Even the most tech savvy companies in the world can fall for business email compromise.
A Lithuanian man has this week pleaded guilty to tricking Google and Facebook into transferring over $100 million into a bank account under his control after posing as a company that provided the internet giants with hardware for their data centers.
Fifty-year-old Evaldas Rimasauskas registered and incorporated a company in Latvia with the same name as Quanta Computer, a Taiwan-based electronics manufacturing giant that which been operating since the 1980s.
Knowing that Facebook and Google used Quanta’s technology in their data centers, Rimasauskas sent emails to the firms claiming to come from Quanta with forged invoices and fraudulent contracts.
All of the messages were designed to create the false impression that they had been sent by employees and agents of Quanta but had – of course – not been authorized or sent by them at all.
Through this subterfuge, Rimasauskas successfully managed to deceive the technology giants into wiring payments into bank accounts he had set up in the bogus company’s name in Cyprus and Latvia. Upon receipt, the funds would be quickly transferred into other bank accounts at various locations around the world including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.
Rimasauskas was arrested by Lithuanian authorities in March 2017 and was extradited to the United States eight months later.
At the time of his arrest, Quanta confirmed it had been impersonated by the fraudster but said that it had suffered no financial harm itself.
In a statement issued at the time of Rimasauskas’s arrest, Quanta described the matter as “unfortunate.”
I’m not sure that Google and Facebook who lost $123 million through the scam would find “unfortunate” to be a satisfactory way to describe their being targeted in this way, but it is worth remembering that the real Quanta Computer was also an innocent party in this affair.
Rimasauskas, of Vilnius, Lithuania, admitted the offences in a New York Court on Wednesday and now faces up to 30 years in prison.
“As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece U.S. companies out of $100 million, and then siphoned those funds to bank accounts around the globe,” said Manhattan U.S. Attorney Geoffrey S. Berman. “Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.”
Rimasauskas is scheduled to be sentenced on July 24, 2019.
Google and Facebook are just two of the many organizations in recent years to have been targeted by business email compromise (BEC) attacks.
BEC attacks can range from scammers pretending to be a company’s CEO ordering money be transferred to more sophisticated frauds where criminals spy upon communications to learn about a firm’s suppliers and contractors and try to fool finance departments into paying out large amounts of money. Recent research has even suggested that some online criminals are offering BEC-as-a-service, offering hacked business accounts for as little as $150.
In June 2016, the FBI reported that companies had been stung to the tune of US $3 billion as a result of business email compromise attacks. This figure has surely risen significantly as criminals have recognized just how much money can be made from these attacks.