Business Email Scam Not Covered By Cyber Insurance, Canadian Court Rules

The Business Email Compromise (BEC) scam is jeopardizing millions of dollars for businesses of all sizes and industries.

Just last week, news reports surfaced that business email scams have begun to target art galleries and art dealers in a malicious plot to infiltrate email servers and scam art buyers into sending B2B payments to fraudulent accounts.

As instances of the BEC scam continue to rise, a new challenge for companies could be on the horizon, too, as questions mount over whether such cyberattacks are covered by cybersecurity insurance. A court in Canada recently ruled on this topic, according to Insurance Business Canada, on Monday (Nov. 6).

In the case, Brick Warehouse LP v. Chubb Insurance Company of Canada, the Alberta Court of Queen’s Bench sided with the plaintiff and ruled that cyber insurance purchased by Brick Warehouse does not cover what reports described as a “social engineering attack.”

Brick was hit with the BEC scam in 2010 when a scammer claiming to be from Toshiba sent a message to the company’s accounts payable (AP) department. The fake email tricked the AP department into sending over payment details via fax.

Days later, another fake email, this time from someone claiming to be a Toshiba controller, told Brick’s accounts payable department that Toshiba’s bank information had changed and advised the AP department to begin making payments to a new account. After more days passed, another scammer called the department to confirm Brick received the new banking information.

According to reports, Brick did not take precautions to confirm that the new banking information was, in fact, a legitimate account owned by Toshiba. Brick sent $338,000 via wire to the fraudulent account.

The fraud was not detected until a legitimate representative from Toshiba contacted Brick to notify the company that Toshiba had not been receiving any payments. Brick was able to recover about $113,000 of the transfers, reports said.

Brick submitted a claim to Chubb for about $225,000 in 2011, according to reports, but the insurance company declined to cover the claim on grounds that Brick’s own instructions to transfer money were not fraudulent.

The case may set a precedent that adds another challenge on top of the existing threat of the Business Email Compromise, which, according to research, is a top tactic used by fraudsters.

Researchers at TD Bank released a report last June that found a fifth of the companies that were hit with some type of cyberattack or fraud in the last year were victims of a Business Email Compromise.