Two tech companies who were victims of a $100 million payment scam have been revealed to be Facebook and Google.
According to an investigation by Fortune, Lithuanian Evaldas Rimasauskas allegedly forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.
Over two years, he is alleged to have convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.
Spokespeople for Google and Facebook this week confirmed that they were the victims in question. Facebook claimed that it “recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation”, while a Google spokesperson said: “We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved.”
Mark James, IT security specialist at ESET, said: “It’s a fact in today’s digital world that there is always someone trying to scam you. We fight it, we delete it, we even highlight it and use it to teach others what to look out for, but there is one thing humans are good at and that’s adapting. Most spam or phishing attacks end up a failure, but that’s the nature of these types of attacks they don’t all have to succeed.
“For us to be safe we have to detect or block 100% of those attempts but they only need to get one right. If someone puts their mind to doing something there is a good chance they will succeed, whether that’s education, business or foul deeds. The good thing about the latter is most of the time people get caught. This particular plan involved forging email addresses, invoices, and corporate stamps in order to trick some big companies into believing they are dealing with the ‘right’ company and handing over thousands, it just goes to prove that all companies large and small can be scammed.”
Lee Munson, security researcher at Comparitech, said: “Phishing or, more appropriately in this case ‘CEO Fraud’, poses a huge problem to organizations of all sizes. While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here.
“While current disclosure laws may not require the victims in this case to come clean about what happened - from a financial point of view - I certainly believe there is a public interest angle. Investors in technology firms have a right to know that the business is managing its systems and people in an effective way that minimises risks that can have a significant impact - and CEO Fraud is relatively easy to identify and avoid - especially in this case, where the scam was allowed to continue unchecked over a two-year period.”