Google and Facebook Lose $100 Million to Phishing Scammer

April 28, 2017

A December indictment by New York federal prosecutors did not name the two large IT companies that were hit for a total sum of $100 million in an online scam; they were simply named Victim 1 and 2 in the federal charges document.

The federal charging document stated that the first victim company was ‘a multinational technology company, specializing in internet-related services.’ The other company was ‘a multinational corporation providing online social media and networking services.’

The indictment also noted that both of the companies are in the US and both had done large, multimillion-dollar transactions with a computer hardware maker based in Asia.

However, a recent investigation by a media organization has discovered that the two companies were Google and Facebook.

Fortune magazine reported this week that a 40-year-old Lithuanian by the name of Evaldas Rimasauskas allegedly was behind a plot to defraud both Facebook and Google of millions of dollars.

Fortune reported that the Justice Department found that the man had faked email addresses, invoices and corporate stamps to impersonate the manufacturer in Asia with whom both companies did business regularly. The idea behind the plot was to get both companies to pay for computer supplies. It worked.

Over a two-year period, the fraudster convinced Google and Facebook accounting departments to transfer tens of millions of dollars. By the time the companies had caught on to the scheme, they had made payments of more than $100 million. He took that money and put it in bank accounts in eastern Europe.

Police in Lithuania got a warrant and placed the man under arrest last month. According to US Attorney Joon H. Kim, this fraud case should be a warning to all companies that they can be targeted by cyber criminals for millions of dollars in losses. Such cyber attacks can occur even on the largest companies.

Rimasauskas is facing extradition from Lithuania and is denying the allegations. His attorney stated that his client will not be able to get a fair trial in the US.

The uncertainty about the case, the lawyer said, is growing because the FBI acted inappropriately when they interrogated Rimasauskas. The attorney says that the federal agents threatened him with decades in prison. He also said that some of his computers were transferred into law enforcement hands without the owner being present.

Agents allege that Rimasauskas registered and incorporated a firm in Latvia with the same name as the hardware firm in Asia. Then, with email addresses that were made to look like they came from the company in Asia, he sent employees of Facebook and Google bills for goods and services.

The Taiwanese company Quanta Computer was the company in Asia that the scammer was impersonating.

Google and Facebook stated to Fortune that they were the companies that were targeted. Google stated that it had gotten the funds back, and Facebook also stated that it had gotten most of the funds back shortly after the alleged crime occurred.

The alleged crimes have raised questions about whether the firms should have reported the scam to their shareholders. Beyond the initial loss of funds, concerns about internal controls over company funds are legitimate and could be a worry to people owning stock in the company.

Google and Facebook have not explained at this time why they did not report to their investors that the alleged crimes had occurred.

Google has only stated that it had detected that the fraud had occurred against the vendor and promptly reported the matter to the FBI. It also noted that the funds were recouped and it was glad that the matter was resolved.

Facebook simply stated that it had recovered most of the funds after the incident happened and it has been cooperating with law enforcement throughout the investigation.

Cyber security experts stated last month that sometimes staff at large companies think they are protected from cyber crime with various online security systems in place. They also may feel as if security is not part of their job description.

However, they note that real human beings are often best at detecting fraud.

There have also been cases where phishing attempts used the hacked email accounts of senior staff to convince other employees that a request to wire large sums of money was legitimate.

They also note that phishing scams are getting ever more sophisticated and common. For example, CEO fraud occurs when the executives of a company are impersonated by scammers.

A fake request from a CEO for funds to be wired is usually very time sensitive and is often timed for the end of business hours, which makes the request hard to verify. These attacks may take advantage of events that have been publicly reported, such as a merger. In such cases, there could be some internal uncertainty and flux that makes it easier for fraudsters to be seen as legitimate.