No one wants to admit they fell for an email phishing scam, much less admit how much it ended up costing them. This time, the victims were tech giants Facebook and Google, and the price tag was a hefty $100+ million from 2013 to 2015. A basic email phishing scam did the trick. Facebook and Google employees fell for a classic and painfully common phishing scam, “Send us money,” and boy did they ever. Red faces aside, both companies learned a very pricey lesson: employees are often the first line of defense against email phishing. It’s not exactly a revelation, just the simple truth.
This time, authorities found and charged the man behind the scam, a Lithuanian citizen with the last name Rimasauskas, who ran the scheme from his home country. It was incredibly effective: the perpetrator “forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents,” according to authorities. Many scam emails were sent to Facebook and Google employees, with Rimasauskas posing as the Taiwan-based Quanta Computer company, a real supplier that does multi-million dollar business with both Facebook and Google.
The emails contained very legitimate-looking invoices, including fake supporting documents and corporate seals. Employees assumed the invoices were part of business as usual, paying them and many others. According to US Attorney Geoffrey Berman, the mastermind “thought he could hide behind a computer screen halfway across the world…but as he has learned, the arms of American justice are long, and he now faces significant time in a US prison.”
Although it’s cold comfort that the perpetrator was finally caught, both Facebook and Google learned the most basic of lessons: email phishing attacks work. Even though the scheme had a solid plan behind it, what actually enabled it was nothing more than fake invoices sent via email. It was that simple. Although Facebook and Google recouped much of their losses, the lessons from this catastrophic fraud are basic and can be applied by everyday users.
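The control that would have stopped invoices like these is a check of every payment request against the vendor master record rather than against the email itself. The following is an added example, not code from the original article or from either company; the vendor domain, bank account, phone number and approval threshold are constructed placeholders, and the function holds an invoice when the sender domain is unregistered (flagging lookalikes), the Reply-To points elsewhere, the bank account differs from the record, or the amount is large enough to require an out-of-band callback.

```python
"""Invoice-verification check for vendor-impersonation BEC (added example).
All vendor data below is constructed; none of it is a real record."""
import difflib
from dataclasses import dataclass

# Constructed vendor master: the only trusted source of payee details.
VENDOR_MASTER = {
    "Quanta Computer": {
        "sender_domains": {"vendor-example.com"},  # placeholder domain
        "iban": "GB00EXAMPLE0000000001",           # placeholder account
        "callback_phone": "+000-000-0000",         # placeholder number
    }
}
HIGH_VALUE = 50_000  # constructed policy threshold requiring a callback


@dataclass
class Invoice:
    vendor: str
    sender_email: str
    iban: str
    amount: float
    reply_to: str = ""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_invoice(inv: Invoice) -> list[str]:
    """Return the reasons this invoice must be held; empty means it may be paid."""
    record = VENDOR_MASTER.get(inv.vendor)
    if record is None:
        return ["unknown vendor: not in vendor master"]
    holds = []
    domain = _domain(inv.sender_email)
    if domain not in record["sender_domains"]:
        # A near-match to the registered domain is the classic lookalike trick.
        near = difflib.get_close_matches(domain, sorted(record["sender_domains"]), n=1, cutoff=0.8)
        msg = f"sender domain {domain!r} not registered for vendor"
        if near:
            msg += f" (lookalike of {near[0]!r})"
        holds.append(msg)
    if inv.reply_to and _domain(inv.reply_to) != domain:
        holds.append("Reply-To domain differs from sender domain")
    if inv.iban != record["iban"]:
        holds.append("bank account differs from vendor master; confirm via registered callback number")
    if inv.amount >= HIGH_VALUE:
        holds.append(f"amount >= {HIGH_VALUE}: out-of-band confirmation required")
    return holds
```

The point of the callback rule is that confirmation goes to the number already on file, never to a contact taken from the suspicious email.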
Hackers take any information they can find on individuals on social media, especially from work-related sites like LinkedIn. The PII (Personally Identifiable Information) found on these sites supplies ammunition for email phishing. A job title and a description of work duties posted on LinkedIn tell an attacker exactly how to get targeted emails into an inbox, emails that are very likely to be opened and acted upon. Remember, these emails often contain malware attachments and links that redirect the user to bogus websites designed to steal even more PII. Always carefully consider what information about your organization and role you disclose on social media. Be vague, especially if you work in a finance or human resources related department. The information you make public may be used against you in a business email compromise (BEC) attack like this one.
Companies, on the other hand, need to educate employees about a basic threat like email phishing and how to avoid it. Company staff need to be aware of just how much PII they put on social media sites, especially on work-oriented sites like LinkedIn. In the case of the Facebook and Google phishing hack, the perpetrator was caught and faces up to 30 years in prison. But for individuals and small-to-medium-sized businesses that are simply trying to survive, cyber education and attention to PII are key to online survival.