If you’ve ever been duped by a phishing scam, you can feel a little less stupid about it today, because you’ve been joined in that sad club by Google and Facebook.Phishing attacks, where scammers pose as a trusted company or person via email and trick people into—for example—clicking a link, signing into a fake website, or even handing over their bank details, are a huge problem. And it works surprisingly often, particularly on older people (and senior members of Hillary Clinton’s campaign staff). But it seems even the world’s largest internet companies—organizations that have shaped the internet itself—are not immune from such attacks.A few weeks ago, the Justice Department announced that it had arrested a Lithuanian man in connection with a phishing attack that scammed two unnamed US tech companies out of a total of $100 million. Now, an investigation by Fortune has revealed that those two companies are Facebook and Google.The scam was pretty sophisticated. Between 2013 and 2015, Evaldas Rimasauskas allegedly posed as a Taiwanese parts manufacturer named Quanta—which both companies do business with—through his own company with the same name registered in Latvia. He created fake email addresses and invoices for computer supplies, convincing the companies to make transfers totaling $100 million, which he then wired to bank accounts around the world. Rimasauskas denies the charge.