A Travelers Cos. Inc. unit correctly paid a phishing claim under its crime policy’s social engineering fraud coverage and refused to pay under the policy’s computer fraud coverage, which offered much higher limits, a federal district court has ruled.

In March 2021 a still-unidentified bad actor emailed fraudulent invoices purportedly from a vendor to the purchasing manager of Eagen, Minnesota-based SJ Computers LLC instructing the company to make wire transfers to a bank account number that was different from the one the vendor had used in the past, according to Friday’s ruling by the U.S. District Court in Minneapolis in SJ Computers LLC v. Travelers Casualty and Surety Co. of America.

The bad actor then hacked into the purchasing manager’s email account and, impersonating him, forwarded the invoices to the company’s CEO for payment. 

The CEO left a message with the vendor, and after his call was not returned, approved payment, sending two wire transfers totaling $593,555.

After discovering the fraud, the company submitted a proof-of-loss statement seeking coverage under its crime policy’s social engineering coverage, which has single loss limit of $100,000, the ruling said. Travelers issued the company a $100,000 check, according to court documents.

Later, however, after apparently realizing it had up to a $1 million single loss limit under its computer fraud coverage, it revised its claim, seeking coverage under that provision, the ruling said.

After Travelers accepted coverage under the social engineering coverage but refused it under the computer fraud coverage, the company filed suit against the insurer, charging it with breach of contract and breach of duty of good faith and fair dealing.

The district court ruled in the insurer’s favor, describing the company’s arguments in favor of computer fraud coverage as ranging “from creative to desperate.”

“The policy clearly anticipates – and clearly addresses – precisely the situation that gave rise to SJ Computers’ loss, and the Policy bends over backwards to make clear that this situation involves social-engineering fraud, not computer fraud,” the ruling said.

The ruling adds that even if the company had been victimized by computer fraud, and met all the requirements of the computer-fraud insuring agreement, an exclusion that says the policy does not apply to losses resulting from “forged, altered or fraudulent” instructions would have precluded computer fraud coverage.

“SJ Computers desperately attempts to avoid this obvious conclusion and, for reasons that escape the Court, attempts to prolong a lawsuit that it is destined to lose,” the ruling said, in granting Travelers’ motion to dismiss the case.

Attorneys in the case did not respond to requests for comment.

In a comparable case, in July, the Illinois Department of Insurance filed suit against Hartford Financial Services Group Inc. and Munich Reinsurance Co. units in U.S. District Court in Chicago seeking recovery of $3.98 million stolen in a phishing scheme that targeted two auto insurers that are in receivership.

A status conference by telephone is set for Sept. 27 in that case.