Google and Facebook Fell for Invoice Scam That Cost the Companies $100M

Evaldas Rimasauskas, a Lithuanian citizen, concocted a brazen scheme that allowed him to bilk Facebook and Google out of more than $100 million. The crime defrauded Google of $23 million and Facebook of $99 million.

Rimasauskas committed the crimes between 2013 to 2015, an indictment was issued in 2017, and he was formally indicted Wednesday in New York after he pleaded guilty to wire fraud, aggravated identity theft, and three counts of money laundering.

"As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece U.S. companies out of over $100 million, and then siphoned those funds to bank accounts around the globe," said U.S. Attorney Geoffrey S. Berman in a DoJ press release.

How did he do it? The indictment reveals that he simply billed the companies for the amounts and they paid the bills. Rimasauskas was able to trick company employees into wiring the money to multiple bank accounts that he controlled and had set up in institutions in Cyprus, Lithuania, Hungary, Slovakia, and Latvia.

The invoices were sent in the name of Quanta Computer, one of the largest computer and electronics manufacturers in all of Asia. Quanta supplies or has supplied products to most of the world's largest electronics companies, including Apple, HP, Lenovo, and others. Quanta is also one of the major manufacturers of hardware products for Google and Facebook.

While Google is better known for its software, the company has a robust and growing hardware business that includes Chromebook computers, Pixel phones, smart speakers, and the Nest line of home security products and thermostats. Facebook has a smaller hardware business consisting of video cameras under the Portal name that they are struggling to sell.

To convince employees at the two companies to wire these funds, Rimasauskas sent forged invoices, letters, and contracts that looked as if they were written by executives of these companies authorizing the payments. They even forged corporate stamps.

Once Rimasauskas received the funds in his accounts, he tried to cover his tracks by redistributing the money to other bank accounts he held in six other countries.

In his guilty plea Wednesday, Rimasauskas agreed to forfeit nearly $50 million to the United States, which represents the amount of the proceeds traceable to the offense of the first count of the indictment that the defendant personally obtained.

Rimasauskas could receive a maximum sentence of 30 years of jail time if he's found guilty of the charges, including wire fraud, aggravated identity theft, and three counts of money laundering charges. Sentencing will occur in July.

Apparently, this type of crime is on the rise. The FBI's Internet Crime Complaint Center issued a warning in 2016 that such attacks have amounted to more than $3 billion in three years.

This incident was first reported by Bleeping Computer.