The $2 Million Phish
Posted on 02/04/2019 at 12:48 PM by John Lande
Earlier this year, the Tokyo fish market grabbed headlines when a blue fin tuna sold for a record $3 million. Less well publicized was a phish that reeled in $2 million for fraudsters from the city of Farmington, Connecticut in 2016.
News stories about cybersecurity incidents involving phishing are routine. However, just because phishing schemes are a well-known attack vector does not lessen the risk that organizations face from these schemes. The town of Farmington, Connecticut learned that lesson when city coffers lost over $2 million to fraudsters.
The scheme began like so many others covered by this blog. Fraudsters sent a key town employee emails disguised so they appeared to come from a vendor for an ongoing sewer project. Fraudsters convinced the employee to send electronic funds transfers worth $2,042,448 to fraudsters. The employee thought the funds were going to pay off the town’s real vendor. The town discovered the fraud when the real vendor inquired about its unpaid invoices. The town was only able to recover $891,386 from intermediary banks.
The town submitted a claim for over $1 million to its insurer under a computer and funds transfer fraud coverage clause. Argonaut, the insurance company, denied the claim. The town then filed a lawsuit against the carrier and its insurance agent. The town disputed the insurance company’s claim that the policy did not provide coverage, and argued that if the insurance company was right then the insurance agent should be liable for failing to inform the town about coverage limits.
On December 27, 2018, the Connecticut state court issued a preliminary ruling dismissing the town’s claim that the insurance agent owed the town a fiduciary duty. The court explained that simply because a professional possesses greater expertise in a particular area does not necessarily create a fiduciary duty. The insurance agent could, however, still be liable under the town’s negligence and breach of contract theories. Moreover, the insurance company could still be liable to cover the losses.
This case is yet another example of the risks involved with purchasing insurance for cyber-incidents. This blog has covered numerous cases involving disputes between insureds and their carriers after phishing attacks. These cases demonstrate that organizations need to look beyond the word “cyber” in a policy’s name to determine if the policy actually covers the organization’s risks. Organizations should make sure to work with a knowledgeable insurance agent when purchasing “cyber” insurance, or have knowledgeable legal counsel review existing policies for potential gaps in coverage. The town of Farmington, Connecticut will no doubt do so after its $2 million phish.
Categories: Commercial Litigation, Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.