That the phisher was able to dupe the companies, which work with social media, is perhaps the biggest surprise.
A man from Lithuania has been arrested after he conned two large technology firms out of $100 million in an elaborate phishing scheme.
The US Department of Justice (DoJ) said on Tuesday that Evaldas Rimasauskas orchestrated a phishing scheme which targeted US technology giants specifically, and he was able to swindle $100 million by pretending to be a legitimate business partner of at least one of the victims.
The 48-year-old allegedly opened a company with the same name as a legitimate Asian manufacturer in Latvia, alongside multiple bank accounts in both the Eastern European country and Cyprus.
Rimasauskas then allegedly pretended to be the Asian company -- which "regularly conducted multimillion-dollar transactions" with the first unnamed victim and persuaded employees to deposit cash into his bank accounts through emailed messages and email addresses crafted to look like the legitimate Asian PC hardware maker.
The surprising thing may not be that the talented scammer allegedly conned so much out of the two US companies -- while $100 million is a lot to us, for tech giants this is a drop in the ocean -- but that the phishing scheme worked well against companies in the technology sector in the first place.
To make matters worse, the first company is a "multinational technology company," while the second is a "multinational online social media company," and while unnamed, should really have procedures and staff training in place to prevent this happening in the first place.
According to US prosecutors, the stolen money was first wired to the accounts in Latvia and Cyprus before being quickly transferred to other accounts worldwide, including some hosted in Slovakia, Lithuania, Hungary, and Hong Kong.
In order to prevent suspicions being raised at these banks, Rimasauskas forged invoices, contracts, and letters which appeared to have been signed off by executives from the two US victims.
However, suspicions were at last raised at the banks in question and law enforcement began tracking the phisher down.
Rimasauskas is being charged with one count of wire fraud and three counts of money laundering, each of which could land the Lithuanian with 20 years in prison if found to be guilty. In addition, the 48-year-old is also being charged with aggravated identity theft, which carries a minimum sentence of two years behind bars.
"From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control," Acting US Attorney Joon H. Kim said. "This case should serve as a wake-up call to all companies -- even the most sophisticated -- that they too can be victims of phishing attacks by cyber criminals."
"We thank the companies and their banks for acting quickly, coming forward promptly, and cooperating with law enforcement; it led not only to the charges announced today, but also the recovery of much of the stolen funds," Kim added.
The prosecution comes from the DoJ's Complex Frauds and Cybercrime Unit.