The world wide web can be a pretty hectic place if you’re careless. Things like malware, ransomware, and phishing are part of our daily internet experience. As long as you know what they mean and how to protect yourself against them, you shouldn’t be affected. But one wrong step and hackers can walk away with some of your cash or access to your private data. Even if you’re Google or Facebook. And it turns out a hacker scammed these internet giants out of over $100 million.
Last month, the US Department of Justice indicted a Lithuanian man for “orchestrating a fraudulent business email compromise scheme that induced two U.S.-based internet companies,” CNET reports.
At the time, the DOJ did not reveal what these companies are, but Fortune discovered they’re none other than Google and Facebook.
You’d think that the employees of internet companies would be even better trained than regular people at spotting malicious attacks. But if the hackers sound convincing enough, they might still get away with the scam. At least initially.
Evaldas Rimasauskas, a 40-something man, came up with the scheme in 2013. He forged email addresses, invoices, and corporate stamps to impersonate a large Asian-based manufacturer that did business with these companies regularly.
Rimasauskas impersonated Quanta Computer, Fortune’s investigation revealed. Over two years, Rimasauskas convinced the accounting departments of both Facebook and Google to make transfers of over $100 million, which were then stashed in banks in Eastern Europe. The man says he didn’t do it.
It appears this type of heist is pretty common, but the operation targeting Google and Facebook stood out for its scale, a person familiar with the investigation started by the US Attorney’s Office in Manhattan. Apparently, Facebook approached law enforcement, looking to get its money back.
“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” Facebook confirmed to Fortune.
Google also confirmed the fraud. “We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds, and we’re pleased this matter is resolved,” a Google spokesperson said.
However, neither company disclosed the scam in any of the documentation they regularly file with the SEC.