Apache Corporation is an oil-production company based in Texas.Apache logoIn 2013, Apache was the victim of a Business Email Compromise (BEC). At the heart of the scheme was a spearphishing email that appeared to come from Apache’s vendor Petrofac Limited. Apache’s accounts-payable department received an email from “petrofacltd.com”. Unfortunately for Apache, Petrofac’s real domain is “pretrofac.com”. The criminals created “petrofacltd.com” to deceive Apache’s accounting personnel.

The deception worked and Apache paid $7 million according to the updated payment instructions received from “petrofacltd.com”. Unremarkably, the real Petrofac complained about not getting paid. An investigation was conducted which revealed the email fraud.

While some of the stolen money was recovered, $2.4 million was not recovered. Apache filed a claim for the  loss with its cyber insurance carrier, Great American Insurance Company.  On October 18, 2016, the United States Court of Appeals for the Fifth Circuit ruled that cyber insurance did not cover the email fraud. The Court found that the cyber insurance policy did not cover the Business Email Compromise loss because:

[T]he authorized transfer was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it.

No doubt, as the Court observed, Apache could have done a better job of investigating the new payment instructions. But Apache could have done something else — they could have used SP Guard to identify email from trusted business counterparts. With SP Guard the fake email address would have been seen as suspicious, helping unmask the deception.