He did it using one of the most common and devastating cyberattacks: business email compromise, also known as invoice fraud. It's a type of fraud where a criminal poses as a vendor or business partner and convinces a company to wire huge sums of money to an offshore account as "payment" for services that were never rendered.
Representatives for Google and Facebook both said their respective companies recovered the stolen funds. That's rare. People who are defrauded out of their mortgage down payment, small businesses that mistakenly wire millions of their meager funds offshore, and even hedge funds without enough oversight have been hit much harder by business email compromise — sometimes so hard they go out of business.
Here's why the type of common fraud that struck Google and Facebook is actually the biggest problem in cybersecurity, and how to avoid it.
Most cyber attacks cause reputational or competitive harm. A company might see client details, customer social security numbers or secret business plans exposed on the internet. That can be painful, but usually doesn't cause immediate financial harm.
Invoice fraud results in an immediate financial loss. And it's on the rise.
According to the FBI, the amount of money that scammers attempted to steal through business e-mail compromise grew 136% between December 2016 and May 2018. Overall, e-mail scammers targeted more than $12 billion worldwide between October 2013 and May 2018.
In a typical invoice fraud, hackers take over or convincingly spoof the email address of a known business partner, like an attorney or vendor. The criminal may carefully monitor the usual interactions and payment processes between the business and the other party. Then, the criminal sends a convincing invoice or asks for a wire transfer for services rendered. Often, the business's accounting office doesn't realize it's fraud and releases the funds.
That was the case with one owner of a small accounting firm in Brooklyn, New York, who wished to remain anonymous. In 2016 and 2017, an administrative assistant received several emails from an email address that appeared to belong to a business partner requesting payment for legal services, with wire addresses at legitimate banks. The assistant was in charge of releasing funds for routine invoices and complied. The scam cost the firm nearly $700,000 in one year — about half his average yearly revenue.
The owner says he wasn't able to recover the money because he had willingly sent the funds, and banks typically don't make customers whole for this type of fraud. He contemplated declaring bankruptcy, but instead tightened his belt and carried on.
"I just ate it instead," he said. "And basically stopped doing any business over the email."
The accountant's experience is typical.
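The spoofed-sender pattern described above can be screened for before an invoice reaches whoever releases funds. The following is an added example, not part of the original article: it flags payment requests whose sender domain merely resembles a known vendor's, or whose Reply-To points somewhere else. The vendor domains, the sample messages and the 0.85 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of vendors the business actually pays (constructed values).
KNOWN_VENDOR_DOMAINS = {"acme-legal.example", "northwind-supply.example"}

# Constructed sample messages: a genuine vendor and a one-character lookalike.
LEGIT = ("From: Billing <billing@acme-legal.example>\n"
         "Subject: Invoice 1042\n\nPlease see the attached invoice.\n")
LOOKALIKE = ("From: Billing <billing@acrne-legal.example>\n"
             "Reply-To: ap@payments-desk.example\n"
             "Subject: Invoice 1043 - updated wire details\n\nPlease pay today.\n")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def closest_vendor(domain):
    """Return (vendor_domain, similarity 0..1) for the nearest known vendor."""
    score, vendor = max(
        (SequenceMatcher(None, domain, v).ratio(), v) for v in KNOWN_VENDOR_DOMAINS
    )
    return vendor, score

def review_invoice_email(raw, threshold=0.85):
    """Return reasons to hold a payment request for out-of-band verification."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    reasons = []
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        vendor, score = closest_vendor(from_dom)
        if score >= threshold:
            reasons.append(f"lookalike sender domain: {from_dom} resembles {vendor}")
        else:
            reasons.append(f"unknown sender domain: {from_dom}")
    # Replies routed away from the visible sender are a common sign of spoofing.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return reasons
```

A message that returns no reasons can still come from a taken-over vendor mailbox, so a clean result does not replace confirming new or changed wire details through a phone number already on file.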
Invoice fraud has become so common that when denim company Diesel Jeans filed for bankruptcy earlier this month, the company cited invoice fraud for contributing significantly to its financial woes. Prior to that, scammers successfully impersonated Mattel's CEO in a series of email compromise scams that led to $3 million in losses for the company.
In 2017, a commodities trading firm called Tillage Commodities LLC, based in Connecticut, lost 64 percent of its total capital to business email compromise over the course of just 21 days. The company was later fined $150,000 by the Commodity Futures Trading Commission for failing to supervise its funds.
In Google and Facebook's cases, a Lithuanian national named Evaldas Rimasauskas -- who pleaded guilty to wire fraud on March 20 -- spent two years posing as a third party who conducted business with the two companies. The fraud was highly involved, and the tech giants' money took a round-the-world trip to be laundered before ending up in Rimasauskas's hands.
Google and Facebook wired funds to Rimasauskas' "bank accounts in Latvia and Cyprus," and he then "quickly wired [the funds] into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong," according to the Justice Department.
Rimasauskas "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of [Google and Facebook], and which bore false corporate stamps embossed with [their] names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."
Google lost around $23 million in the scam, while Facebook was out $100 million.
"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a Facebook spokesperson said.
According to a Google spokesperson, "We detected this fraud and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved."
Neither company explained to CNBC how they were able to recover the stolen funds. In most cases, they're lost forever.
Companies of any size, and individuals who may be about to make a large financial transaction -- like a home payment -- can take some practical steps to avoid this type of fraud, according to the FBI and Department of Homeland Security.