Phishing makes the headlines for stealing personal data, but it is a criminal cyber attack called "invoice fraud" or "business email compromise" (BEC) that is the most financially devastating for business firms. Attempted losses to this scam run into the billions of dollars and are on the rise.
Google lost some $23 million while Facebook was fleeced out of $100 million over a period of two years by a Lithuanian man named Evaldas Rimasauskas. According to U.S. Department of Justice (DOJ), Rimasauskas, 50, "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of (Google and Facebook), and which bore false corporate stamps embossed with (their) names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."
Google and Facebook wired funds to Rimasauskas' "bank accounts in Latvia and Cyprus." The money was then, "quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong," said the DOJ.
Rimasauskas was eventually arrested, extradited to the United States and pleaded guilty to wire fraud just last week. Google and Facebook say they recovered most of the money they wired to him.
Cybersecurity experts describe invoice fraud as a scheme in which a criminal pretending to be a business partner or vendor convinces a target company to transfer large sums of money to an offshore account as "payment" for services or goods that were never delivered.
For the scam to work, the criminal has to convincingly spoof the email address of a known business partner such as an attorney or vendor, either by forging the sender address outright or by sending from a lookalike domain that differs from the real one by a character or two. The criminal then emails a convincing invoice or demands a wire transfer for the services supposedly rendered. Often the victim's accounting office does not realize it is fraud and sends the money, because the request arrives through the same channel and in the same format as legitimate invoices.
Cybersecurity experts warn that invoice fraud is the biggest cybersecurity problem facing businesses today because it inflicts immediate, and sometimes devastating, financial losses. In contrast, better-known attacks such as consumer phishing mostly cause indirect and reputational damage by stealing client details such as social security numbers, addresses and passwords.
Experts cited the case of a U.S. trading firm that lost over 60 percent of its total capital to business email compromise in just 21 days. And, of course, one wonders how Google and Facebook could allow themselves to be duped out of tens of millions of dollars by a lone Lithuanian.
The FBI reports that the amount of money invoice fraud scammers attempted to steal jumped 136% between December 2016 and May 2018. Overall, email scammers targeted more than $12 billion worldwide between October 2013 and May 2018.
The FBI and the Department of Homeland Security have published practical steps that will help business firms avoid invoice fraud.
Firms must inform employees of how this type of fraud works and how they should handle invoices. The feds say firms should be especially alert when payment terms suddenly change, or a vendor asks for funds to be sent to a different bank account than usual. Any such change should be confirmed with the vendor through a channel other than the email that requested it, for example by calling a phone number already on file rather than one printed on the new invoice.
Firms should also consider requiring two people to sign off on all payment transfers, instead of having one person responsible.
It is also wise to talk to the bank about building special protocols (such as voice verification for new payees or large transfers) into the wire transfer process.
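The warning signs above (a sender who is not really the vendor, a changed bank account or payment terms, and a large transfer with a single approver) can be checked mechanically before an invoice reaches the person who releases the wire. The following is an added example, not code from the original article or from the FBI/DHS guidance: the vendor record, the approval threshold, the homoglyph table and the sample invoices are all constructed for illustration, and the `.example` domains and account numbers are placeholders.

```python
"""Screening rules for an incoming vendor invoice (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed vendor master (constructed): vendor name -> the e-mail domain the
# vendor really uses and the bank account already verified out of band.
VENDOR_MASTER = {
    "Acme Hardware Ltd": {
        "domain": "acme-hardware.example",
        "bank_account": "GB29NWBK60161331926819",
    },
}

# Hypothetical policy: transfers at or above this amount need a second approver.
DUAL_APPROVAL_THRESHOLD = 10_000

# Substitutions commonly used to build lookalike domains; applied to both sides
# before comparison so "hardvvare" and "hardware" normalize to the same string.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    amount: float
    bank_account: str
    changed_terms: bool = False  # e.g. "please pay to our new account from now on"


def _normalize(domain: str) -> str:
    d = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, vendor_domain: str) -> bool:
    """True when the sender domain is NOT the vendor's but is close enough to impersonate it."""
    if sender_domain.lower() == vendor_domain.lower():
        return False
    s, v = _normalize(sender_domain), _normalize(vendor_domain)
    return s == v or _edit_distance(s, v) <= 2


def screen_invoice(inv: Invoice) -> list[str]:
    """Return the list of red flags for an invoice; an empty list means no rule fired."""
    findings: list[str] = []
    record = VENDOR_MASTER.get(inv.vendor_name)
    if record is None:
        return ["unknown vendor: no master record, do not pay"]

    sender_domain = inv.sender_email.rsplit("@", 1)[-1]
    if sender_domain.lower() != record["domain"]:
        if is_lookalike(sender_domain, record["domain"]):
            findings.append(
                f"lookalike sender domain {sender_domain!r} (vendor on file: {record['domain']!r})"
            )
        else:
            findings.append(
                f"sender domain {sender_domain!r} does not match vendor domain {record['domain']!r}"
            )
    if inv.bank_account != record["bank_account"]:
        findings.append("bank account differs from vendor master: confirm by phone on a number already on file")
    if inv.changed_terms:
        findings.append("payment terms changed: confirm with the vendor out of band")
    if inv.amount >= DUAL_APPROVAL_THRESHOLD:
        findings.append(f"amount {inv.amount:,.2f} requires a second approver")
    return findings


if __name__ == "__main__":
    # Constructed sample: an impersonation of the vendor on file, sent from a
    # lookalike domain, asking for a large payment into a new account.
    suspicious = Invoice(
        vendor_name="Acme Hardware Ltd",
        sender_email="billing@acme-hardvvare.example",
        amount=23_000_000.0,
        bank_account="CY17002001280000001200527600",
        changed_terms=True,
    )
    for flag in screen_invoice(suspicious):
        print("FLAG:", flag)
    legit = Invoice("Acme Hardware Ltd", "ar@acme-hardware.example", 500.0, "GB29NWBK60161331926819")
    print("legit invoice flags:", screen_invoice(legit))
```

The point of the bank-account and payment-terms rules is that they fire on the change itself, regardless of how convincing the invoice looks; the out-of-band confirmation must use contact details that were on file before the suspicious email arrived, never the ones in the email. The lookalike rule only catches near-misses of the vendor's own domain; an attacker who has actually taken over the vendor's mailbox will pass it, which is why the account-change rule is the one that matters most.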
Companies that think they might be a victim should immediately contact the bank that sent the wire and request a recall; the chances of recovery drop sharply once the funds have been moved on to other accounts, which in the Rimasauskas case happened within days. They should also preserve all messages, invoices and other evidence associated with the fraud.
Victims can file a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.