A Lithuanian man swindled two US tech companies out of over $100 million after he tricked employees into wiring money to his own company's bank accounts.
In an indictment unsealed yesterday, the US Department of Justice didn't name the two companies, but said one was "a multinational technology company, specializing in Internet-related services," while the second was also "a multinational corporation providing online social media and networking services."
The connection between these two was an Asian-based manufacturer of computer hardware, with which both US companies had business relations. Most likely this was a company providing server hardware, as most major US tech companies like to run their own data centers.
According to the indictment, Evaldas Rimasauskas, the 48-year-old Lithuanian behind the scams, had set up his own business in Lithuania under the same name as the Asian hardware provider.
Between 2013 and 2015, using spoofed emails and the fact that his company and the Asian manufacturer had identical names, the scammer tricked employees at the two US companies, and even banks, into making and approving payments to his own company's bank accounts. He then quickly distributed the money to other bank accounts in six other countries.
In recent years, this type of fraud, which relies heavily on electronic communications such as email, has gone by different names, including whaling attacks, BEC (Business Email Compromise), and CEO fraud.
What set this scam apart from similar incidents was not the techniques the attacker used, but the enormous amount of funds he managed to steal.
Previous incidents in which attackers managed to steal massive amounts of money using this simple technique include: FACC, an Austrian manufacturer of airplane parts (lost $56.79 million, CEO was later fired), Leoni, a German manufacturer of wires and electrical cables (lost $45 million), and Crelan, a Belgian bank (lost $76 million).
The FBI's Internet Crime Complaint Center (IC3) warned last June that BEC scams had defrauded companies around the world of over $3 billion since October 2013.
Rimasauskas faces a total of 82 years in prison for one count of wire fraud, three counts of money laundering, and one count of aggravated identity theft.