick Schiltz, who handed down the order, this case is breaking new legal ground. In the order, Schiltz noted that both SJ’s lawsuit and Travelers’ motion to dismiss cite just three other cases from different jurisdictions that “analyze the concept of direct causality in the context of computer or social engineering fraud.”
All of these cases differed from this one in the same major way, the court pointed out: none of them involved insurance policies that cover both computer and social engineering fraud, or that make clear that the two types of fraud are distinct, mutually exclusive categories.
This case is therefore less a litmus test for the future of legal disagreements over social engineering payouts than it is an exercise in reading contracts closely.
“[Travelers’] policy clearly anticipates – and clearly addresses – the situation that led to the loss of SJ Computers, and the policy leans far backwards to make it clear that this situation is social engineering fraud and is not computer fraud,” said Schiltz. ®
https://www.theregister.com/2022/08/16/social_engineering_cyber_crime_insurance/ Social engineering, computer fraud decided separately by law • The register