By now you may have heard about Evaldas Rimasauskas, the Lithuanian man who pled guilty in March of this year to scamming Facebook and Google out of more than $100 million. Impersonating a company with whom both tech giants do business, Rimasauskas sent phishing emails containing forged invoices and convinced the companies to wire funds to bank accounts he controlled.
The U.S. Department of Justice described the crime as a business email compromise (BEC) scheme, but it’s worth noting that the victims weren’t small mom-and-pop businesses. They were sophisticated, well-established companies with mature business processes and state-of-the-art procurement and ERP systems. So why did they fall for it?
Let’s take a look at how the criminals took advantage of common “best-in-class” accounts payable (AP) processes and practices. And more importantly, let’s look at how you can avoid falling victim to a similar hoax.
From 2013 to 2015, Rimasauskas orchestrated a combined phishing and invoice scheme targeting Google and Facebook, who confirmed to NPR that they were the companies referred to by the DOJ as “a multinational technology company” and “a multinational online social media company.”
According to the 2016 indictment filed by the U.S. Attorney’s Office, Rimasauskas registered and incorporated a company with the same name as Taiwan-based electronics manufacturer Quanta Computer, which supplies computer hardware to major tech companies. He then opened bank accounts in the company’s name in Cyprus and Latvia.
Next, he sent fake emails and invoices to Facebook and Google and directed unsuspecting employees to wire payments to the fraudulent bank accounts that he controlled. And from those bank accounts in Latvia and Cyprus, Rimasauskas laundered the funds by quickly wiring the money into accounts not only in Latvia and Cyprus, but in Slovakia, Lithuania, Hungary and Hong Kong.
How were the employees fooled by the fake invoices?
Using a common phishing technique, Rimasauskas and his co-conspirators sent spoofed emails (messages crafted to look like they came from Quanta accounts) to the companies’ AP departments. Many companies simply have vendors email invoices to a shared accounts payable address, and nothing on the receiving side verifies that a message actually originated from the vendor’s mail system rather than from someone imitating it. The display name and From address of an email are trivially forged, and a clerk who is looking at the invoice, not the headers, has no reason to notice an unfamiliar sending domain.
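One way to put such a check in front of an AP mailbox, as an added example that is not code from this page or from any vendor it names: the script below parses an inbound message, compares the From domain against a per-vendor allowlist, flags a Reply-To that diverts replies elsewhere, and requires the mail gateway’s DMARC verdict to be “pass”. It assumes two things the page does not state: that AP keeps an allowlist of the email domains each vendor may invoice from, and that the gateway records SPF/DKIM/DMARC results in an Authentication-Results header (RFC 8601). The vendor domain and the three sample messages are constructed for illustration.

```python
"""Sender checks for an accounts-payable invoice mailbox (added example).

Assumptions, not from the page: AP keeps an allowlist of the domains each
vendor may invoice from, and the inbound gateway writes SPF/DKIM/DMARC
verdicts into an Authentication-Results header (RFC 8601).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: vendor name -> domains approved for invoices.
# The domain is made up for illustration; it is not Quanta's real domain.
VENDOR_DOMAINS = {
    "Quanta Computer": {"quanta-example.com"},
}

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_verdicts(msg):
    """Collect the SPF/DKIM/DMARC verdicts the gateway attached to the message."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def domain_of(header_value):
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_invoice_sender(raw_message, vendor):
    """Return (code, detail) findings; an empty list means the sender checks passed."""
    msg = message_from_string(raw_message)
    findings = []
    approved = VENDOR_DOMAINS.get(vendor, set())

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. The From domain must be one this vendor is approved to invoice from.
    #    A lookalike domain passes DMARC (the attacker owns it), so this check
    #    is what catches it.
    if from_domain not in approved:
        findings.append(("unapproved-domain", from_domain))
        key = vendor.strip().split(" ")[0].lower()
        if key and key in display_name.lower():
            findings.append(("display-name-impersonation", display_name))

    # 2. A Reply-To on a different domain diverts the clerk's replies (and any
    #    "please confirm" questions) to the attacker.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", domain_of(reply_to)))

    # 3. The gateway must have verified the From domain via DMARC; otherwise an
    #    attacker can simply write the real vendor domain into the From header.
    verdicts = auth_verdicts(msg)
    if verdicts.get("dmarc") != "pass":
        findings.append(("dmarc-not-pass", verdicts.get("dmarc", "missing")))
    return findings


# Constructed sample messages (headers only; bodies are irrelevant here).
GENUINE = (
    "From: Quanta Computer AP <invoices@quanta-example.com>\n"
    "To: ap@buyer-example.com\n"
    "Subject: Invoice 4471 for PO-88120\n"
    "Authentication-Results: mx.buyer-example.com; spf=pass smtp.mailfrom=quanta-example.com;"
    " dkim=pass header.d=quanta-example.com; dmarc=pass header.from=quanta-example.com\n"
    "\nInvoice attached.\n"
)
# Real vendor domain forged in From, replies diverted, DMARC fails.
SPOOFED_FROM = (
    "From: Quanta Computer AP <invoices@quanta-example.com>\n"
    "Reply-To: accounts@quanta-remit-example.net\n"
    "To: ap@buyer-example.com\n"
    "Subject: Invoice 4472 - updated remittance details\n"
    "Authentication-Results: mx.buyer-example.com; spf=fail smtp.mailfrom=quanta-example.com;"
    " dkim=none; dmarc=fail header.from=quanta-example.com\n"
    "\nPlease note our new bank account.\n"
)
# Attacker-owned lookalike domain: DMARC passes, but the domain is not approved.
LOOKALIKE = (
    "From: Quanta Computer AP <invoices@quanta-computer-billing-example.com>\n"
    "To: ap@buyer-example.com\n"
    "Subject: Invoice 4473 for PO-88120\n"
    "Authentication-Results: mx.buyer-example.com; spf=pass smtp.mailfrom=quanta-computer-billing-example.com;"
    " dkim=pass header.d=quanta-computer-billing-example.com; dmarc=pass header.from=quanta-computer-billing-example.com\n"
    "\nInvoice attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed-from", SPOOFED_FROM), ("lookalike", LOOKALIKE)):
        print(name, check_invoice_sender(raw, "Quanta Computer"))
```

The third sample is the important one: DMARC enforcement alone does not help when the attacker sends from a domain they legitimately own, which is why the allowlist check runs independently of the authentication verdicts.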
But shouldn’t a human have approved the payment?
As a part of their internal financial controls, most companies require business users to approve invoices. In this case, the approvers were most likely familiar with Quanta and the types of purchases they usually made from them, so they probably had no reason to question the invoices.
Weren’t there purchase orders that the invoices should have matched before they were approved and released for payment?
Yes. It’s not clear from the indictment or news reports how the criminals knew valid P.O. numbers, SKU numbers, pricing, terms, invoice formats and other details for not one but two major companies. One possibility is that they had insider information of some sort from Quanta and could therefore produce invoices with the right PO and line-item information on them.
Why didn’t Facebook and Google realize that the bank accounts to which they were asked to wire money weren’t the same as the Asia-based Quanta accounts on record?
The scammers used correspondent banks in New York and other cities, no doubt realizing that a request to wire funds to Latvia might have aroused suspicion.
How were the companies fooled into transferring such large sums of money?
As some observers have pointed out, the idea that Rimasauskas “just asked the companies for money” sells short the scheme’s level of sophistication. In addition to being a talented forger, he clearly had in-depth knowledge of big companies’ internal finance operations. Companies like Facebook and Google use advanced invoice and contract management software and follow industry-standard controls such as the three-way match, which checks that the price and quantity on an invoice agree with the purchase order and with the goods receipt before the invoice is paid.
The fact that Rimasauskas was able to skirt these controls shows that a three-way match on its own may no longer be enough to reconcile documents and prevent overpayments or outright fraud: an invoice whose PO number, line items and prices are all correct passes the match regardless of where the money is going.
If the sophistication of Rimasauskas’ scheme was able to defeat the best-in-class procurement system and AP process of a Facebook or Google, what hope do companies have for detecting and stopping overpayments? Here are a few strategies that can work.
The problem with emailed invoices is that an attachment must either be keyed in manually by AP staff or fed into invoice automation software, and either path accepts whatever the attachment says, leaving you exposed to errors and scams. For preventing phishing-based invoice fraud, structured electronic invoicing (for example, XML invoices exchanged over a channel the vendor was onboarded to) is a much better option than invoices emailed as attachments or even sent by post: the data arrives already structured, and the channel itself establishes who sent it. You may not be able to control what vendors send you; however, by putting the right controls and technology in place, you can detect fraudulent invoices before they’re paid.
A vendor request to add or change a bank account should always require a confirmation phone call to a number already on file for that vendor, or other out-of-band human verification, never a reply to the email that made the request. Solutions like AppZen use AI and data augmentation techniques to detect suspicious activity even when such requests are made electronically.
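To make the gap in the three-way match concrete, and to show the remit-to check that the bank-account rule above calls for, here is an added example (not code from this page or from any product it names). It runs a per-line three-way match and then a separate check of the invoice’s remit-to details against the vendor master. A forged invoice that copies the correct PO number, SKU, quantity and price passes the match cleanly and is held only by the remit-to check. Because a scammer can route money through a correspondent bank in a plausible country, the check compares the exact account on file, not just the country. All records, numbers and the SKU are constructed for illustration.

```python
"""Invoice release checks: three-way match plus remit-to verification (added example).

All records below are constructed; the PO, invoice and account numbers are
made up and the SKU is not a real part number.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Decimal


@dataclass
class PurchaseOrder:
    number: str
    vendor: str
    lines: dict          # sku -> Line ordered


@dataclass
class GoodsReceipt:
    po_number: str
    received: dict       # sku -> quantity the warehouse booked in


@dataclass
class VendorRecord:
    """Vendor master entry; the account here came from verified onboarding."""
    name: str
    bank_account: str
    bank_country: str


@dataclass
class Invoice:
    number: str
    vendor: str
    po_number: str
    lines: dict          # sku -> Line billed
    remit_to_account: str
    remit_to_country: str


def three_way_match(inv, po, receipt):
    """Classic three-way match: invoice vs PO vs goods receipt, per line."""
    exceptions = []
    if inv.po_number != po.number or receipt.po_number != po.number:
        return ["po-number-mismatch"]
    for sku, billed in inv.lines.items():
        ordered = po.lines.get(sku)
        if ordered is None:
            exceptions.append(f"not-on-po:{sku}")
            continue
        if billed.unit_price != ordered.unit_price:
            exceptions.append(f"price-mismatch:{sku}")
        if billed.qty > ordered.qty:
            exceptions.append(f"qty-over-po:{sku}")
        if billed.qty > receipt.received.get(sku, 0):
            exceptions.append(f"qty-over-receipt:{sku}")
    return exceptions


def remit_to_check(inv, vendor):
    """The leg the three-way match does not cover: where the money goes.
    Any difference from the vendor master must be confirmed out of band
    (a call to the number on file) before payment."""
    exceptions = []
    if inv.vendor != vendor.name:
        exceptions.append("vendor-name-mismatch")
    if inv.remit_to_account != vendor.bank_account:
        exceptions.append("remit-to-account-differs")
    if inv.remit_to_country != vendor.bank_country:
        exceptions.append("remit-to-country-differs")
    return exceptions


def release_decision(inv, po, receipt, vendor, paid_invoice_numbers):
    """Return ("release", []) or ("hold", exceptions)."""
    exceptions = three_way_match(inv, po, receipt) + remit_to_check(inv, vendor)
    if inv.number in paid_invoice_numbers:
        exceptions.append("duplicate-invoice-number")
    return ("release" if not exceptions else "hold", exceptions)


# Constructed records.
LINES = {"SRV-NODE-1": Line("SRV-NODE-1", 40, Decimal("2150.00"))}
PO = PurchaseOrder("PO-88120", "Quanta Computer", LINES)
RECEIPT = GoodsReceipt("PO-88120", {"SRV-NODE-1": 40})
VENDOR = VendorRecord("Quanta Computer", "ACCT-TW-0000-4412", "TW")

# Genuine invoice: matches PO, receipt and the account on file.
GENUINE = Invoice("INV-0341", "Quanta Computer", "PO-88120", LINES,
                  "ACCT-TW-0000-4412", "TW")
# Forged invoice: correct PO, SKU, quantity and price, but remitting to an
# attacker-controlled account reached through a US correspondent bank.
FORGED = Invoice("INV-0342", "Quanta Computer", "PO-88120", LINES,
                 "ACCT-US-9911-2207", "US")
# Over-billed invoice: genuine account, but 45 units billed against 40 ordered.
OVERBILLED = Invoice("INV-0343", "Quanta Computer", "PO-88120",
                     {"SRV-NODE-1": Line("SRV-NODE-1", 45, Decimal("2150.00"))},
                     "ACCT-TW-0000-4412", "TW")

if __name__ == "__main__":
    for inv in (GENUINE, FORGED, OVERBILLED):
        print(inv.number, three_way_match(inv, PO, RECEIPT),
              release_decision(inv, PO, RECEIPT, VENDOR, set()))
```

The point to take from running it is that `three_way_match` returns no exceptions for the forged invoice; only `remit_to_check` holds it. The duplicate-number check in `release_decision` is the cheap version of the duplicate detection discussed later on this page.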
Purchase orders serve an important function, verifying that approved funding is in place, but they don’t confirm that goods or services were actually received. For inventory items, a goods receipt in the warehouse supplies that leg of the P.O. matching process; for non-inventory items such as services, procurement systems rely on the human requester to record a goods receipt or give approval in order to complete the receipt leg of the three-way match.
The problem is that in large organizations (and even smaller ones) business approvers cannot realistically verify that every product or service was received as ordered or contracted. As a result, they fall back on their familiarity with the product or service, or on knowing it’s in the budget, and end up approving invoices as a matter of routine. Unfortunately, that leaves the process open to error or fraud.
Instead of depending entirely on humans, consider a solution with AI auditing technology that can confirm receipt of products or services. For example, AppZen can look at unstructured data such as ticketing systems, badge data, network logins, and tracking numbers. AI can verify whether a product was indeed part of a new shipment and not referenced in previous invoices or already received. Our AI can spot discrepancies and duplicate transactions and recognize invoice patterns that humans can’t easily see, alerting business approvers when it detects a risk so they can make informed decisions.
Rimasauskas was eventually caught and extradited to the United States in 2017, where he was charged with wire fraud, money laundering, and identity theft, although he’s only pleaded guilty to wire fraud. He now faces up to 30 years in prison.
“Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme,” said U.S. Attorney Geoffrey Berman in a statement, “but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.”
But even though the indictment mentions co-conspirators, Rimasauskas is the only person who has been charged in connection with the crime, meaning he’s potentially part of a larger organization lurking in cyberspace. The risk from similar swindles is growing fast: the FBI’s Internet Crime Complaint Center warns that BEC scams are up by 1,300% since 2015 and estimates that companies have been defrauded of more than $3 billion.
Reviewing every invoice you receive is critical if you want to protect your company from falling victim to scams like the one that targeted Facebook and Google. With AppZen’s AI platform, you can audit 100% of your invoices before you pay them, flagging only high-risk spend like errors or fraud for manual review.