Previously, in Cover to Cover | Issue 31, we reported on the various types of insurance claims that may arise from events of cyber fraud. To recap, there are four major categories:
Cyber insurance
This is the most obvious cover, as it is specifically intended to cover losses resulting from malicious cyber-attacks. However, some cyber policies do not provide cover for losses stemming from non-malicious outages, or actions by authorised users such as misdirected payments – a key source of cyber fraud loss.
Professional indemnity insurance
While professional indemnity insurance is increasingly subject to cyber exclusions or limits, particularly in the London market, where it is not, it provides useful cover for liabilities to customers or other third parties resulting from negligence or another breach of professional duty resulting from a cyber event that could have been avoided.
Fidelity or crime insurance
This cover generally protects policyholders from losses due to dishonest acts such as fraud or theft. Some policies may extend protection to losses resulting from cyber-fraud perpetuated by employees or third parties. However, this cover also often falls short of protecting against losses originating from non-malicious cyber failures.
Statutory liability insurance
This cover can be relevant if a policyholder is found to be in breach of regulatory obligations, such as privacy laws, as a result of a system outage or data loss from a security breach. Statutory liability insurance can help cover legal costs and penalties associated with a breach.
Cyber events can therefore result in a complex web of insurance claims. A single cyber event, such as a breach of an email system that enables a fraudster to instruct an insured’s employees to misdirect payments of customer funds to a fraudster’s account, can result in:
- A cyber insurance claim for the costs of the IT work required to identify and remedy the breach (and possibly for the liability to the customer for their funds, but that liability is often excluded or heavily sublimited).
- A professional indemnity insurance claim for the liability to the customer for the loss of their funds and possibly consequential losses.
- A fidelity or crime insurance claim, depending on who the perpetrator was.
- A statutory liability claim if the payment resulted in a regulatory breach by the company.
Insurers have an obvious interest in following developments in cyber-crime, because they need to understand the developing risks and costs of cyber attacks of all types with a view to their future claims exposure. Insurers have increasingly moved to introduce exclusions and sublimits to control their exposure to cyber risk.
A recent decision of the High Court of England and Wales, Logix Aero Ireland Limited v Siam Aero Repair Company Limited [2025] EWHC 1283 (KB), is a useful update and reminder of the cyber risks and losses that are increasingly occurring, and that result in disputes and claims affecting insurers. It is an example of a fraudulent misdirected payment scheme, one of the most costly and damaging types of cyber fraud.
Misdirected payments
In this case, the parties negotiated the sale and purchase of two aircraft engines by email, only to find that a fraudster had inserted themselves into their email correspondence and caused the payment of the purchase price to be misdirected.
The parties signed Letters of Intent (LOIs) in relation to the sale and purchase of aircraft engines which were, in part, conditional on their executing sale and purchase agreements (SPAs). The SPAs were negotiated via email. Emails from Logix (the buyer) were sent from a “@logic.aero.com” domain, while emails from Siam (the seller) were sent from a “@siam-aero.com” domain. Once negotiations were well under way, however, a third-party fraudster inserted itself into the email correspondence by setting up similar fake domains under “@logic.aero.co” and “@siam-aero.co”.
Using these fake domains, the fraudster interposed themselves into the parties’ emails at crucial points of the negotiations, including correspondence concerning updated versions of the LOIs and the terms of the SPAs. The fraudster cleverly copied in the genuine email addresses of all recipient parties but substituted the email addresses of all sender parties with those of the fake domains, making it difficult to identify that the manipulated email correspondence was not genuine. The flow of emails was, in short, Logix > the fraudster > Siam and vice versa. All communications therefore went via the fraudster, without the knowledge of either party. Through this sophisticated setup, Logix and Siam believed that they were dealing directly with one another.
During this process, the fraudster intercepted correspondence containing an updated draft of the SPAs, substituted its own bank account details for Siam’s, and sent the altered versions of the SPAs to Logix. Logix, having no reason to suspect fraud up to this point, then followed the payment instructions in the amended SPAs and unknowingly deposited its payment into the fraudster’s bank account. This meant that while Logix had paid, Siam had not received the purchase price.
An unusual feature of this fraud was that the parties never signed the same SPAs. The fraudster ensured that the SPA that Siam saw and signed had the correct bank details – it was only Logix that saw and signed the version with the fraudster’s account details. This made it difficult for Logix to argue that it had paid the purchase price in accordance with the terms of the SPAs, although it did claim that it had paid the purchase price.
It never became clear how the fraudster had become aware of the transaction. Neither of the parties’ IT systems showed any sign of being compromised.
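The following Python check is an added example, not part of the original article or of the judgment. It illustrates the control a business on the receiving end of correspondence like that described above could apply: compare the domain of every inbound From and Reply-To address against the counterparty domains it has verified out of band, and hold for manual verification anything that is a near-miss of a trusted domain (a dropped “m” in the TLD, a one-character substitution). The trusted-domain list, the sample messages and the distance threshold are constructed assumptions for the example.

```python
"""Lookalike sender-domain check for counterparty email (added example).

Flags inbound addresses whose domain is not on the verified list but sits
within a small edit distance of one that is, which is exactly the shape of the
"@siam-aero.co" / "@siam-aero.com" substitution described in the judgment.
"""
from email import message_from_string
from email.utils import parseaddr

# Domains the business has verified with its counterparties out of band.
# Constructed sample values for this example; they echo the domains named in
# the judgment but stand in for whatever a real payment team would maintain.
TRUSTED_DOMAINS = {"logic.aero.com", "siam-aero.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if there is none)."""
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return ""
    return email_addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near-miss of a trusted domain) or 'unknown'."""
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "unknown"


def check_message(raw: str) -> dict:
    """Classify the From and Reply-To domains of a raw RFC 5322 message.

    Any lookalike domain sets hold_for_verification, the signal for a payment
    team to confirm the instruction by a channel other than email.
    """
    msg = message_from_string(raw)
    result = {}
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value:
            dom = sender_domain(value)
            result[header] = (dom, classify_domain(dom))
    result["hold_for_verification"] = any(
        verdict == "lookalike" for _, verdict in result.values()
    )
    return result


# Constructed sample messages (not real correspondence). The first mirrors the
# pattern in the judgment: genuine recipients copied in, sender on a fake domain.
SAMPLE_FRAUD = """From: Sales <sales@siam-aero.co>
To: purchasing@logic.aero.com
Subject: Updated SPA - revised bank details

Please find the updated SPA attached.
"""

SAMPLE_GENUINE = """From: Sales <sales@siam-aero.com>
To: purchasing@logic.aero.com
Subject: Updated SPA

Please find the updated SPA attached.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("genuine", SAMPLE_GENUINE)):
        print(label, check_message(raw))
```

An address on an unrelated domain the fraudster registered outright comes back as "unknown" rather than "lookalike", so a first-contact counterparty domain should trigger out-of-band verification by policy, not by string distance alone; and a threshold of 2 can flag legitimately similar short domains, which is the reason the check holds a message for review rather than rejecting it.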
Logix’s case
Once the parties discovered the fraud, Logix made a claim against Siam, seeking declaratory relief, damages and/or delivery up of the engines. Siam, naturally, had declined to deliver the engines until it was paid. In particular:
- Logix sought declarations from the Court that the two engines were its property and that it had paid the contract price for them. It sought delivery of the engines.
- The claim also referred to a confidentiality clause in the LOIs and alleged that it was within the parties’ contemplation that disclosure of confidential details of the sale process to a third party might allow a fraudster to divert payment to itself, and that this clause was breached when Siam unwittingly provided confidential information to the fraudster. Logix claimed, in the alternative, that Siam placed the fraudster in a position which carried with it the usual authority to negotiate and execute the SPAs on its behalf, such that the fraudster had apparent authority to do so. On this basis, Logix claimed that Siam was bound by the terms of the SPAs that Logix had signed with the fraudster’s account details, albeit Siam had never seen those SPAs.
Siam applied to strike out Logix’s claim and sought defendant summary judgment in the alternative. The Court granted Siam’s application for strike out. This was on the basis that:
- Logix’s argument that a binding SPA was entered into was dependent upon the proposition that the fraudster acted with Siam’s apparent authority. However, the Court was satisfied that Siam did not make any representations that another party was authorised to act on its behalf. Logix believed it was corresponding with Siam, not an agent, and enabling an agent to commit fraud does not give rise to apparent authority even if negligence was involved. The concept of apparent authority does not apply to imposters.
- The Court considered the pleaded confidentiality claim to be “highly artificial”, with no realistic prospect of success. The fraudster caused Logix’s loss, not the disclosure of confidential information.
- Logix also claimed that Siam owed a duty of care, arising under an implied term of the LOIs or in tort, to take reasonable precautions for the security of its computer and email systems. The Court referred to this claim in the judgment but did not address it separately in its reasoning, instead addressing it along with the claim for breach of confidentiality. The claim would not have succeeded separately in any event because there was no evidence that Siam had failed to take reasonable care.
The Court therefore ordered Logix's claims to be struck out.
The Court also passed comment upon Logix’s original claim, which it later abandoned, that Siam was involved in the fraud itself, and had obtained preliminary seizure orders over the engines for a time. Unfortunately, Logix had overstepped the mark by implying that Siam had been involved in the fraud, as there was no evidence of this. While Logix did not accept that it had accused Siam of fraud in its own capacity, the Court expressed a view that its original claim was objectionable because there was no proper basis to plead fraud.
With no claim against Siam, and with the funds having disappeared from the fraudster's bank account, Logix was left without recourse for the losses that it suffered as a result of its misdirected payment.
Our view
This decision provides some reassurance to insurers that claims arising from fraudulent misdirected payments, that could potentially come within either cyber policies or professional indemnity policies, are likely to face challenges where it is unclear – as it often is – how the fraudster gained access to the information that enabled them to impersonate one or both parties. Indeed, attempts by the defrauded party to blame the other party may result in heavy criticism by the Court.
The case is also a useful reminder of the importance of vigilance and robust verification processes when entering into agreements using email or other online communications, and, critically, when making payments to third parties.
Insurers may wish to examine in more detail the processes that insureds have in place to protect against impersonation fraud, where it is more sophisticated than the usual form in which a fraudster sends an email requesting that a payment be made to a different bank account. Insurers may wish to consider whether insureds have adequate processes in place for:
- signature of contracts, using a secure third-party e-signature service with advanced identity verification, to ensure that all signatories have been thoroughly verified before proceeding to payment; and
- two-step verification of payments, even where the account details are contained within an agreement.
This article was co-authored by Raksha Tiwari, a Solicitor from our Litigation team.