Back in March, a Lithuanian man was arrested for duping two unnamed multinational internet companies via an email phishing attack.
Google and Facebook have confirmed that they were the two companies that fell victim to the scam costing them $100 million (£77m).
The man accused of being the scammer, Evaldas Rimasauskas, 48, allegedly posed as a manufacturer in Asia and defrauded the companies from 2013 until 2015, stashing the money in bank accounts across Eastern Europe.
The emails were sent from accounts designed to look like they had come from an Asia-based manufacturer, but they did not.
The US Department of Justice accused Rimasauskas of forging invoices, corporate stamps and email addresses to impersonate Quanta Computer, an Asia-based manufacturer with which the tech firms regularly did business.
Rimasauskas currently faces extradition proceedings in Lithuania. He and his lawyer, Linas Kuprusevičius, denounced the charges and the US-led investigation.
“Mr Rimasauskas cannot expect a fair and impartial trial in the USA. The uncertainty is further increased taking into account the behaviour of FBI agents during the interrogations of Mr Rimasauskas, frightening him with long years in US prisons, and the transfer of computers to US law enforcement officials, which was made without the presence of the owner,” Kuprusevičius said in an email to Fortune.
Facebook and Google did not confirm how much money was transferred and recouped, but both companies have reportedly recovered most of the funds.
Security experts said the attack highlights how sophisticated phishing scams can fool even the biggest tech companies. Lee Munson, security researcher at Comparitech, commented on the scam: “Phishing or, more appropriately in this case, ‘CEO Fraud’, poses a huge problem to organisations of all sizes. While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here. That a non-technical business could be attacked in this way is, perhaps, forgivable, but the same cannot be said for firms operating in the tech sector.”
Paul Calatayud, chief technology officer at FireMon, said, “The type of attack both these companies fell prey to did not impact customer data or corporate intellectual property. Also, this scam preys on finance departments rather than the cyber or engineering ‘talent’, so any company – no matter how innovative – can become a victim.
“The issue at hand is whether or not these types of events warrant disclosure. Given that both these companies have significant amounts of money in the bank and some was recovered, as the law stands, I don't feel reporting it was necessary. I do feel that we are lacking federal level breach disclosure laws that centre around eliminating public vs. private or material vs. immaterial conditions. We need to drive awareness; and these notifications can serve to benefit other companies. Until we do that, we will remain debating in board rooms whether or not cyber investments are necessary or how likely attacks may be. Like other debates on social forums, many crimes go unreported and this only benefits the criminals by being able to operate in the shadows.”