Go Big or Stay Home

It is my belief that if you are planning a crime, you might as well go for the glory.  The jail time is the same whether you steal $50,000 or $50 million.

I’m not sure if this is the biggest phishing scam ever, but it is the biggest I’ve heard of. A Lithuanian man named Evaldas Rimasauskas devised a scheme that extracted over $100 million from Google and Facebook. He achieved this feat by setting up a shell corporation to impersonate a large Asian manufacturer that both of these tech giants did business with. He created forged invoices, email addresses, and corporate stamps to further his scheme.

Rimasauskas allegedly registered and incorporated a company in Latvia that had the same name as the Taiwanese electronics manufacturer Quanta Computer. Then, using email addresses designed to appear as if they came from the Asian company, he sent employees of Google and Facebook bills for goods and services for over two years.  The money was deposited in several east European banks.

Lithuanian law enforcement, acting on a warrant, arrested Rimasauskas in March, U.S. federal prosecutors said in a press release. He is facing extradition to the United States. Google said it had “recouped the funds” and Facebook said it had “recovered the bulk of the funds shortly after the incident.”

The takeaway here is that even mega-corporations like Facebook and Google can be tricked by a clever phishing campaign. The cyber-criminals have upped their game, and are researching their intended victims thoroughly to develop scams that are very realistic and tough to detect. Of course, Google and Facebook have the resources to recover from a loss like this. If you own or manage a small business, someone has researched your company and may be perpetrating a fraud like this against it. Talk with your accounts payable personnel about this sort of scam, and make sure there are strong controls and checks on what is approved for payment.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
