Blake Dowling
From 2013 to 2015, Evaldas Rimasauskas sent fraudulent invoices totaling over $100 million to tech giants. Google and Facebook allegedly paid them.
Evaldas was the godfather of a new way for hackers and criminals to use cyber tools to defraud us.
Legal Match calls this type of crime invoice fraud.
Invoice fraud? The marketing team over at Legal Match must have worked many seconds on that catchy name, right? Regardless, it is becoming a massive problem.
The FBI refers to this as another type of Business Email Compromise (BEC attack) crime as the invoices are generally sent via email. For example, requests for gift cards, wire transfers, or other email fraud, make sure this type of crime is on your radar.
For today’s exercise, let’s call this type of crime “invoiceseption” or “fraudvoice.” (Thank you ChatGPT.)
So, how did Evaldas pull off this cyber caper?
First, he did his homework. From his home in Lithuania, Evaldas located an actual vendor doing business with both tech companies and impersonated that company.
The vendor he impersonated was an Asia-based firm named Quanta Computer Inc.
Evaldas registered a company in Latvia with the same or similar name, stole their logo, and forged contracts and corporate stamps. We assume he also registered fake websites for emails resembling Quanta’s actual domain and email accounts.
Once Evaldas was in gear, he launched invoices to American tech giants and soon thereafter started collecting massive sums of money.
Unable to avoid the law, Evaldas was eventually caught in 2019. He was sentenced to five years in jail in New York and ordered to pay back the money.
Even though Evaldas is behind bars, his ideas have influenced many cybercriminals. Why go to all the trouble of buying ransomware tool kits on the dark web or taking time to hack into a network when you can just send fake invoices?
In Florida, we are starting to see an uptick in this type of crime.
Last year, a fake invoice was sent to the City of Ft. Lauderdale, which appeared to be from Moss Construction. That company was doing real work for the city (building a police station), so the criminals did their homework. They also had documentation and forms used by vendors of local government that further added to their appearance of legitimacy. Further complicating things for law enforcement, once the bill was paid, the money went to legitimate accounts of other victims of the criminal network (these victims were allegedly in a con involving romance/fake dating relationships).
However, this story ends on the right note — red flags went up when the funds hit the financial institution in question.
Banks became the hero in this story.
They saw the transactions, tagged them as suspicious, froze the funds, and returned them to the city. The highly complex nature of this crime suggests a large network of hackers is involved in falsifying the documents, entangling other victims, and launching fake invoices. It is not just Ft. Lauderdale that was a victim; the City of Tallahassee had something similar happen, although details are scarce.
In the Tallahassee saga, there does not appear to be a happy ending.
A report from the Tallahassee Democrat this week said that $1 million was indeed sent to someone impersonating a city vendor; that money is gone.
What does this mean for you and me? Expect fraudvoice to land on your doorstep this year.
Once hackers stop working over the cities and municipalities, they will move to the private sector with even more gusto. Tech giants now know what to look for, so they will move to smaller fish. So make sure your checks and balances regarding accounts payable are in order and avoid interception at all costs.
Estimates say this type of crime has already targeted thousands of smaller companies.
This Spring, three Florida men were charged with running a fake invoice scheme focusing on the cleaning products industry. These criminals do not look to have put in the time as the construction company fraud, they appear to have made up fake companies and sent invoices for products which some people paid. According to the New York Daily Record, over 3 million were collected by hundreds of victims.
This type of crime is part of a new reality of the vicious tech hacking landscape we all must navigate. Once again, it is time to prepare and ensure your team members are not caught off guard.
Check every box on defensive tools, protocols, and training, and make sure you are protected. I spoke with a client just last week who caught a fake wire fraud attempt by having a process in place to call management before wiring funds.
This process prevented a massive headache for them (and a six-figure payday for hackers).
The list of cyber threats is getting pretty long.
There are ransomware, malware, romance schemes, gift card cons, smishing, phishing, text scams, deepfake videos, fake invoices, and many others, like the incident that just hit the Florida Department of Health.
Knowing is half the battle (yes, I just quoted the GI Joe cartoon from the 80s).
So, shore up your defenses and remember — if you fall victim to this type of crime, you will be paying the price for a long time (and the invoice, too).
