Many businesses have been hoodwinked by hackers who forge new payment instructions and email them to customers for payment. The customer pays the hacker's account, the hacker takes the money, and the seller is out of pocket for the loss unless the parties settle; there is very little case law about whether and how such losses should be shared. If a customer does not check the payment instructions and verify them by a second (non-email) method, the losses can be large.
In a twist on those facts, a company in Pennsylvania lost $1.4M when its bank distributed funds from its account on the basis of fraudulent wire transfer instructions bearing the forged signature of a company officer. The insurer refused coverage, saying the policy only applies to forged checks and other instruments. The insured did not carry "funds transfer fraud" coverage. A court this week ruled in favor of the insurer.
The moral of the story: ask your insurer what your crime, fraud, and cyber coverage actually cover, and talk with your employees about payment and disbursement authorizations. The scenario of a "business email compromise," whereby a hacker impersonates or infiltrates the email account of a seller's accounts payable personnel, is new. The actual forging of an officer's signature and sending it to a bank is more sophisticated, and potentially much more costly. Either way, be sure you understand your coverage -- and be sure to instruct your company personnel not to make payment changes on the basis of unverified written/emailed instructions.