Facebook and Google employees fall for phishing scam, losing $100m to hacker

Employees from Facebook and Google were tricked into transferring $100m (£77.3m) in payments to a hacker's bank account overseas as part of a sophisticated email phishing scheme.

Evaldas Rimasauskas, 48, from Lithuania is alleged to have hacked into Facebook, Google and Taiwanese computer hardware parts supplier Quanta in order to figure out who was in the finance departments and in charge of issuing, authorising and paying invoices.

With this information, he then forged email addresses, invoices, corporate stamps and wire transfer request letters from banks to trick Google and Facebook employees into transferring payments for fake invoices to various bank accounts in Latvia and Cyprus that were opened in the name of Quanta.

Over two years from 2013 to 2015, Rimasauskas received $100m in payments before Facebook and Google separately realised what was going on. In the case of Facebook, an agreement with Quanta didn't actually exist at all.

Eventually Facebook contacted the FBI, and the Justice Department (DoJ) learned while investigating that Google was also being victimised by the same hacker. The federal indictment was sealed to keep the identities of the victim companies a secret, simply referring to the companies as "Company-1", "Company-2", "Victim-1" and "Victim-2" in the court documents.

Facebook and Google admit they were victims

Rimasauskas was arrested in mid-March in Lithuania and is currently fighting extradition to the US to stand trial for charges of wire fraud, money laundering and aggravated identity theft.

His lawyer has been arguing that he will not get a fair and impartial trial if extradited since the US Justice Department and the Lithuanian authorities have refused to name the two victim companies, and because of the behaviour of the FBI officers who interrogated him.

Quanta supplies hardware to many big US tech companies, from parts for the Apple Watch and Amazon's Kindle e-readers, to computer servers for Google. It publicly acknowledged in March that it was the innocent supplier listed in the indictment.

No one knew for sure whom the other two companies in the indictment were, but numerous sources told Fortune that the victims were Facebook and Google, and both tech firms have since admitted that they were victimised. Facebook says that it has recovered the bulk of the stolen funds, while Google managed to recoup all of its funds.

Companies need to warn their finance departments

High-profile email phishing scams have been on the rise – in March, German cable manufacturer Leoni AG admitted that it lost €40m ($44.7m, £33.7m) overnight after the CFO of one of its factories was tricked into transferring money into an unknown bank account.

In 2015, the US toy company Mattel was scammed out of $3m sent to a hacker's bank account in China, but fortunately it was a bank holiday when the transfer was made, so Chinese police in the province of Wenzhou and the bank in question were able to freeze the funds in time.

"From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control," Acting U.S. Attorney Joon H Kim said in March when the DoJ announced the arrest of Rimasauskas.

"This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals. And this arrest should serve as a warning to all cyber criminals that we will work to track them down, wherever they are, to hold them accountable."