Court rules social engineering attacks not covered under cyber policy

Case involved the theft of hundreds of thousands of dollars in an elaborate email fraud scheme

Court rules social engineering attacks not covered under cyber policy


By Lyle Adriano

In Brick Warehouse LP v. Chubb Insurance Company of Canada, the Alberta Court of Queen’s Bench has found that a social engineering attack did not fall within the terms of a plaintiff’s cyber policy coverage.

The case and the judgment is significant, as it is one of the first social engineering fraud cases in Canada, Miller Thomson LLP stated in its blog.

Register for our exclusive CE webinar Cyber Insurance 101, and get covered on selling cyber.

In 2010, an individual claiming to be from Toshiba contacted Brick’s accounts payable department. The individual purported that he was new to the company, and that he required some missing payment details. A Brick employee faxed the requested details to a number provided by the caller.

A few days later, another Brick staff member from the accounts payable department received an email from an individual claiming to be the Toshiba controller. That individual advised that Toshiba had changed its bank, and requested that Brick make its payments to the new account.

Search and compare product listings for Cyber Insurance from specialty market providers here

Days passed, and another individual called Brick’s accounts payable department and spoke to the employee who had received the email from the “controller” and received confirmation of the transfer of the banking information. Brick did not take any precautions or steps to verify the validity of the account transfer.

The account transfer resulted in a total of ten Toshiba invoices totalling approximately $338,000 being wired to the fraudulent account. It was only in September 2010 that an actual representative of Toshiba called Brick to inform the company that it had not been receiving payments. Brick was only able to recover about $113,000 of the funds that it had incorrectly transferred.

In December 2011, Brick submitted a claim to Chubb for approximately $225,000. The insurer refused coverage, reasoning that Brick’s instructions to its own bank came from an authorized employee of its own, and that the instructions themselves were not fraudulent.

The Alberta Court of Queen’s Bench heard the case brought by Brick.

While the Court was of the view that the funds were transferred by a Brick employee due to fraudulent emails, it ultimately ruled that the transfer was not directed by a third party, as the fund transfer was done with Brick’s consent.

Related stories:
How to get engaged in cyber broking and learn some expertise
Is today’s control enough to counter tomorrow’s cyber threats?

Keep up with the latest news and events

Join our mailing list, it’s free!