Google and Facebook Victims of $100 Million Phishing Scam
More than a month after the U.S. Department of Justice charged a Lithuanian man in a $100 million phishing scam against two Internet companies, an investigation by Fortune has confirmed the victims' identities: Google and Facebook.
Between 2013 and 2015, the companies were reportedly fooled into wiring payments to accounts controlled by Evaldas Rimasauskas, 48, in the belief they were making payments to a legitimate supplier, Taiwan-based Quanta Computer Inc.
In its March 21 announcement of criminal charges against Rimasauskas, who was arrested and is being held in Lithuania, the Justice Department noted that "much" of the money stolen in the phishing scam had been recovered. However, it did not identify the two companies that had been scammed, describing them only as "a multinational technology company and a multinational online social media company." The announcement also did not name the Asian-based computer hardware manufacturer whose identity was impersonated.
'Pleased This Matter Is Resolved'
The mystery began unraveling after Reuters published an article on March 28 confirming that the Asian manufacturer was Taiwan-based Quanta Computer Inc. The article quoted a company spokesperson who acknowledged Quanta had been impersonated, but noted the company "did not suffer from any financial harm from this incident."
After speaking with a number of unnamed sources, including some "close to law enforcement," Fortune yesterday revealed the two tech firms that had been scammed were Google and Facebook. Both companies confirmed to Fortune that they had been fooled into approving illegitimate payments under the phishing scheme.
"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a spokesperson told Fortune in an email. Google also acknowledged it had been a victim. "We detected this fraud against our vendor management team and promptly alerted the authorities," a spokesperson told Fortune. "We recouped the funds and we're pleased this matter is resolved."
Email Schemes Cost U.S. Biz $263M in 2015
According to the Justice Department's March announcement about the phishing scheme, Rimasauskas reportedly registered and incorporated a company (identified as "Company-2") in Latvia with the same name as an Asian hardware manufacturer, since revealed to be Quanta. He allegedly then sent phishing emails to employees at the two targeted tech companies seeking payment for goods and services that had been legitimately provided by the real manufacturer.
"Through these false and deceptive representations over the course of the scheme, Rimasauskas, the defendant, caused the Victim Companies to transfer a total of over $100,000,000 in U.S. currency from the Victim Companies' bank accounts to Company-2's bank accounts," the Justice Department said in March.
Rimasauskas is now facing extradition to the U.S. His attorney told Fortune he doesn't believe his client can receive a fair trial in the U.S. and believes his rights were infringed on because law enforcement authorities have not publicly identified the names of the alleged victim companies.
"A spokesperson for the U.S. Attorney's office in Manhattan confirmed Rimasauskas is in custody in Lithuania, but did not offer more details about the crime, or why the office chose not to identify the firms," Fortune reported. "Law enforcement sources say the Justice Department is likely to identify the tech firms once the extradition process -- which is expected to take months -- is over, and Rimasauskas faces a bail hearing in a U.S. court."
The U.S. Internet Crime Complaint Center received 7,838 complaints about business email compromise schemes in 2015, with reported losses exceeding $263 million, according to the FBI's most recent Internet Crime Report.