Evaldas Rimasauskas, a Lithuanian national who targeted employees at Google and Facebook with spear-phishing attacks by impersonating a vendor company and swindled $121 Million (£92 million) from both companies between 2013 and 2015, has been sentenced to five years in prison and fined over $49.7 million by the Manhattan federal court today.
Between 2013 and 2015, Rimasauskas impersonated a vendor company named Quanta Computer and demanded payments for goods and services from Google and Facebook employees. He interacted with them via phishing e-mails.
Once he received the said payments, he transferred the money to a number of banks located in countries like Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. The successful phishing attack not only revealed that even large firms like Google and Facebook are vulnerable, but also the fact that they kept silent about it even after they discovered that they were tricked.
Rimasauskas pleaded guilty for committing the said cyber crimes before the Manhattan federal court in March this year after he was extradited by US authorities in August 2017 to face justice in the country.
"Evaldas Rimasauskas devised an audacious scheme to fleece U.S. companies out of more than $120 million, and then funneled those funds to bank accounts around the globe. Rimasauskas carried out his high-tech theft from halfway across the globe, but he got sentenced to prison right here in Manhattan federal court," said U.S. Attorney Geoffrey S. Berman.
According to a press release issued by the US Department of Justice, aside from sentencing Rimasauskas to five years in prison, the court ordered him to "serve two years of supervised release, to forfeit $49,738,559.41, and to pay restitution in the amount of $26,479,079.24."
Cyber criminals continue to rob large organisations through BEC scams
Even though Google and Facebook eventually recovered the lost funds and Rimasauskas has been forced to face justice, many organisations across the world have suffered irrecoverable losses to similar BEC scams and are struggling to identify fraudsters or to trace their lost money.
As recently as in November, Nikkei announced that an employee at its US subsidiary was duped by a cyber criminal into transferring as much as $29 million (£22.6 million) to the latter's account.
"In late September 2019, an employee of Nikkei America, Inc. (New York City, United States) ("Nikkei America"), a subsidiary of Nikkei Inc. ("Nikkei"), had transferred approximately 29 million United States dollars (approximately 3.2 billion Japanese Yen) of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei.
"Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations. We are investigating and verifying the details of the facts and causes of this incident," the company said in a press release.
In 2017, employees at India's only government-owned airlines company Air India fell for a phishing scam orchestrated by Nigerian hackers who posed as employees of Pratt & Whitney and duped the latter into transferring $300,000 (£230,905) to a bank account located in Nigeria.
In September 2017, a scammer also conned MacEwan University in Canada out of 11.8 million CAD after he convinced employees to change payment details for a vendor using email communications. After the phishing attack was discovered, the university said that "controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed."