His name is Evaldas Rimasauskas and he's a 50-year old man from Lithuania. Last Wednesday, he pled guilty to a phishing scam that fooled tech giants Google and Facebook into giving him millions over the course of two years.
You read that right. Even two of the largest and most successful tech companies in the world aren't above falling for a phishing scam.
Here's how he did it.
The Necessary Ingredients for a Phishing Scam
Every phishing attack requires at least 3 things in order to execute:
- A good target
- A spoofed identity
- An action for the target to take
What made this phishing attack against Google and Facebook effective was actually its ruthless simplicity. There was no malware and no technical exploit: it was invoice fraud, the kind of business email compromise that works on people and paperwork rather than on systems.
Rimasauskas had to be careful. You can't just target a random employee inside a company like Facebook and expect to get through. Where this scammer found his ideal target was a common department for phishing attacks - accounting. They're used to getting emails from outside the organization and they have access to company funds - target acquired.
Once he had the contact inside of accounting he wanted, he set about creating his phony identity.
Rimasauskas set up a fake company, incorporated in Latvia, that had the same name as the real Taiwanese electronics manufacturer (Quanta Computer) that Facebook and Google have done business with for years.
He created phony corporate stamps, multiple company email addresses, and invoices and contracts that all appeared to come from the real Quanta Computer.
Then, over the course of two years, he went to work.
What's especially bold (or foolish) is that Rimasauskas targeted two companies (Google and Facebook) whose entire business is knowing who a person is - yet, incredibly, his scam worked.
Maybe these tech giants thought they were above a common phishing scam - it turned out they were wrong. Cyber thieves don't discriminate. They look for the weak link at any company - large or small.
Rimasauskas sent carefully crafted emails to Google's and Facebook's accounting departments with forged contracts and attached invoices. He requested payment for hardware listed on phony bills and provided the "company's" bank account details (which were actually accounts he had set up in Cyprus and Latvia).
Next, he sent fake letters pretending to be from the real Quanta corporation's actual bank, telling Google and Facebook employees where to send the money - which happened to be (you guessed it) his offshore accounts.
Did anyone at Google or Facebook ever question why Quanta's main bank suddenly wanted payments sent to different accounts? Apparently not, since Google paid Rimasauskas $23 million and Facebook gave him $98 million over 24 months! A change of beneficiary account is the single strongest signal of invoice fraud, and the standard control is simple: confirm any new bank details by phone with a vendor contact already on file, never with a number or letter supplied in the email that announced the change.
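The kind of check that would have held these payments, as an added example rather than anything from the original post or from PTG: a small vendor-payment screen that compares a request against the vendor master record. It flags a sender domain that merely resembles the vendor's real domain, a beneficiary account that differs from the one on file, and message text announcing a change of bank details. The vendor domain, IBAN and phone number are hypothetical placeholders, and both sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed vendor master data for the example. The domain, IBAN and phone
# number are hypothetical placeholders, not the real vendor's details.
VENDOR_MASTER: Dict[str, dict] = {
    "quanta computer": {
        "domains": {"quantatw.example"},        # assumed sender domain on file
        "iban": "TW00EXAMPLE000000000001",       # assumed beneficiary account on file
        "phone_on_file": "+886-3-000-0000",      # used for out-of-band callbacks
    },
}


@dataclass
class PaymentRequest:
    vendor_name: str       # vendor the invoice claims to be from
    sender: str            # From: address of the e-mail
    beneficiary_iban: str  # account the invoice asks to be paid into
    body: str              # message text


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as quanta-tw vs quantatw."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(req: PaymentRequest) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    rec = VENDOR_MASTER.get(req.vendor_name.strip().lower())
    if rec is None:
        return ["vendor not in master data: hold until procurement onboards it"]

    # 1. Spoofed identity: is the sender domain one we actually have on file?
    dom = _domain(req.sender)
    if dom not in rec["domains"]:
        lookalikes = [d for d in rec["domains"] if _edit_distance(d, dom) <= 2]
        if lookalikes:
            findings.append(f"sender domain {dom} is a lookalike of {lookalikes[0]}")
        else:
            findings.append(f"sender domain {dom} is not registered for this vendor")

    # 2. The action: does the money go somewhere other than the account on file?
    if req.beneficiary_iban.replace(" ", "").upper() != rec["iban"]:
        findings.append("beneficiary account differs from the account on file: "
                        f"confirm by phone at {rec['phone_on_file']}, not via the e-mail")

    # 3. The pretext: does the message itself announce new bank details?
    if re.search(r"\b(new|updated|changed)\b.{0,40}\b(bank|account)\b", req.body, re.I | re.S):
        findings.append("message announces a change of bank or account details")
    return findings


def decide(req: PaymentRequest) -> str:
    """PAY only when there are no findings; otherwise HOLD for manual verification."""
    return "PAY" if not assess(req) else "HOLD"


# Constructed sample requests (not real messages).
LEGIT = PaymentRequest(
    vendor_name="Quanta Computer",
    sender="ar@quantatw.example",
    beneficiary_iban="TW00 EXAMPLE 0000 0000 0001",
    body="Invoice 4471 for the hardware delivered in March is attached. Payment terms net 30.",
)
FRAUD = PaymentRequest(
    vendor_name="Quanta Computer",
    sender="billing@quanta-tw.example",
    beneficiary_iban="CY00EXAMPLE000000000099",
    body="Please find attached invoice 4472. Our updated bank account details are on the enclosed letter from our bank.",
)

if __name__ == "__main__":
    for r in (LEGIT, FRAUD):
        print(decide(r), assess(r))
```

The point of the third check is that a forged "letter from the bank" is exactly what this scam used to explain the new account; the screen treats the announcement itself as a reason to pick up the phone, not as evidence that the change is genuine.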
For obvious reasons, Google and Facebook tried to keep their names out of the press on this. We only know about Rimasauskas because he was eventually caught, pled guilty and faces up to 9 years in prison for fraud. While around $50 million of the funds have been recovered, Google and Facebook have to ask themselves how one man working from a computer was able to dupe two of the largest tech companies in the world for two years.
It's a lesson to every business owner that even tech giants are fooled by phishing. You can never be too careful when dealing with corporate emails - especially ones that involve the exchange of funds.
Educating employees on cybersecurity is critical to avoid becoming another statistic. Google and Facebook could afford to lose millions to this man; other businesses would not have recovered from such a blow.
Here at PTG, we're committed to helping businesses and organizations stay secure. It's why we developed a tool called "Phishing Line" that is included in all of our clients' Outlook accounts.
It's a simple way of researching and reporting suspicious emails - without ever leaving your inbox. To find out more about how phishing line works, you can watch a short video here.