On March 20, Evaldas Rimasauskas, a Lithuanian national, pleaded guilty to one count of wire fraud in an indictment returned in 2017 in the Southern District of New York, for his conduct of a business e-mail compromise (BEC) scheme that led to defrauding Google and Facebook out of $123 million.
According to the Indictment’s allegations, from 2013 through 2015, Rimasauskas orchestrated a fraudulent BEC scheme designed to deceive Google and Facebook (named in the indictment only as “Victim 1,” “Victim 2,” or “the Victim Companies”) into wiring funds to bank accounts that Rimasauskas controlled. In particular, Rimasauskas
registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2. Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.
The emails, which purported to be from employees and agents of Company-1,
were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1. This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.
After Google and Facebook wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas
caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. [He] also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
Google reportedly sent more than $23 million and Facebook nearly $100 million to bank accounts that Rimasauskas controlled. Google stated that it has recouped its money, and Facebook stated that it recovered most of its money.
Note: The Rimasauskas case is a particularly prominent example of how cybercriminals can set up and carry out a BEC scheme with relative ease. The total gross proceeds it obtained, and the size of the companies that Rimaskauskas defrauded, make it one of the largest BEC schemes conducted in recent years. By contrast, the FBI’s 2018 Operation WireWire against international BEC schemes resulted in the seizure of nearly $2.4 million and the recovery of approximately $14 million in fraudulent wire transfers.
Chief Information Security Officers, Chef Compliance Officers, and comptrollers in companies of all types and sizes should use this case as an opportunity to compare notes about their companies’ external fraud programs and test whether their business processes would detect the kind of BEC scheme that Rimasauskas conducted in this case.