The phishing swindle that conned $100 million out of Google and Facebook

Imagine this.

You work in the finance department of a large US-based company. You have a number of manufacturers and service providers based around the world who you regularly do business with. It’s not unusual for you to receive invoices from the companies for the services or goods that they have supplied to your firm.

If your company really has received those goods and services, you wouldn’t feel too bad reabout paying up, right? Well, perhaps you should be on your guard…

It is alleged that 48-year-old Evaldas Rimasauskas managed to trick Facebook and Google into wiring him over $100 million, after impersonating genuine Taiwanese electronics manufacturer Quanta Computer.

Details of the case had previously been released by the US Department of Justice, but without naming the names of the companies concerned.

However, hints were dropped as to who the victims might have been: a “multinational technology company, specializing in Internet-related services and products”, and “a multinational corporation providing online social media and networking services.”

Quanta acknowledged that it been the victim of impersonation by a fraudster in March, and now a new investigation by Fortune has revealed that companies targeted by the alleged fraud included Facebook and Google.

Rimasauskas allegedly registered and incorporated a company in the same name as Quanta Computer, and sent fraudulent emails to Facebook purporting to come from the legitimate Quanta Computer firm.

The phoney emails are said to have directed that Facebook owed the bogus Quanta under Rimasauskas’s control for legitimate goods and services that the real Quanta had provided, and that payment should be made to bank accounts run by the fraudster in Latvia and Cyprus rather than Quanta’s genuine bank accounts in Asia.

According to the US Department of Justice, Rimasauskas went to some effort to make his fraudulent activity look normal to Facebook:

“Forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, were used in furtherance of the fraudulent scheme orchestrated by Evaldas Rimasauskas, the defendant. Rimasaukas caused these fraudulent documents to be submitted to banks in support of the large volume of funds that were being transmitted via wire transfer into the [Facebook] bank accounts.”

Rimasauskas is said to have continued to defraud his corporate victims between 2013 and October 2015.

Facebook says that it has managed to recover most of the money that it had lost:

“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation.”

And Google confirmed (surprise surprise) that they were the other business that had been fallen victim of the audacious fraud:

“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.”

Rimasauskas has been charged with wire fraud, money laundering and aggravated identity theft.

This case, and the rise of CEO fraud (also known as business email compromise), act as a salutary warning to all businesses that criminals may be attempting to defraud tens of millions of dollars out of your bank accounts. Attacks don’t need to involve hacking vulnerabile servers or planting malware. Sometimes the mechanism an attacker will use will be facilitated by the tried-and-trusted tools of fraud, aided by insufficient processes and the anonymity of the internet.