Cyber Incident Victim: Meta
Date: Jan 2013
Location: United States of America
Summary
Facebook and Google were defrauded of over $100 million through a sophisticated phishing scheme in which a Lithuanian individual impersonated an Asia-based manufacturer, sending fraudulent emails and forged documents to employees. Facebook recovered the majority of the funds and cooperated with authorities, and both firms confirmed falling victim to the multi-year scam, which used falsified invoices and contracts designed to mimic legitimate business communications. The incident highlighted vulnerabilities to 'CEO fraud' tactics that exploit high-value transactions and internal verification processes.
Description
In March 2017, the US Department of Justice announced charges against Lithuanian national Evaldas Rimasauskas for orchestrating a multi-year phishing scheme targeting two unnamed US-based internet companies, later confirmed by Fortune in April 2017 to be Facebook and Google. The fraudulent activity occurred between at least 2013 and 2015, during which Rimasauskas allegedly impersonated a legitimate Asia-based manufacturer with which both companies regularly conducted multimillion-dollar transactions. Attackers sent phishing emails to employees and agents of the victim organizations from spoofed email accounts designed to resemble authentic communications from the Asian company. These emails were accompanied by forged invoices, contracts, and letters that fraudulently appeared to bear the signatures of executives from both Facebook and Google. The scheme resulted in the companies wiring over $100 million to bank accounts controlled by the perpetrator, with the fraudulent requests strategically timed to coincide with the end of business hours to complicate verification processes.

Facebook publicly acknowledged its involvement in the incident in April 2017, confirming it had recovered the majority of stolen funds shortly after detecting the fraud. The company cooperated with law enforcement investigations but did not disclose the exact amount transferred or recouped. Google similarly reported detecting the fraud against its vendor management team, alerting authorities, and recovering all misdirected funds, though it likewise withheld specific financial details. The US Department of Justice emphasized that the attackers exploited established business relationships between the victims and the impersonated manufacturer, leveraging forged documentation to bypass standard verification procedures. Europol’s contemporaneous reporting contextualized the attack as part of a rising trend in sophisticated "CEO fraud" phishing campaigns, which exploit organizational transitions such as mergers to create internal confusion. No technical system breaches or malware deployments were cited in the incident; the compromise relied entirely on social engineering and document forgery targeting financial workflows.
