Last year, I published a blog on a social engineering cyber scheme that resulted in Quality Plus Services, Inc. losing $1,633,018.00 to fraudsters. QPS reported the loss to its insurance carrier, who denied the claim. QPS then filed a lawsuit against the carrier in Virginia Federal Court.
Recently, the parties filed competing motions asking the federal judge for a quick ruling on whether there is commercial crime coverage for the loss.
The Sequence of Events
Rather than analyze the legal arguments that parse the interpretation of insurance language; we should focus on QPS's description of events that reads like an international cyber crime novel.
Aaron Gay is the founder, President, and Operations Manager of QPS, an industrial construction company headquartered in Petersburg, Virginia with regional offices across the country. He has final approval for all QPS invoices and decides who has authority to handle wire transfers. Those with authority included QPS accounting personnel, Lynne Mann and Hannah Stalnaker.
Between December 19, 2017, and January 4, 2018, unknown parties impersonated Mr. Gay and sent five separate email instructions to Ms. Mann, demanding five separate immediate wire transfers totaling $1,633,018.
Of course, Mr. Gay did not send the emails and they didn't come from his email account. Four of these five emails were from aarong1@qpsisisbest.com. A subtle difference to Mr. Gay's real email address, aarong1@qpsisbest.com.
qpsISbest (right)
qpsISISbest (wrong)
Without a doubt, Ms. Mann had complete trust in the email and thought she was corresponding with Mr. Gay. Oblivious to the scheme, she initiated the wires with QPS's bank. Ms. Stalnaker approved four of the five transfers.
The first two fraudulent emails on December 19 and December 27 directed wire transfers to Banco Regional de Monterrey in Mexico for $92,000 and $97,384.
The three subsequent fraudulent emails on December 29, January 3, and January 4 provided wiring instructions for three different banks in Hong Kong for $372,018, $558,623 and $512,993.
(So now we have a sophisticated cyber scheme linked to Mexico and Hong Kong, with multiple bank accounts.)
QPS discovered the fraudulent transfers for the first time on the afternoon of January 4, 2018, and took immediate steps to recover the funds.
It's no surprise that QPS conducted an internal investigation and found no evidence that any QPS employee was knowingly involved in the fraud.
QPS reported the theft to the local police, the FBI and the U.S. Secret Service, and had meetings with the different law enforcement agencies.
Shortly after, QPS learned that the Hong Kong account connected with the January 3 wire transfer was successfully frozen with a balance remaining in the account. Unfortunately, there were other victims claiming rights to the same account.
(So, now we have multiple victims falling for the same scheme. Makes you wonder: Who and how much?)
QPS was forced to engage Hong Kong counsel and spent the remainder of 2018 litigating in Hong Kong courts over who is entitled to the funds. QPS was able to recover $411,304.69.
And, now, QPS is asking the insurance carrier to pay for the remaining loss.
Juicy But Common Facts
QPS tells a tale that is becoming all too common. Spoofed email accounts; unsuspecting employees; international bank accounts; law enforcement being notified after most of the money is unrecoverable; and an insurance company disputing coverage.
What is the lesson? I'll hold my opinion until after the Court renders a decision.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
Phishing emails and text messages may look like they're from a company you know or trust. They may look like they're from bulk mail tester a bank, a credit card company, a social networking site, an online payment website or app, or an online store.