He did it using one of the most common and devastating cyberattacks: business email compromise, also known as invoice fraud. It's a type of fraud where a criminal poses as a vendor or business partner and convinces a company to wire huge sums of money to an offshore account as "payment" for services that were never rendered.
Representatives for Google and Facebook both said their respective companies recovered the stolen funds. That's rare. People who are defrauded out of their mortgage down payment, small businesses that mistakenly wire millions of their meager funds offshore, and even hedge funds without enough oversight have been hit much harder by business email compromise — sometimes so hard they go out of business.
Here's why the type of common fraud that struck Google and Facebook is actually the biggest problem in cybersecurity, and how to avoid it.
Most cyber attacks cause reputational or competitive harm. A company might see client details, customer social security numbers or secret business plans exposed on the internet. That can be painful, but usually doesn't cause immediate financial harm.
Invoice fraud results in an immediate financial loss. And it's on the rise.
According to the FBI, the amount of money that scammers attempted to steal through business e-mail compromise grew 136% between December 2016 and May 2018. Overall, e-mail scammers targeted more than $12 billion worldwide between October 2013 and May 2018.
In a typical invoice fraud, hackers take over or convincingly spoof the email address of a known business partner, like an attorney or vendor. The criminal may carefully monitor the usual interactions and payment processes between the business and the other party. Then, the criminal sends a convincing invoice or asks for a wire transfer for services rendered. Often, the business's accounting office doesn't realize it's fraud and releases the funds.
That was the case with one owner of a small accounting firm in Brooklyn, New York, who wished to remain anonymous. In 2016 and 2017, an administrative assistant received several emails from an email address that appeared to belong to a business partner requesting payment for legal services, with wire addresses at legitimate banks. The assistant was in charge of releasing funds for routine invoices and complied. The scam cost the firm nearly $700,000 in one year — about half his average yearly revenue.
The owner says he wasn't able to recover the money because he had willingly sent the funds, and banks typically don't make customers whole for this type of fraud. He contemplated declaring bankruptcy, but instead tightened his belt and carried on.
"I just ate it instead," he said. "And basically stopped doing any business over the email."
The accountant's experience is typical.
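The pattern described above, a spoofed or taken-over partner address followed by a payment request, can be screened for before funds are released. The following is an added example, not part of the original article: the vendor record, domains, account IDs and the `screen_invoice` helper are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed vendor master record; names, domains and account IDs are made up.
VENDORS = {"acme-legal.example": {"name": "Acme Legal LLP", "account": "CONSTRUCTED-0001"}}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def screen_invoice(msg, threshold=0.85):
    """Return the reasons to hold a payment request for manual review."""
    findings = []
    display, _ = parseaddr(msg.get("From") or "")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    vendor = VENDORS.get(from_dom)
    if vendor is None:
        # Unknown sender domain: does it imitate a known partner?
        for known, rec in VENDORS.items():
            if SequenceMatcher(None, from_dom, known).ratio() >= threshold:
                findings.append(f"lookalike domain: {from_dom} resembles {known}")
            if display.lower() == rec["name"].lower():
                findings.append(f"display name of {known} sent from {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from {from_dom}")
    # A taken-over mailbox passes every header check, so the payment
    # destination is always compared with the record on file.
    expected = vendor["account"] if vendor else None
    if msg.get("account") != expected:
        findings.append("payment account not on file: confirm by a known phone number")
    return findings

# Constructed sample messages (headers plus the account named on the invoice).
LEGIT = {"From": "Acme Legal LLP <billing@acme-legal.example>", "account": "CONSTRUCTED-0001"}
SPOOFED = {"From": "Acme Legal LLP <billing@acme-1egal.example>", "account": "CONSTRUCTED-9999"}
TAKEOVER = {"From": "Acme Legal LLP <billing@acme-legal.example>", "account": "CONSTRUCTED-9999"}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("takeover", TAKEOVER)):
        print(label, screen_invoice(msg))
```

The takeover sample passes both sender checks and is held only because the payment account changed, which is why the account comparison runs on every request rather than only on suspicious senders.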
Invoice fraud has become so common that when denim company Diesel Jeans filed for bankruptcy earlier this month, the company cited invoice fraud as a significant contributor to its financial woes. Prior to that, scammers successfully impersonated Mattel's CEO in a series of email compromise scams that led to $3 million in losses for the company.
In 2017, a commodities trading firm called Tillage Commodities LLC, based in Connecticut, lost 64 percent of its total capital to business email compromise over the course of just 21 days. The company was later fined $150,000 by the Commodity Futures Trading Commission for failing to supervise its funds.
In Google and Facebook's cases, a Lithuanian national named Evaldas Rimasauskas -- who pleaded guilty to wire fraud on March 20 -- spent two years posing as a third party who conducted business with the two companies. The fraud was highly involved, and the tech giants' money took a round-the-world trip to be laundered before ending up in Rimasauskas's hands.
Google and Facebook wired funds to Rimasauskas's "bank accounts in Latvia and Cyprus," and he then "quickly wired [the funds] into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong," according to the Justice Department.
Rimasauskas "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of [Google and Facebook], and which bore false corporate stamps embossed with [their] names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."
Google lost around $23 million in the scam, while Facebook was out $100 million.
"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a Facebook spokesperson said.
According to a Google spokesperson, "We detected this fraud and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved."
Neither company explained to CNBC how they were able to recover the stolen funds. In most cases, they're lost forever.
Companies of any size, and individuals who may be about to make a large financial transaction -- like a home payment -- can take some practical steps to avoid this type of fraud, according to the FBI and Department of Homeland Security.