The $2 Million Phish

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C.

Earlier this year, the Tokyo fish market grabbed headlines when a blue fin tuna sold for a record $3 million. Less well publicized was a phish that reeled in $2 million for fraudsters from the city of Farmington, Connecticut in 2016.

News stories about cybersecurity incidents involving phishing are routine. However, just because phishing schemes are a well-known attack vector does not lessen the risk that organizations face from these schemes. The town of Farmington, Connecticut learned that lesson when city coffers lost over $2 million to fraudsters.

The scheme began like so many others covered by this blog. Fraudsters sent a key town employee emails disguised so they appeared to come from a vendor for an ongoing sewer project. Fraudsters convinced the employee to send electronic funds transfers worth $2,042,448 to fraudsters. The employee thought the funds were going to pay off the town’s real vendor. The town discovered the fraud when the real vendor inquired about its unpaid invoices. The town was only able to recover $891,386 from intermediary banks.

The town submitted a claim for over $1 million to its insurer under a computer and funds transfer fraud coverage clause. Argonaut, the insurance company, denied the claim. The town then filed a lawsuit against the carrier and its insurance agent. The town disputed the insurance company’s claim that the policy did not provide coverage, and argued that if the insurance company was right then the insurance agent should be liable for failing to inform the town about coverage limits.

On December 27, 2018, the Connecticut state court issued a preliminary ruling dismissing the town’s claim that the insurance agent owed the town a fiduciary duty. The court explained that simply because a professional possesses greater expertise in a particular area does not necessarily create a fiduciary duty. The insurance agent could, however, still be liable under the town’s negligence and breach of contract theories. Moreover, the insurance company could still be liable to cover the losses.

This case is yet another example of the risks involved with purchasing insurance for cyber-incidents. This blog has covered numerous cases involving disputes between insureds and their carriers after phishing attacks. These cases demonstrate that organizations need to look beyond the word “cyber” in a policy’s name to determine if the policy actually covers the organization’s risks. Organizations should make sure to work with a knowledgeable insurance agent when purchasing “cyber” insurance, or have knowledgeable legal counsel review existing policies for potential gaps in coverage. The town of Farmington, Connecticut will no doubt do so after its $2 million phish.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising

Written by:

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.