Invoice Management

BEC Scammers Seem To Be Getting Cheekier – And Even More Successful

The recent news that a pretty cheeky Lithuanian chap managed to get major companies, including Google, to pay him over $120m fraudulently is, in one way, quite amusing – some of us may even have felt a little surge of admiration for his ingenuity!

But the much more serious – and, indeed, disturbing – aspect of this scandal is that it exposes just how shockingly fragile the invoice management process is, not just at most firms but even at the very biggest – something we have been warning about for a number of years (see The Dead Hand Of The Invoice Process Exception and other pieces on here, including our 2016 look at similar issues, Employee Fraud And Over-Payments: Serious Problems You Need To Address).

Let’s back up for a sec and review what this latest case is all about. Recently, a website called Bleeping Computer revealed that a gentleman called Evaldas Rimasauskas had apparently been able to con an astonishing $100m out of the Google and Facebook accounts payable teams between 2013 and 2015, in a shocking example of a so-called ‘BEC’ (business email compromise) scam (read all the details in the US Department of Justice’s press release about the case here).

How he did it: Rimasauskas registered and incorporated a Latvian company with the same name as the Asian computer hardware manufacturer Quanta Computer. He invoiced his target companies using this name, then hid the resulting payments in multiple bank accounts in banks in Cyprus, Lithuania, Hungary, Slovakia, and Latvia. His method was invoice deception, basically – “[The defendant] caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.”

With the help of several spoofed emails, and exploiting the fact that the two companies had identical names, the scammer was able to trick Google and Facebook employees, as well as the banks they worked with, into making and approving payments to his Latvian company’s bank accounts – an approach that netted him no less than $99m from Facebook and $23m from Google before he was detected.

Those numbers come from separate Lithuanian court documents; what we can be sure of is that he’s had to cough up the rather precise sum of Rimasauskas back to Uncle Sam now that he’s been busted. We do also know, by the way, that Google at least says it has got all its money back – we can’t be sure if Zuck has yet (maybe he hasn’t noticed it’s gone?).

But let’s be clear – BEC is a rising threat, even though this one was nipped in the bud: in 2016, the FBI publicly warned that the email scam is a “$3.1bn” problem, whose victims range from small businesses to large corporations across multiple sectors.

So – don’t be a mug! Invest in the best anti-BEC defence you possibly can… because if the smart folks in the finance departments of two of the biggest tech companies on the planet can fall for this stuff, what makes you think you – or your clients? – are immune?

thedmcollaborators ed
