When Tech Giants, Facebook & Google, Fall Victim to a $100M Phishing Scam, Is Your Company at Risk?
Scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. Between 2013 and 2015, employees at both Facebook and Google were tricked into sending money to fraudulent overseas bank accounts in a scheme hatched by a 40-something Lithuanian man named Evaldas Rimasauskas.
According to the U.S. Justice Department, he forged invoices, email addresses and corporate stamps in order to impersonate a large Taiwanese manufacturer, Quanta Computer, with whom the two firms regularly did business. Using phishing emails, he tricked company executives into paying for fictitious computer supplies. By the time the firms figured out what was going on, Rimasauskas had collected over $100 million in payments which he stashed in bank accounts in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.
To obtain the transferred funds, he forged the signatures of Facebook and Google executives on invoices, contracts and letters that he submitted to banks.
Though Rimasauskas was indicted by the Justice Department, and both companies reported recouping a portion of the lost funds, such cyber crime attacks, labeled “Business Email Compromise” (BEC) by the FBI, more often leave companies with devastating financial losses, investigative and legal costs, and damaged reputations. If such wire fraud is not discovered in time, funds may not be recovered, since criminals use laundering techniques and “money mules” worldwide to drain the money into other accounts that are difficult to trace.
BEC scams are continuing to grow and evolve, targeting not just large companies, but small and medium-sized organizations, as well as individuals in all 50 states and over 150 countries. Between December 2016 and May 2018, there was a 136% increase in identified global exposed losses [2].
Based on IC3 and international law enforcement complaint data and financial filings between October 2013 and May 2018, domestic and international exposed dollar loss totalled $12.5 billion (actual and attempted loss) [3].
In the six-month period from October 2017 to March 2018, Action Fraud, the UK’s national fraud and cyber crime reporting center, revealed that cyber crime victims lost £28 million (approx. $37M USD).
The Real Estate sector has been heavily targeted by BEC schemes. Spoofed emails are sent or received on behalf of title companies, law firms, real estate agents, buyers and sellers, with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are directed to a domestic account or transferred to a secondary international account and rapidly depleted through cash or check withdrawals.
In the face of escalating and sophisticated wire fraud schemes perpetrated through professional email channels, a new category of coverage, known as “cyber insurance,” has arisen to counter the tremendous risk that enterprises face. The recent susceptibility of two of the largest tech companies to a multimillion-dollar BEC scheme suggests that the BEC threat is significant and will soon join the ranks of insured events covered routinely by companies as a cost of doing business.