Facebook, Google lose $100 million to advanced phishing scam

When it comes to cybercrime, it's clear no one is immune. 

Not the U.S. government, which has suffered major breaches of highly sensitive personnel information and its advanced hacking tools and plans

Not even the big technology companies like Facebook and Google, who Fortune revealed on Friday were the two previously unnamed U.S. firms that lost $100 million to an advanced phishing scam

Beginning in 2013, a Lithuanian man is alleged to have launched an ambitious scam that included forged e-mail addresses, invoices and corporate stamps that were designed to impersonate an Asian manufacturing supplier. The aim was to to trick the firms into paying for bogus computer supplies. From Fortune's story:

"The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe."

Key lessons

It's not a tech problem.

The first lesson for everyone is that you can't simply rely on technology-based tools and approaches to combat cybercrime. Odds are pretty high that Facebook and Google have among the world's best security tools. 

This scam worked because it wasn't a technology-based hack. It was a people-focused hack. By looking legitimate enough, cybercriminals take advantage of people's trust in technology and they benefit from non-technology based security controls such as multi-party verification of transactions. 


The second lesson is around cybercrime and materiality of events with respect to investor rights to know about issues and incidents. While losing $100 million may not be financially material to these two firms, there is another aspect of materiality worth considering. From Fortune:

"But the “material event” in this case may amount to more than the company losing some money, according to White, who was aware of the indictment when she spoke to Fortune, but not the identity of the companies involved.

“I think companies need to be looking more broadly than that - not just at operational direct loss,” said White. “There’s the possibility of reputational damage. What does this say about internal controls over assets?”

Facebook and Google declined to comment, but people close the companies suggested they had decided the Rimasauskas fraud was not material enough to require disclosure of it."

Tackling cybercrime and cybersecurity effectively requires a new approach to measuring, managing and monitoring cyber risk that helps firms understand the total picture - people, process, culture and technology. 

That's why we've built Beauceron. If you're ready to learn more about our innovative and affordable approach, schedule a demo of our platform

David Shipley, BA, MBA, CISM  is the CEO and co-founder of Beauceron Security Inc. He frequently writes about cybersecurity issues and often speaks to regional and national media about cybersecurity and cybercrime.