Google, Facebook Employees Targeted In $100M Phishing Scam

When the Justice Department recently said that two major tech companies had paid out a total of $100 million to a scammer posing as a hardware manufacturer, it chose to not name the businesses that had been conned. But now, both Google and Facebook are confirming that they were the ones victimized by this phishing scheme.

Some background, first: According to federal officials, the scam dates back to 2013, when a Lithuanian man named Evaldas Rimašauskas allegedly used fake email addresses, invoices, and corporate stamps and pretended to be a large manufacturer that regularly did business with two companies.

He is then accused of emailing employees at the two companies and tricking them into transferring $100 million worth of payments to him.

In March, Taiwan-based Quanta Computer Inc. acknowledged that the alleged scammer had impersonated the company to deceive his victims. However, the DOJ remained mum on the identities of the targeted companies: In the initial press release issued by the agency, the victims were only identified as a “multinational technology company, specializing in Internet-related services and products” and “a multinational corporation providing online social media and networking services.”

Now, Fortune says an investigation has revealed that the first company is Google, and the second is Facebook. Both companies confirmed to the site that they paid money to the impostor.

“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” a company spokesperson said.

Google also admitted it was a victim.

“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved,” a Google spokesperson told Fortune.

Why would the DOJ remain silent on the identities of the companies? The U.S. Attorney’s office in Manhattan declined to explain, but sources told Fortune that the DOJ will probably name the tech companies after Rimašauskas is extradited, possibly in a few months.

Fortune raises another good question, noting that neither company informed investors about the wire fraud scam: As publicly traded companies, should Google and Facebook be required to disclose such an incident as a “material event” — something that affects an organization’s strategic direction, mission, or business operation — to their shareholders?

It depends on the nature of the incident, a former head of the Securities and Exchange Commission explained to Fortune: If it’s just a matter of losing some money — in this case, practically petty change for the tech giants — then it might not be material enough to merit a disclosure.

Money isn’t always the most important factor, however, as a company’s reputation can be seriously dinged by such incidents. Yahoo learned that lesson the hard way when Verizon required it to prove that the massive data breach that affected at least 500 million Yahoo users was not a material event.

Both Google and Facebook declined to comment to Fortune on that front, but insiders indicated to the site that the scam wasn’t material enough to warrant a disclosure.