
Cyber Incident Victim: Google

Date: Jan 2013

Location: United States of America

Summary

Google and Facebook were defrauded of over $100 million through a sophisticated phishing scheme where a Lithuanian individual impersonated an Asian manufacturer, sending deceptive emails and forged documents to employees handling vendor transactions. The scammer utilized fraudulent invoices and contracts appearing to be authorized by company executives, targeting the firms during periods of operational flux. Both companies recovered the majority of the funds, with one promptly alerting authorities and cooperating in the investigation leading to the perpetrator's arrest. The incident highlights advanced phishing tactics, including CEO fraud, which exploits internal uncertainties during significant business activities.


Description

Between 2013 and 2015, Google and Facebook were defrauded of over $100 million through a sophisticated phishing scheme orchestrated by Evaldas Rimasauskas, a Lithuanian national. Rimasauskas impersonated an Asia-based manufacturer with which both companies regularly conducted multimillion-dollar transactions. He sent fraudulent emails to employees and agents of the companies, using addresses designed to mimic legitimate correspondence from the Asian firm. These phishing emails contained forged invoices, contracts, and letters that appeared to bear the signatures of company executives. The scheme exploited established business relationships, with fraudulent payment requests timed to coincide with business closures to hinder verification. The U.S. Department of Justice disclosed the unnamed victims in March 2017, later confirmed by Fortune in April 2017 as Google and Facebook. Rimasauskas was arrested and charged with orchestrating the scam, which specifically targeted the companies' vendor management teams responsible for processing large financial transactions.

Google detected the fraud internally and alerted law enforcement, subsequently recouping the transferred funds. Facebook recovered the majority of its losses shortly after discovering the incident and cooperated with authorities. Neither company disclosed exact financial losses or recovery timelines. The DOJ highlighted the use of falsified corporate documentation and executive impersonation to bypass internal controls. This incident exemplified 'CEO fraud,' a phishing subtype exploiting hierarchical authority and time-sensitive requests. Europol contemporaneously noted increased sophistication in such scams, particularly those leveraging corporate events like mergers to create internal confusion. Both organizations resolved the matter through law enforcement collaboration but did not disclose procedural changes or system vulnerabilities enabling the fraud. The case demonstrated the effectiveness of cross-border legal action, as Rimasauskas faced U.S. charges despite operating from Lithuania.
