Scammer pleads guilty to fleecing Facebook and Google of $121m

Large, worldly tech companies would never fall for a wire transfer invoice scam, would they?

The truth is that any company can fall prey if the fraud is convincing enough – as shown by the case of 50-year-old Lithuanian, Evaldas Rimasauskas, who this week pleaded guilty to conspiring with others to fleece $121 million (£93 million) out of industry giants Facebook and Google.

Arrested in Lithuania two years ago, Rimasauskas orchestrated a phishing campaign, according to US authorities between 2013 and 2015, in which employees of the two companies were emailed spoofed invoices that appeared to come from Taiwanese computer maker, Quanta Computer.

The scammers even went as far as registering a company in Latvia under the same name to make the funds request look more plausible, as well as forging invoices using fake embossed corporate stamps.

In total, payments of $23 million from Google and as much as $98 million from Facebook ended up in banks accounts in Latvia and Cyprus, from where they were wired to bank accounts in Slovakia, Lithuania, Hungary, and Hong Kong.

The very thing that might normally arouse suspicion – the size of the invoices – was on this occasion what made them seem normal to two large companies that did regular business with the Asian supplier.

Just as small-time phishing scams are designed for the sort of person they hope to defraud, larger ones adopt the same tactic, but reconfigure them to fool the invoice departments at big companies.

Company A and Company B

An intriguing aspect of the case is that the prosecutors have still not named the companies involved, even now referring to them as “US-based internet companies (the Victim Companies).”

The fact that Facebook and Google were involved emerged in the press in 2017 after Rimasauskas’s arrest, with both companies eventually confirming their involvement. Google later said it had recovered all the scammed funds while Facebook said it recovered “most” of the money.

When he’s sentenced in New York on July 24th on the charge of wire fraud, Rimasauskas faces up to 30 years in jail. Manhattan Attorney Geoffrey S. Berman said:

Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but now faces significant time in a US prison.

Stay vigilant to email scams

Facebook and Google aren’t the only companies to fall victim to huge wire transfer scams.

Wire transfer fraud is just one of the ways that crooks attempt to part businesses from their money. To defend against email scams we offered some security tips for avoiding this kind of email threat:

• Revisit your outbound email filtering rules to prevent sensitive information from going out to inappropriate destinations.
• Require multiple approvals for overseas wire transfers.
• Have strict controls over changes in payment details or the creation of new accounts.
• Use strong passwords and consider two-factor authentication (2FA) to make it harder for crooks to gather intelligence from your network in the first place.
• Consider a “back to base” VPN for remote users so their online security is kept up, even on the road.
• Have your own “central reporting” system, in the manner of IC3, where staff can call in suspicious messages to prevent crooks trying different employees with the same scam until a weak spot is found.
• Think twice about publicly posting personnel information that could be abused in phishing attacks.

Published with permission from Sophos