Lithuanian Evaldas Rimasauskas has been sentenced in a Manhattan court to five years in jail for successfully defrauding two large US companies out of $122 million.
The frauds, which happened between 2013 and 2015, involved sending those companies fake invoices that appeared to come from a legitimate Taiwanese company, Quanta Computer Inc.
Not realising the payments were the sharp end of an elaborate invoice fraud executed using spoofed email addresses, the companies’ accounts departments paid up.
But the most arresting aspect of this fraud isn’t the large sums Rimasauskas stole but the companies he is reported to have conned – Facebook (to the tune of $99 million) and Google ($23 million).
Whaling
Rimasauskas was originally arrested in 2017 for what the FBI described then as Business Email Compromise (BEC) but which others might describe as a form of whaling (highly targeted phishing attacks on senior members of an organisation). The victims were identified only as ‘company 1’ and ‘company 2’.
Last March, he pleaded guilty to charges including fraud, identity theft, and several counts of money laundering, and still the victims remained anonymous.
Even during this month’s trial and sentencing, the names remained, officially at least, a matter of conjecture.
Luckily, we know Google and Facebook were the companies involved because both decided to come clean within weeks of Rimasauskas’s arrest after Reuters got hold of a Lithuanian court order.
Said Google in April 2017:
We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.
Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation. We are confident that we have the proper controls in place to prevent such attacks in the future.
Both companies were obviously embarrassed by the incident but the fact it happened at all tells us something important about this kind of fraud – it can happen to any company, including the biggest, cleverest names one might assume would have numerous checks to counter fraud.
The FBI recently estimated that in the three years to July 2019, BEC and email account scams accounted for 166,000 incidents globally and an estimated $26 billion in losses.
As well as five years in jail – a modest term against the 20-year sentence that could have been handed down – Rimasauskas will serve an additional two years of supervised release, forfeit $49.7 million and pay restitution of $26.5 million.
Stay vigilant
Wire transfer fraud is just one of the ways that crooks attempt to part businesses from their money. Here are some tips for defending against this kind of email threat:
- Revisit your outbound email filtering rules to prevent sensitive information from going out to inappropriate destinations.
- Require multiple approvals for overseas wire transfers.
- Have strict controls over changes in payment details or the creation of new accounts.
- Use strong passwords and consider two-factor authentication (2FA) to make it harder for crooks to gather intelligence from your network in the first place.
- Consider a “back to base” VPN for remote users so their online security is kept up, even on the road.
- Have your own central reporting system, in the manner of the US IC3, where staff can call in suspicious messages to prevent crooks trying different employees with the same scam until a weak spot is found.
- Think twice about publicly posting personnel information that could be abused in phishing attacks.
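As an added example (not code from the article or from either company), here is a small Python payment gate that applies the sender-domain, payment-detail-change and multiple-approval tips above to an incoming invoice. The vendor record, domains, account numbers and approval threshold are all constructed for illustration.

```python
# Added example: hold an invoice for review when it fails the basic BEC checks
# described above. Vendor master data and sample invoices are constructed.
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    email_domain: str   # domain recorded in the vendor master record
    bank_account: str   # account on file, verified out of band


@dataclass
class Invoice:
    vendor_name: str
    sender: str         # From: address as received
    bank_account: str   # account the invoice asks to be paid into
    amount_usd: float


def check_invoice(inv, vendors, approvers, wire_threshold=100_000):
    """Return the reasons this invoice must be held; an empty list means it may proceed."""
    holds = []
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return ["vendor not in master record"]
    if "@" not in inv.sender:
        return ["malformed sender address"]
    domain = inv.sender.rsplit("@", 1)[1].lower()
    if domain != vendor.email_domain.lower():
        holds.append(f"sender domain {domain!r} is not the registered {vendor.email_domain!r}")
    if inv.bank_account != vendor.bank_account:
        holds.append("bank account differs from master record; verify by phone before paying")
    if inv.amount_usd >= wire_threshold and len(set(approvers)) < 2:
        holds.append("large overseas wire needs two distinct approvers")
    return holds


# Constructed vendor master record (hypothetical domain and account number).
VENDORS = {"Quanta Computer Inc": Vendor("Quanta Computer Inc", "vendor.example", "TW-ACCT-0001")}

if __name__ == "__main__":
    ok = Invoice("Quanta Computer Inc", "ap@vendor.example", "TW-ACCT-0001", 50_000)
    bad = Invoice("Quanta Computer Inc", "ap@vendor-billing.example", "LV-ACCT-9999", 2_000_000)
    print(check_invoice(ok, VENDORS, approvers=["alice"]))   # []
    print(check_invoice(bad, VENDORS, approvers=["alice"]))  # three holds
```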