How could Google and Facebook, two of the largest tech companies in the world, fall victim to an elaborate email phishing scam where their own employees wired over $100 million directly to cybercriminals?
It started half a world away when Evaldas Rimasauskas, a man from Lithuania, and his ring of unnamed cybercriminals created a fake company, Quanta Computer, in Latvia. This fake company was created to impersonate a legitimate business called Quanta Computer, a hardware manufacturer based in Taiwan that is a large supplier for both Google and Facebook.
Rimasauskas and his co-conspirators created fake emails, fake invoices, fake contracts, and fake corporate seals, and impersonated employees of the legitimate Quanta Computer. These cybercriminals corresponded with unsuspecting employees of Google and Facebook with the goal of getting them to pay fake invoices via wire transfer. Google and Facebook employees fell for the scheme and wired money directly to Rimasauskas and his organization, who then laundered the money in banks throughout the world.
In 2013, Google employees wired about $23 million to Rimasauskas and his organization, and in 2015 Facebook employees wired them about $98 million. Eventually, Google, Facebook, and law enforcement officials caught on to the scheme. In 2017, Rimasauskas was extradited to New York, where he pleaded guilty to one count of wire fraud and forfeited $49.7 million. His sentencing is on July 24, 2019, and he faces up to 30 years in prison.
Why are we only hearing about this case now?
We are only now learning the details of this international tech-finance scandal because an indictment was released last week by the U.S. Attorney for the Southern District of New York.
U.S. Attorney Geoffrey Berman released the following in a statement about the incident:
“As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece U.S. companies out of $100 million, and then siphoned those funds to bank accounts around the globe. Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted this fraudulent scheme, but as he learned, the arms of American justice are long, and he now faces significant time in U.S. prison.”
Both Google and Facebook have recovered an undisclosed portion of the fraudulently transferred money. Without Rimasauskas, his ring of cybercriminals, and their fake company, there won’t be any more victims of this cyber scheme.
Email Phishing Is On The Rise
The FBI’s Internet Crime Complaint Center recently issued an advisory warning that email phishing (what they call Business Email Compromise) is up by 1,300 percent since 2015. They estimate that companies have lost $3 billion from similar cybercrimes in recent years.
In fact, a recent PhishMe report titled Enterprise Phishing Susceptibility and Resiliency Report stated that phishing emails are behind over 90% of successful cyberattacks. PhishMe has sent over 40 million simulated phishing emails to about 1,000 different organizations. One pattern they observed in these tests is that many people took the bait of the fake email despite having completed cybersecurity awareness training!
Why do people keep falling victim to email phishing attacks?
Here are some of the main reasons that people will fall victim to an email cyberattack.
- Personalized emails – Spear phishing is when a cybercriminal uses personal details in an attempt to trick the recipient into believing the sender is a real person with whom they have a real connection.
- Playing on emotions – The cybercriminals create a sense of urgency and fear that if you don’t take action, something bad will happen. Downloading a file, going to a website to enter your credentials, sending a password, or wiring some money are all “solutions” for the fake problems created by the cybercriminals.
- Email from a credible source – An email from a CEO, your most important clients, or an executive of your company (using their real email signature) will have you jump to action – but that is exactly what the cybercriminals want you to think!
It’s time to take email phishing seriously as a threat against your business. You may think that cybercriminals only want to go after the “big guys” like Google and Facebook, but in reality, over 50% of all cyberattacks are aimed at small and medium businesses.
Large corporations like Google and Facebook have entire teams dedicated solely to cybersecurity, whereas most small and medium businesses don’t have a cybersecurity expert on hand, let alone a dedicated IT person with a decent amount of cybersecurity knowledge. This means that small and medium businesses are even more vulnerable to cyberattacks than larger companies.
Preventing Your Employees From Falling Victim To Cyberattacks
Right now, both Google and Facebook have teams of dedicated cybersecurity forensic analysts working to determine exactly how and why their employees mistakenly transferred millions of dollars to a fake company. The findings of these experts will most likely be a broad range of recommendations to implement including additional cybersecurity training for all employees.
As a St. Louis IT company, we offer all of our clients web-based cybersecurity training courses as part of our cybersecurity protection strategy. While this offers a very good overview of the many methods that cyberattackers use to try to infiltrate an organization, we’ve found that a real-life lesson makes a much bigger impact for each individual. We now have the capability to send out simulated phishing emails to entire organizations to test whether individuals will fall victim to a malicious email or whether the individuals will be able to identify a potential threat.
Unfortunately, every business is equally vulnerable to its employees falling for a scam similar to the one suffered by Google and Facebook. A single person’s poor judgement can easily circumvent all of the cybersecurity protections painstakingly put in place by an IT support team. So, be aware of the risks and take action today to protect your business and educate and test your entire team!