It's easier to con someone than to take whatever you want from them with brute force. That's why phishing scams, which rely on trickery instead of technical skill, can be so effective. Convincing someone at Google to pay you tens of millions of dollars is relatively easy compared to compromising the systems used to handle that money. And that's how someone managed to bilk roughly $100 million from Google and Facebook via email fraud.
This scheme was first revealed in March when the Justice Department said that someone impersonating an "Asian-based manufacturer of computer hardware" managed to steal from a "multinational technology company, specializing in Internet-related services and products" and "a multinational corporation providing online social media and networking services" between 2013 and 2015. Quanta Computer, a Taiwanese manufacturer, said in March that it was the "Asian-based manufacturer of computer hardware" to which the Justice Department referred in its indictment.
Fortune revealed today that Google and Facebook were the other companies affected by the scam. Google confirmed this finding in a statement to Tom's Hardware. "We detected this fraud against our vendor management team and promptly alerted the authorities," a spokesperson said. "We recouped the funds and we're pleased this matter is resolved." Facebook has not responded to a request for comment. The saga highlights a basic truth: Even some of the world's largest tech companies are vulnerable to phishing based on falsified emails, documents, and other materials.
Here's how the scheme was described in the Justice Department's indictment:
[Evaldas Rimasauskas] registered and incorporated a company in Latvia (“Company-2”) which bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2. Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS. These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1. This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.
The primary difference between this and other phishing efforts is the amount of money involved. Others have used the same methods (registering lookalike email addresses, impersonating a trusted party, and so on) to get what they want. Sometimes that's money, sometimes it's information, and sometimes it's a foothold that brings the attacker closer to the real target. The motivation doesn't matter. What matters is that these attacks often succeed. Do you carefully scrutinize every email you receive from friends, family, or companies you deal with to make sure it's legitimate?
Most people don't, and one slip-up can have real consequences. Scammers might set up malicious websites masquerading as Netflix's site, for example, to collect personal information that could be used to commit identity theft. Or they might take passwords leaked from a LinkedIn breach, log in to your Skype account with the same credentials if you reused them, and then use that access to gather information about the people you know. It's like knocking over dominoes: All you have to do is flick the first one and hope all the others fall in response, and if it doesn't work the first time, well, you can always try again.
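As an added illustration (this is not code from the article or from any of the companies involved), here is a small Python triage script for the pattern the indictment describes: sender addresses built to look like they belong to a trusted vendor. The vendor domain vendor-example.com and the sample headers are constructed for the example; the real domains in the case are not given in the article. It checks three things an accounts-payable mailbox should care about: a From domain that is a near-miss of a trusted vendor domain (a typo or a lookalike such as "rn" for "m"), a display name that carries the vendor's address while the real address is elsewhere, and a Reply-To pointing at a different domain than the From.

```python
"""Sender-impersonation triage for vendor email (added example, not the article's code).

TRUSTED_VENDOR_DOMAINS and SAMPLE_MESSAGES are constructed assumptions.
The address parser is deliberately minimal so the display-name trick is
handled explicitly rather than left to a library's edge-case behaviour.
"""
import re

# Assumption: the domains of vendors we actually pay (constructed for the example).
TRUSTED_VENDOR_DOMAINS = {"vendor-example.com"}

# Character sequences commonly substituted to build lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed sample headers: one legitimate message and four impersonation patterns.
SAMPLE_MESSAGES = [
    {"From": "Ann Lee <ann.lee@vendor-example.com>", "Reply-To": ""},
    {"From": "Ann Lee <ann.lee@vendor-example.co>", "Reply-To": ""},            # dropped letter
    {"From": "Ann Lee <ann.lee@vendor-exarnple.com>", "Reply-To": ""},          # rn -> m homoglyph
    {"From": "ann.lee@vendor-example.com <billing@freemail-example.net>",       # display-name spoof
     "Reply-To": ""},
    {"From": "Ann Lee <ann.lee@vendor-example.com>",                            # reply goes elsewhere
     "Reply-To": "ann.lee@vendor-example-ltd.lv"},
]


def split_address(value):
    """Return (display_name, address) for 'Name <addr>' or a bare 'addr'."""
    m = re.match(r'\s*(?P<name>.*?)\s*<(?P<addr>[^>]+)>\s*$', value)
    if m:
        return m.group("name").strip('" '), m.group("addr").strip().lower()
    return "", value.strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize(domain):
    """Collapse common homoglyph sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance; small values mean a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(headers):
    """Return a list of finding labels for one message's From/Reply-To headers."""
    findings = []
    display, addr = split_address(headers.get("From", ""))
    from_dom = domain_of(addr)

    if from_dom not in TRUSTED_VENDOR_DOMAINS:
        for trusted in TRUSTED_VENDOR_DOMAINS:
            if normalize(from_dom) == normalize(trusted) or edit_distance(from_dom, trusted) <= 2:
                findings.append("lookalike-domain")
                break
        # The vendor's real address appears only in the free-text display name.
        if any(trusted in display.lower() for trusted in TRUSTED_VENDOR_DOMAINS):
            findings.append("display-name-spoof")

    reply_to = split_address(headers.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-mismatch")
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg['From']!r:70} -> {analyze(msg) or 'ok'}")
```

None of these checks replaces the control that would actually have stopped the wire transfers: any change to a vendor's bank details should be confirmed by calling the vendor back on a number already on file, never on one supplied in the email. The script is there to make sure the message gets that call in the first place.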
Acting U.S. Attorney Joon H. Kim said in a press release about Rimasauskas' arrest:
From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control. This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.
The same holds true for us. It's easy to swallow a phishing attempt hook, line, and sinker. The only way to avoid that fate is to remain vigilant by carefully examining questionable emails, making sure we know with whom we're sharing information, and having a backup plan for when things go wrong.