A new decision from a Mississippi federal court highlights how subtle limitations in policy wording may restrict the types of fraudulent transactions covered by a social engineering insuring agreement. In Gore, Kilpatrick, & Dambrino, LLC v. Spinnaker Insurance Company, the insured was left without coverage when the U.S. District Court for the Northern District of Mississippi held that a cyber policy’s social engineering endorsement covered fraudulent payments only to an imposter posing as an existing client of a law firm, and not as someone with whom the policyholder had never done business.
The Fraudulent Client
On May 23, 2024, a man representing himself as David Casteel with Brooks Machinery, Inc. contacted the Mississippi law firm Gore, Kilpatrick, & Dambrino. This “Mr. Casteel” needed help collecting a $158,850 debt owed to Brooks Machinery by Mid-Delta Equipment, LLC. Gore and “Mr. Casteel” then entered a fee agreement for Gore to collect the debt. Unfortunately for Gore, however, “Mr. Casteel” was not the real David Casteel — he was an imposter. This imposter did not represent Brooks Machinery, and there was no $158,850 debt owed by Mid-Delta. The entire engagement — the client, the debtor, the debt itself — was a fabrication.
Two days after entering the fee agreement, Gore received a letter allegedly from Mid-Delta enclosing a check for the $158,850 “debt.” By phone and email, the imposter “Mr. Casteel” directed Gore to deduct its fees from the sum and wire the balance to him. Gore promptly did so, wiring $158,425 to the fraudster. The check, of course, then bounced.
An Insurance Gap Revealed
The law firm sought coverage under a Social Engineering Coverage Endorsement to its cyber policy, which provided coverage for incidents in which an imposter sends a fraudulent instruction “purporting to be from . . . a natural person or entity who exchanges, or is under contract to exchange goods or services” with the insured. The insurer denied coverage, arguing that for there to be coverage, the impostor must be posing as an existing client of the insured, rather than a new client.
The court sided with the insurer, reasoning that the real David Casteel “is not a person who exchanges or is under contract to exchange goods or services with Gore for a fee, because he is not and has never been Gore’s client.” That is, for coverage to apply, the imposter must be impersonating someone who already has a legitimate business relationship with the insured. Here, there was never a legitimate contract between Gore and the real David Casteel for the fraudster to impersonate. As the court held, “the instruction to transfer money cannot have been sent by an imposter purporting to be a client if the individual giving the instruction is the client” (emphasis in the original). In other words, the policy contemplated a three-party scenario: the insured, a real counterparty, and an imposter pretending to be that counterparty. Where the fraudster is the only “counterparty” who ever existed, there was no impersonation, and the endorsement did not apply.
Key Takeaways for Policyholders
- Social engineering endorsements may not cover fabricated relationships.
  The Gore decision turns on a distinction that many policyholders may not have considered: the difference between a fraudster who impersonates an existing client or vendor and one who fabricates a new relationship entirely. Many social engineering endorsements — like the one at issue here — are written to cover only the former scenario. Enterprises that regularly onboard new clients or vendors are particularly exposed to this gap, because the very nature of their business requires them to bring in unfamiliar counterparties.
- Not all social engineering endorsements are created equal.
  Reasonable minds can disagree with the court’s reading of the endorsement in this case — and this blog does. But regardless of whether the decision was correct, it was avoidable. Social engineering endorsements are available in the market that lack the limiting “purporting to be from” language present in Gore’s policy. Policyholders should carefully review the specific definitional language in their endorsements.
- Client vetting remains a critical safeguard.
  The fraudsters in this case exploited one of the most routine aspects of a law firm’s operations: taking on a new client. Standard social engineering safeguards — multi-factor authentication, independent verification of payee information, and callback procedures using independently sourced contact information — are especially important when dealing with new and unverified counterparties.
Conclusion
The Gore decision shows how the precise language of social engineering insurance is crucial to the scope of coverage. This case underscores that social engineering coverage must be carefully vetted to ensure that policy definitions are broad enough to match a policyholder’s real-world exposures. Organizations that regularly bring in new clients or vendors are at particular risk of being defrauded by a new sham relationship — and thus falling within the coverage gap exposed by this decision.