On August 12, 2022, the U.S. District Court for the District of Minnesota dismissed a policyholder’s complaint seeking a declaration that $600,000 in social engineering fraud loss fell within a crime policy’s computer fraud coverage.
The court determined that, instead, the loss fell solely within the policy’s coverage for social engineering fraud, which had limits of $100,000. In so holding, the court rejected what it characterized as frivolous arguments by the policyholder ‘to avoid this obvious conclusion’ and ‘to prolong a lawsuit that it is destined to lose.’
The policyholder, SJ Computers, LLC (SJ Computers), was a provider of refurbished computer parts.
In March 2021, SJ Computers’ purchasing manager received emails purporting to originate from one of its vendors, ERI Direct. The emails attached invoices and instructed SJ Computers to pay them by wire transfer to a bank account number that differed from the account number ERI Direct had used in the past.
The ‘bad actor’ then hacked the purchasing manager’s email account and forwarded the invoices from that account to SJ Computers’ CEO. Despite being unable to contact ERI Direct, the CEO initiated a wire transfer for around $600,000 to the new bank account number.