By now you may have heard about Evaldas Rimasauskas, the Lithuanian man who pled guilty in March of this year to scamming Facebook and Google out of more than $100 million. Impersonating a company with whom both tech giants do business, Rimasauskas sent fake phishing emails containing forged invoices and convinced the companies to wire funds to bank accounts he controlled. The Department of Justice portrayed the crime as a fraudulent business email compromise (BEC) attack, but it’s worth noting that the victims aren’t small mom-and-pop businesses; they’re sophisticated, well-established companies with mature business processes and state-of-the-art procurement and ERP systems. Let’s take a look at how the criminals took advantage of common “best-in-class” accounts payable (AP) processes and practices. And more importantly, let’s look at how you can avoid falling victim to a similar hoax.

A sophisticated phishing scam

From 2013 to 2015, Rimasauskas orchestrated a combined phishing and invoice scheme targeting Google and Facebook, who confirmed to NPR that they were the companies referred to by the DOJ as “a multinational technology company” and “a multinational online social media company.”

According to the 2016 indictment filed in the U.S. attorney’s office, Rimasauskas registered and incorporated a company with the same name as Taiwan-based electronics manufacturer Quanta Computer, which supplies computer hardware to major tech companies. He then proceeded to open bank accounts in the company’s name in Cyprus and Latvia. Next, he sent fake emails and invoices to Facebook and Google and directed unsuspecting employees to wire payments to the fraudulent bank accounts that he controlled. And from those bank accounts in Latvia and Cyprus, Rimasauskas laundered the funds by quickly wiring the money into accounts not only in Latvia and Cyprus, but in Slovakia, Lithuania, Hungary and Hong Kong.

How were the employees fooled by the fake invoices?

Using a fairly common phishing practice, Rimasauskas and his co-conspirators sent spoofed emails, designed to look like they came from Quanta accounts, to the companies’ AP departments. Many companies only require vendors to email their invoices to an accounts payable email address; there aren’t any checks in place to ensure that those invoices are coming from a legitimate vendor.

But shouldn’t a human have approved the payment?

As a part of their internal financial controls, most companies require business users to approve invoices. In this case, the approvers were most likely familiar with Quanta and the types of purchases they usually made from them, so they probably had no reason to question the invoices.

Weren’t there purchase orders that the invoices should have matched before they were approved and released for payment?

It’s not clear from the indictment or news reports how the criminals knew valid P.O. numbers, SKU numbers, pricing, terms, invoice formats or other information for not one but two major companies.
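The three controls the questions above point at (the invoice must come from the vendor's registered sending domain, match an open purchase order for that vendor, and name the payee bank account already on file) written out as an invoice-intake check. This is an added example, not code from the original post or from either company; the vendor master record, the purchase order and the invoices are constructed sample data, and the sender-domain check assumes the mail gateway has already verified the From domain with SPF/DKIM/DMARC, since an unauthenticated From header can itself be forged.

```python
from dataclasses import dataclass, field


@dataclass
class Vendor:
    """One row of the vendor master: what AP already knows about a real supplier."""
    name: str
    email_domain: str                 # domain the real vendor sends invoices from
    bank_account: str                 # payee account on file, set up out-of-band
    open_pos: dict = field(default_factory=dict)  # PO number -> expected amount


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    po_number: str
    amount: float
    bank_account: str


def check_invoice(invoice: Invoice, vendor_master: dict) -> list:
    """Return the control failures for an emailed invoice.

    An empty list means the invoice may go to the business approver; any
    failure should stop it before a human who trusts the vendor name sees it.
    Assumes the gateway already authenticated the sender domain (DMARC).
    """
    vendor = vendor_master.get(invoice.vendor_name)
    if vendor is None:
        return ["vendor not found in vendor master"]
    failures = []
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        failures.append(f"sender domain {sender_domain} is not the vendor's {vendor.email_domain}")
    expected = vendor.open_pos.get(invoice.po_number)
    if expected is None:
        failures.append(f"no open PO {invoice.po_number} for {vendor.name}")
    elif abs(expected - invoice.amount) > 0.005:
        failures.append(f"PO {invoice.po_number} expects {expected:.2f}, invoice says {invoice.amount:.2f}")
    if invoice.bank_account != vendor.bank_account:
        # A changed payee account is the core of this scheme: never accept it
        # from the invoice itself; confirm through a contact already on file.
        failures.append("payee bank account differs from vendor master; verify out-of-band")
    return failures


# Constructed sample vendor master (placeholder domain and account, not real data).
VENDOR_MASTER = {
    "Quanta Computer": Vendor("Quanta Computer", "quanta.example", "TW00-PLACEHOLDER",
                              {"PO-1001": 250000.00}),
}
```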