After The Brick fell for a phishing scam, it lost over $224,000.00, and its insurer refused to cover the losses. (See The Brick Warehouse LP v Chubb Insurance Company of Canada, 2017 ABQB 413 (CanLII) (The Brick v. Chubb)).
In August 2010, someone called The Brick’s accounts payable (AP) department, pretending to be from Toshiba Canada. The caller said he was new to Toshiba and needed some payment details. The Brick employee faxed the payment information to the number which the caller provided.
A few days later the same person called with the same story. The same Brick employee asked him to write to The Brick’s lender to update the payment information to receive electronic payment notifications.
Then on August 20, 2010, a different Brick employee in the AP department received an email from the address [email protected], purportedly from Toshiba’s controller. The email claimed that Toshiba had changed banks, from the Bank of Montreal to the Royal Bank of Canada (RBC) and provided new banking information for all future payments to Toshiba.
On August 24, 2010, someone called The Brick’s AP department and asked the employee who had received the August 20 email to confirm that The Brick had updated the banking information.
After the call, the employee changed the banking information, following The Brick’s procedures for account updates. The procedures included review by another employee.
After the change, $338,322.22 which should have gone to Toshiba went to the RBC account.
On September 3, 2010, someone called The Brick, purporting to be from Sealy Canada’s AP department. The caller recycled the Toshiba story and gave the same RBC account number. The Brick’s accounting system rejected the duplicate account number. The scammer later explained that there was a confidential merger between Sealy Canada and Toshiba.
On September 10, 2010, a bona fide representative from Toshiba called The Brick to follow up on outstanding payments. The Brick investigated and discovered that it had swallowed the bait.
The Brick later recovered all but $224,475.14 of the funds from the phoney RBC account, so it submitted a claim to Chubb Insurance Company of Canada (Chubb) for this amount.
Chubb denied coverage because it said The Brick’s crime policy did not cover the losses.
Why Chubb denied coverage
The Brick’s insurance policy defined funds transfer fraud as follows:
Funds transfer fraud means the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent [emphasis mine].
The Brick’s insurance policy also included an exclusion clause denying coverage if the organization knowingly surrenders funds to a third party, not in collusion with an employee.
For The Brick to access coverage under its policy, it had to show that the bank transferred the funds without The Brick’s knowledge or consent. Chubb and its affiliated companies successfully defended against similar claims from insureds in the United States. The judge in The Brick v Chubb agreed that the insurance policy did not cover The Brick’s losses.
The judge concluded that because the policy did not include definitions for the words knowledge or consent, they should be given their plain, ordinary and proper meaning that the average policyholder of ordinary intelligence, as well as the insurer, would attach to them.
Since consent means “permission for something to happen or agreement to do something” and a Brick employee had instructed RBC to process the transfer of funds, The Brick had, in fact, consented to the transfer.
The Lessons
- Training employees in internal controls and cybersecurity is essential. Provide employees with practical and simple but effective strategies. For example, train employees to identify suspicious emails. Phishing emails spoof or closely mimic legitimate email addresses and can be hard to spot (for instance, [email protected] versus [email protected]). However, sometimes, red flags are apparent. The Toshiba email address has a suspicious domain name. One would expect a Toshiba email address to have the “@toshiba” domain name instead of “@eml”. Another red flag is the “.cc” country code top-level domain (ccTLD) name in the email address; this is the ccTLD name for the Cocos (Keeling) Islands, an Australian territory. In the context of a request to re-route money, this ccTLD, instead of a more commonly used ccTLD like “.ca” or a generic top-level domain (gTLD) name like “.com”, should have prompted the AP department to investigate further.
- Always independently verify requests to change payment information. No one confirmed that the Toshiba request was bona fide. No one contacted Toshiba by phone, using the contact information which the AP department had on file. On September 3, when the accounting system rejected the duplicate bank account number, a Brick employee did attempt to verify the Toshiba instructions—but used the contact information in the phoney email. Naturally, the scammer verified its own scam. For similar reasons, employees should not hit the reply button to respond to questionable emails and should instead type in the bona fide email address or select it from their address book.
- Be sceptical. Even after taking the initial bait, The Brick had the opportunity to end the scam 7 days before its eventual end on September 10. Given the sequence of events, the Sealy Canada call on September 3 should have triggered escalation and further investigations.
- Be on the look-out for duplicates. The Brick’s accounting system was able to identify and reject duplicate bank account numbers. If your accounting system does not have this capability, generate Excel reports or use other means to identify duplicate account numbers and investigate further. One variant of payroll or accounts payable frauds, especially when perpetrated by accounting personnel, involves depositing payments for several employees or vendors to a single bank account. Particularly in payroll, this is a clear red flag because employees do not usually share bank accounts.
- Suppliers should follow up on outstanding payments. Toshiba’s timely follow-up on overdue invoices likely saved The Brick from further losses. Timely follow-up may also protect the innocent supplier from whom payment was re-directed. If the debtor organization suffers significant scamming losses, it may not recover and may become bankrupt or insolvent. If so, the innocent supplier may have no recourse but to absorb the losses.
- Read insurance policies carefully—they may not cover what you think they do. Cyber liability policies typically offer better coverage than a general liability or crime policy.
- Report scams to law enforcement. In the above case, the scam was part of a broader scheme involving someone in Winnipeg and Dubai. Report scams to provide law enforcement with better intelligence to combat cyber crimes.
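As an added illustration of the email-domain and duplicate-account lessons above (not code from The Brick, Chubb or the original article), the following Python example holds a bank-detail change request when the sender's domain differs from the one on file or when the new account already belongs to another payee. The vendor names, domains, account numbers and field names are all constructed for the example.

```python
from collections import defaultdict

def normalize_account(raw):
    """Strip spaces, hyphens and other separators so formatting cannot hide a match."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()

def sender_domain(address):
    """Return the lowercased domain of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].strip().lower() if "@" in address else ""

def shared_accounts(payees):
    """Map each bank account used by more than one payee to those payees."""
    owners = defaultdict(set)
    for p in payees:
        owners[normalize_account(p["account"])].add(p["name"])
    return {acct: sorted(names) for acct, names in owners.items() if len(names) > 1}

def review_bank_change(request, payees):
    """Return the reasons a bank-detail change must be held for call-back verification."""
    vendor = {p["name"]: p for p in payees}.get(request["vendor"])
    if vendor is None:
        return ["UNKNOWN_VENDOR"]
    flags = []
    domain = sender_domain(request["from"])
    expected = vendor["email_domain"].lower()
    # Accept only the on-file domain or one of its subdomains.
    if domain != expected and not domain.endswith("." + expected):
        flags.append("SENDER_DOMAIN_MISMATCH")
    new_acct = normalize_account(request["new_account"])
    for p in payees:
        if p["name"] != request["vendor"] and normalize_account(p["account"]) == new_acct:
            flags.append("ACCOUNT_ALREADY_USED_BY:" + p["name"])
    return flags

# Constructed sample data (not taken from the case record).
PAYEES = [
    {"name": "Vendor A", "email_domain": "vendor-a.example", "account": "003-11111-2222222"},
    {"name": "Vendor B", "email_domain": "vendor-b.example", "account": "001-33333-4444444"},
]
REQ_1 = {"vendor": "Vendor A", "from": "controller@mail-relay.example",
         "new_account": "003 55555 6666666"}
REQ_2 = {"vendor": "Vendor B", "from": "ap@vendor-b.example",
         "new_account": "00355555-6666666"}

if __name__ == "__main__":
    print(review_bank_change(REQ_1, PAYEES))
    PAYEES[0]["account"] = REQ_1["new_account"]  # first change applied, as in the case
    print(review_bank_change(REQ_2, PAYEES))
    PAYEES[1]["account"] = REQ_2["new_account"]  # what the report shows if both went through
    print(shared_accounts(PAYEES))
```

An empty result means only that neither check fired; the call-back to the contact details already on file still applies to every change request.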
The Brick was relatively lucky. It could have been worse. One university recently lost almost $10M in a phishing scam. (See http://time.com/4924461/macewan-canadian-university-loses-10-million-email-phishing-scam/ and www.bbc.com/news/world-us-canada-41116177).