A Texas steel assembler inadvertently submitted $870,000 in two payments intended for a manufacturer to a bank account that was controlled by cyber crooks, who not only spoofed emails but also impersonated the manufacturer’s CFO in a phone call, a recent lawsuit revealed.
None of the funds were recovered.
The 2023 crime information was included in Rockdale, Texas-based Perry & Perry Builders’ breach-of-contract lawsuit in federal court in Waco, Texas, against Cowbell Cyber Inc, which had provided a cyber risk insurance policy. The erector requested an additional insurance claim payment of $250,000 over and above the $250,000 paid by the insurer.
A federal judge ruled in Cowbell’s favor on March 9 and dismissed the steel fabricator’s motion, potentially ending the lawsuit.
Perry & Perry had argued in its lawsuit that the payments, made just minutes apart, constituted two separate instances under the policy, each qualifying for a $250,000 limit. Cowbell claimed that the payments were a one-time occurrence and that $250,000 was the maximum total owed for any type of loss under the policy.
Both companies sought summary judgment on the issues before Judge Leon Schydlower, who ruled in Cowbell’s favor, stating that the policy language clearly established a sublimit of $250,000 for all instances within the policy’s term “for this type of ‘social engineering’ diversion of funds.”
The policy “limits what defendants must pay at $250,000 all of Perry’s cyber losses during the policy period, regardless of the number and value of each such loss,” Schydlower wrote in denying Perry’s motion.
Looking for quick answers on construction and engineering topics?
Try Ask ENR, our new intelligent AI search tool.
Ask ENR →
Cybercriminals have found a lot to like about busy construction offices and payment practices. Fraud schemes are sometimes classified as business email compromise and sometimes as social engineering.
The average loss from such email-based fund diversion fraud across all industries in 2024 is less than $175,000, NetDiligence research showed. But many are well above the average cost and claim payout limits set by insurers trying to limit their own risks.
In many of these policies, crucial sublimits, an amount less than the total policy limit tied to a specific peril or type of loss, are sometimes less than the loss.
In Perry & Perry Builders, the issue was whether there were separate payments and whether a cap on the total payment applied to both.
The ruling, made in response to motions for summary judgment by each of the parties to the lawsuit as a way to bring the matter to a conclusion without a long, drawn-out trial, appears to end the litigation.
Details of the fraud scheme are found in Perry & Perry Builders’ motion.
On December 19, 2023, a person claiming to be the CFO of manufacturer Alamo Structural Steel sent an email to Perry & Perry’s office manager. In the email, the alleged CFO of the Waco manufacturer informed Perry & Perry’s office manager that his company would no longer accept paper checks, requested electronic payments and provided bank information.
The office manager did not automatically transmit the funds. He called a phone number provided in the fraudulent emails to verify the information and spoke with one of the scammers, who posed as Alamo Steel’s chief financial officer, according to Perry & Perry Builders.
Funds were transmitted in separate payments for only a minute or so.
