Facebook and Google Scammed Out of Millions - Stark Reminder That Anyone Can Be a Victim

May 4, 2017

There is another reminder that businesses, regardless of size, should continue to be vigilant with cybersecurity training and awareness programs. Two large and well-known organizations were targeted in a business email compromise (BEC) scam that resulted in significant financial losses. While this isn’t the first time BEC has made the news, the amount of money involved and the companies targeted may be surprising.

In March, the U.S. Department of Justice (DOJ) said that someone from overseas had created a company impersonating an “Asian-based manufacturer of computer hardware” that happened to have dealings with Google and Facebook. The Taiwanese computer company Quanta Computer (Quanta) was identified as the impersonated manufacturer.

It was an elaborate and very well-planned phishing scam indeed. The suspect, Evaldas Rimasauskas, registered and incorporated a company in Latvia using the Quanta name. He then opened and managed bank accounts in Latvia and Cyprus. He constructed email messages pretending to be the vendor and sent them to targeted employees at Google and Facebook. The result was the theft of over $100 million: the targeted employees authorized payments to be wired to Rimasauskas’ overseas bank accounts.

It is easy to get in a rush and respond to email messages too quickly. Most employees receive anywhere from 50 to 300 email messages on any given day, so it is understandable that mistakes are made. However, for those who have authority to set up or wire money to and from the company’s financial accounts, it is crucial to confirm any request for such actions before acting on it.

Organizations also should have clear processes in place for wire transfers. These should include:

- A requirement for any transfer to be confirmed by multiple people
- A confirmation step with the vendor or third-party contact by telephone, or in some other manner besides replying to the message that made the request
- Thorough validation that the sender’s email address is legitimate
- Procedures for what to do should a mistake occur
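As an added example (not from the original article), the kind of sender check the third item calls for: an incoming payment request is compared against an allow-list of the domains a vendor is known to send from, and the verdict distinguishes an approved domain, a lookalike domain (homoglyph substitutions and small edits), and a message that merely drops the vendor’s name into the display name. The allow-list, the vendor name key and the domains are constructed placeholders, not Quanta’s real sending domains.

```python
from email.utils import parseaddr

# Constructed allow-list: vendor key -> domains that vendor is known to send from.
# Placeholder domains for illustration, not any real vendor's infrastructure.
APPROVED_VENDOR_DOMAINS = {
    "quanta": {"example-vendor.com"},
}

# Common visual substitutions used in lookalike domains, folded before comparing.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))


def normalize(domain: str) -> str:
    """Lower-case the domain and fold homoglyph sequences to their look-alike."""
    d = domain.lower()
    for src, dst in HOMOGLYPH_PAIRS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, vendor: str, max_edits: int = 2) -> str:
    """Classify the From: header of a payment request against the vendor allow-list.

    Returns one of: "approved", "lookalike", "name_mismatch", "unknown".
    """
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    approved = APPROVED_VENDOR_DOMAINS.get(vendor.lower(), set())
    if domain in approved:
        return "approved"
    norm = normalize(domain)
    # Not an exact match, but within a few edits of an approved domain: lookalike.
    if any(edit_distance(norm, normalize(d)) <= max_edits for d in approved):
        return "lookalike"
    # Vendor name present in the display name or address, but from an unapproved domain.
    if vendor.lower() in f"{display} {address}".lower():
        return "name_mismatch"
    return "unknown"
```

A "lookalike" or "name_mismatch" verdict is a reason to route the request to the out-of-band confirmation step rather than to reply to the message.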

You might be asking how Rimasauskas knew which employees to target. Consider the amount and type of information that people publish on social networking and business networking sites. LinkedIn has most, if not all, of the information someone attempting a scam like this one needs. So consider preparing guidelines for employees so that they don’t give away so much information.

In a press release regarding this case, acting U.S. Attorney John H. Kim said, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

© Copyright 2017 Stickley on Security