A fraudster impersonating either a company executive or an outside vendor communicates a request for funds, usually by email, to an employee with the authority or ability to perform the transaction. Too often, the employee falls for the scheme, fails to verify the request and the money is long gone by the time the company discovers that it has been defrauded. Call it what you will—payment instruction fraud, social engineering fraud, imposter fraud, vendor fraud, fake president fraud, business email compromise scam—there are many labels for the conduct and an even larger variety of schemes through which criminals have sought to defraud companies by persuading employees to unwittingly transfer company funds to accounts controlled by the criminals.
Where the lost funds are significant, companies have sought to recover the loss from their insurers under the computer fraud coverage section of their crime insurance policies. These insurance claims have sprouted a series of lawsuits across the country between the insurance companies and their insureds. Typically, the insurers have denied the claims if the use of the computer in the scheme was limited simply to communication by email. The insurers have taken the position that computer fraud coverage does not respond unless there is some computer activity integral to the scheme—such as hacking or other infiltration of the computer system—above and beyond mere email communications from the fraudster to the company employees. Court decisions have been less than a model of consistency, in part because the governing policy language can vary from policy to policy.
