In Apache Corp. v. Great American Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016), the United States Court of Appeals for the Fifth Circuit held that loss from a phishing scam, which led to misdirected payments in the amount of $7 million, was not covered under a policy’s computer fraud coverage. Although the fraudulent scheme was initiated through emails, the court held that the emails were too incidental to classify the insured’s subsequent loss as one “resulting directly from the use of any computer to fraudulently cause a transfer of that property.”
The facts of the case are straightforward and serve as a good illustration as to why double verification practices should be practiced by every company as a preventive measure against cyber fraud. In the case, the insured, Apache Corporation was an oil-production company. An employee in Scotland received a telephone call from a person identifying herself as a representative of Petrofac, an Apache vendor. The caller instructed Apache to change the bank-account information for payments Apache made to Petrofac. The Apache employee replied that the change-request could not be processed without a formal request on Petrofac letterhead. Id. at *2.