While what he did was at least equal parts forgery and phishing scam, Evaldas Rimasauskas’ social engineering abilities and apparent deep knowledge of corporate invoicing processes allowed him to take two of the world’s biggest tech companies for $100 million using little more than an email account.
Rimasauskas, a citizen of Lithuania, targeted Facebook and Google. He posed as Quanta Computer, a Taiwan-based computer hardware manufacturer that does substantial business with most of the world’s big tech names. Using email spoofing and forged paperwork, Rimasauskas convinced each company to pay fraudulent invoices worth tens of millions of dollars.
There are a number of unnamed co-conspirators, but Rimasauskas appears to have been the ringleader based on the charges. He was arrested in Lithuania and extradited to the United States, where he is scheduled to be sentenced on wire fraud charges in July. Rimasauskas pleaded guilty to all charges.
How the phishing scam unfolded
The nucleus of the scheme was a fake “Quanta Computer” that Rimasauskas incorporated in Latvia in 2013, opening and maintaining bank accounts in the company’s name there and in Cyprus.
Rimasauskas then set up email accounts that appeared to be those of legitimate Quanta Computer employees, and used these to send invoices to Google and Facebook. He supported these invoice requests and attempted to evade bank scrutiny with contracts and letters that had the forged signatures of company executives on them, and in some cases even had false embossed corporate seals.
The scam took $98 million from Facebook in 2015. Rimasauskas extracted $23 million from Google, but both companies have recovered most of that money since the scheme was discovered and Rimasauskas was arrested. The maximum sentence is 30 years in prison.
Business email compromise
Rimasauskas’ crime is one of the gaudiest examples of this sort of thing, but it’s hardly an isolated event. In fact, just as Rimasauskas was beginning his scheme in 2013, the FBI was issuing an early cyber security warning about exactly this type of crime becoming an emerging threat.
The FBI refers to this phishing scam as “business email compromise” or “CEO impersonation.” The scammers usually prefer to impersonate the CEO given that they have the highest level of authority over finances, but they’ll take a CFO or even someone farther down the chain so long as they have the ability to issue payments.
It has evolved into a complicated criminal art that employs many different facets of cybercrime, often even more sophisticated than the approach that Rimasauskas and his associates used. However, there is a central organizing principle to this type of phishing scam: the use of deception to appear to be a legitimate business partner and to use that trust to get payments issued.
Big companies in the U.S. and Europe are the primary targets of this phishing scam. Scammers prefer companies that regularly do business with another large company, such that regular payments of large amounts of money are not uncommon and are generally approved quickly. Large companies are simply a preference, however; scammers will target smaller firms when they see an opportunity. The FBI estimates that this type of crime is growing in popularity, and has hit companies for at least $3 billion since the beginning of 2015.
In addition to CEOs and CFOs, scammers often target particular members of the company’s finance department using whatever personal information they can find. They may deploy phishing emails or malware to help smooth the path. They can either attempt to manipulate the employee into issuing payments (as Rimasauskas did), or try to use malware to get direct access to the payment system.
Some of the breathless headlines about the Rimasauskas case indicating that he “just asked for the money” are selling short the sophistication with which he conducted his fraudulent scheme. A lot of careful forgery and knowledge of the internal finance workings of the involved companies is needed to pull these attacks off. The FBI warns that attackers will often use malware or compromised accounts to breach the target network in advance and lay low, observing the billing systems and internal communications for weeks before making any kind of a move.
How companies can protect themselves against business email compromise
Most countries and localities have protections against the registration of identical or overly similar company names. Rimasauskas took advantage of relatively loose rules in Latvia, which has had ongoing issues with fraudulent company registrations driven by its popularity as a place to launder money. Communications coming from countries known for this sort of phishing scam can be an early warning, particularly if business partners were not previously known to have a presence there.
If a fraudster does manage to orchestrate a scheme such as this, early detection is critical. These attacks are usually carried out by organized groups that will immediately use mules to launder the money once received. Regular reviews of invoices and payment-related communications for accuracy can help tremendously here. For example, scammers often register a domain name or company email address that looks very much like that of a legitimate actor, but has one very subtle difference – perhaps a period out of place or a dash replaced with an underscore. Checking documents to verify that all of this contact information remains consistent over time can provide vital early warning that something is off.
It is also possible to adjust payment processes to bake protections against business email compromise into normal procedure. One idea is to implement two-factor authentication whenever a payment is made; for example, require phone verification. Email systems can also be tweaked to do things like automatically flag any messages where the “from” and “reply” addresses do not exactly match, or to automatically display text coming from an internal company account in a certain color. This will help to more quickly identify communications from a phishing site.
If you’ve been hit by a phishing scam, the first step is to contact your bank and have them get in touch with whatever institution the money was sent to. You should also get in touch with the relevant authorities to report phishing – for example, in the United States the FBI investigates this type of crime and will accept complaints about phishing attacks from any business of any size.
As with all fraud of this nature, the absolute best defense against such a phishing scam is in-person verification. The scammer is ultimately going to have to impersonate someone at the company; contacting the company to speak to this person directly will quickly tell you if it is a legitimate request or not.