A Lithuanian man admitted today to defrauding Google and Facebook out of $123 million by using fake invoices to trick employees into wiring money to his bank accounts.
The man, Evaldas Rimasauskas, 50, pleaded guilty today in a New York court and now faces a sentence of up to 30 years in prison for his crimes.
US officials said Rimasauskas operated through a company he set up under a name similar to Quanta, a reputable provider of data center hardware products.
He targeted Google and Facebook because both companies run their own data centers and were known to have had business relations with Quanta.
According to court documents, Rimasauskas sent both Google and Facebook emails made to look as if they came from Quanta, demanding payment for alleged services and products.
He used fake invoices, contracts, and letters that fooled Google and Facebook employees into sending requested payments to the bank accounts provided by Rimasauskas, located at banks in Latvia and Cyprus.
US authorities said that as soon as the suspect received payments in these bank accounts, they were immediately transferred to other banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong, at accounts controlled by Rimasauskas.
Rimasauskas ran the scheme for three years between 2013 and 2015, allegedly defrauding Google out of $23 million and Facebook out of $100 million.
The scheme was novel at the time, but is now well known and referred to as whaling, a BEC (Business Email Compromise) scam, or CEO fraud.
The FBI's Internet Crime Complaint Center (IC3) issued an alert in July 2018 warning that BEC scammers had defrauded companies around the world of over $12 billion since October 2013.
Besides Google and Facebook, other companies also lost huge sums of money in BEC scams. Previous incidents have been reported at FACC, an Austrian manufacturer of airplane parts, which lost $56.79 million; Leoni, a German manufacturer of wires and electrical cables, which lost $45 million; Crelan, a Belgian bank, which lost $76 million; and Pathe, a French film production and distribution company, which lost $21 million.
Rimasauskas' sentencing hearing has been scheduled for July 29 of this year.