A man used a business email compromise (BEC) scam to defraud two internet companies based in the United States out of 100 million dollars.
On 21 March, the FBI along with the U.S. Attorney’s Office for the Southern District of New York announced criminal charges against Evaldas Rimasauskas, 48, of Vilnius, Lithuania. Lithuanian authorities arrested Rimasauskas in mid-March. They did so on the basis of a provisional arrest warrant that alleges the man orchestrated a wire fraud scheme that targeted U.S. firms.
In or around 2013, Rimasauskas set his plan in motion when he incorporated a company in Latvia (“Company-2”) that bore the same name as a computer hardware manufacturer based in Asia (“Company-1”). He also opened numerous bank accounts for Company-2 in Latvia and Cyprus.
From there, it was just a matter of perpetrating a business email compromise (BEC) scam against companies that regularly dealt with Company-1. But unlike regular BEC ruses, which have cost victims more than $3 billion since 2013, Rimasauskas didn’t hack any email accounts belong to Company-1. He instead relied on the similarities between Company-1 and Company-2 to work in his favor.
The U.S. Department of Justice elaborates on this point in a blog post:
“… [F]raudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS. These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1. This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.”
In total, Rimasauskas stole $100 million from two victim U.S. companies, a multinational technology company and a multinational social media company. Once they wired over the funds, he moved them to bank accounts under his control. He even forged letters that appeared to have originated from the Victim Companies to authorize the account transfers.
Rimasauskas is charged with one count of wire fraud and three counts of money laundering, each of which carries a maximum sentence of 20 years in prison. He also faces one count of aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.
Organizations can protect themselves against attackers like Rimasauskas by educating their employees about phishing attacks. This resource is a good place to start.