- Google and Facebook paid out $23 million and $100 million respectively to a cybercriminal from Lithuania, who pleaded guilty to wire fraud in New York this week.
- The companies were scammed out of the payments by a technique known as business email compromise or invoice fraud.
- Unlike most companies and individuals who are victimized by this type of crime, the tech giants were able to recover the funds. Most aren't so lucky, and many companies take a massive hit or are forced out of business by this type of crime.
He did it using one of the most common and devastating cyberattacks: business email compromise, also known as invoice fraud. It's a type of fraud where a criminal poses as a vendor or business partner and convinces a company to wire huge sums of money to an offshore account as "payment" for services that were never rendered.
Representatives for Google and Facebook both said their respective companies recovered the stolen funds. That's rare. People who are defrauded out of their mortgage down payment, small businesses that mistakenly wire millions of their meager funds offshore, and even hedge funds without enough oversight have been hit much harder by business email compromise — sometimes so hard they go out of business.
Here's why the type of common fraud that struck Google and Facebook is actually the biggest problem in cybersecurity, and how to avoid it.
Most cyber attacks cause reputational or competitive harm. A company might see client details, customer social security numbers or secret business plans exposed on the internet. That can be painful, but usually doesn't cause immediate financial harm.
Invoice fraud results in an immediate financial loss. And it's on the rise.
According to the FBI, the amount of money that scammers attempted to steal through business e-mail compromise grew 136% between December 2016 and May 2018. Overall, e-mail scammers targeted more than $12 billion worldwide between October 2013 and May 2018.
In a typical invoice fraud, hackers take over or convincingly spoof the email address of a known business partner, like an attorney or vendor. The criminal may carefully monitor the usual interactions and payment processes between the business and the other party. Then, the criminal sends a convincing invoice or asks for a wire transfer for services rendered. Often, the business's accounting office doesn't realize it's fraud and releases the funds.
That was the case with one owner of a small accounting firm in Brooklyn, New York, who wished to remain anonymous. In 2016 and 2017, an administrative assistant received several emails from an email address that appeared to belong to a business partner requesting payment for legal services, with wire addresses at legitimate banks. The assistant was in charge of releasing funds for routine invoices and complied. The scam cost the firm nearly $700,000 in one year — about half his average yearly revenue.
The owner says wasn't able to recover the money because he had willingly sent the funds, and banks typically don't make customers whole for this type of fraud. He contemplated declaring bankruptcy, but instead tightened his belt and carried on.
"I just ate it instead," he said. "And basically stopped doing any business over the email."
The accountant's experience is typical.
Invoice fraud has become so common that when denim company Diesel Jeans filed for bankruptcy earlier this month, the company cited invoice fraud for contributing significantly to its financial woes. Prior to that, scammers successfully impersonated Mattel's CEO in a series of email compromise scams that led to $3 million in losses for the company.
In 2017, a commodities trading firm called Tillage Commodities LLC, based in Connecticut, lost 64 percent of its total capital to business email compromise over the course of just 21 days. The company was later fined $150,000 by the Commodity Futures Trading Commission for failing to supervise its funds.
In Google and Facebook's cases, a Lithuanian national named Evaldas Rimasauskas -- who pleaded guilty to wire fraud on March 20 -- spent two years posing as a third party who conducted business with the two companies. The fraud was highly involved, and the tech giants' money took a round-the-world trip to be laundered before ending up in Rimasauskas's hands.
Google and Facebook wired funds to Rimasauskas' "bank accounts in Latvia and Cyprus," who then, "quickly wired [the funds] into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong," according to the Justice Department.
Rimasauskas "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of [Google and Facebook], and which bore false corporate stamps embossed with [their] names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."
Google lost around $23 million in the scam, while Facebook was out $100 million.
"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a Facebook spokesperson said.
According to a Google spokesperson, "We detected this fraud and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved."
Neither company explained to CNBC how they were able to recover the stolen funds. In most cases, they're lost forever.
Companies of any size, and individuals who may be about to make a large financial transaction -- like a home payment -- can take some practical steps to avoid this type of fraud, according to the FBI and Department of Homeland Security.
- Inform employees of how this type of fraud works and how they should handle invoices. They should be especially alert when the terms of payment suddenly change or a vendor asks for funds to be sent to a different bank account than usual.
- Consider requiring two parties to sign off on all payment transfers, rather than leaving authority in one person's hands.
- Talk to your bank about creating special protocols, like voice verification, into the wire transfer process.
- Companies who think they may be a victim should immediately call the originating bank and request a wire recall, and preserve all messages and other evidence associated with the incident.
- Victims can file a complaint at https://www.ic3.gov to protect others.