Digital security is a matter of personal responsibility, but for a determined and resourceful con artist, even the tightest of securities can be spoofed. Just ask Google and Facebook.

The two tech companies fell prey to a phishing scam that managed to steal over $100 million. A Lithuanian man was indicted for impersonating a company that did bogus business with two then-undisclosed companies, which turned out to be Facebook and Google.

'A Fraudulent Scheme'

In March, the U.S. Department of Justice charged a Lithuanian man named Evaldas Rimasauskas "for orchestrating a fraudulent business email compromise scheme that induced two U.S.-based internet companies." The identities of the two tech companies, Facebook and Google, were revealed in an exclusive report.

When the court decision came down, the identities of the companies were wrapped in mystery. However, the U.S. DOJ dropped some hints in its description of the victims in its official press release. One company (Victim-1) was described as a "multinational technology company, specializing in internet-related services and products, with headquarters in the United States."

The other company (Victim-2) was as "a multinational corporation providing online social media and networking services" also based in the United States. The report said that multiple sources identified the social media company as Facebook.

When reached for a comment, Facebook admitted that it was a party to the fraud case, having sought help to recover the money stolen from them.

"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," said Facebook in an email response.

Google, for its part, also acknowledged that it too fell victim to the phishing scam. The company admitted that it "detected this fraud against our vendor management team." The company immediately alerted the authorities.

The Scam

In 2013, Rimasauskas used an elaborate scheme that he ran for two years. He first spoofed the identity of an "Asian-based computer hardware manufacturer" that does regular business with Facebook and Google. This Asian company turned out to be Quanta Computer, a Taiwanese manufacturer.

Then he sent emails to "employees and agents of the victim companies," instructing them to transfer money to him as part of supposed business transactions. Quanta maintains bank accounts in Latvia and Cyprus, but instead of transferring to these accounts, he managed to divert it to his own bank accounts. The amount ballooned to over $100 million, which he stashed away in several accounts in countries such as Latvia, Cyprus, Slovakia, Lithuania, Hungary, as well as Hong Kong.

Moreover, according to the DOJ, Rimasauskas forged invoices, contracts, and letters that "falsely appeared to have been executed and signed by executives and agents" by the victim companies.

ⓒ 2021 All rights reserved. Do not reproduce without permission.