Lithuanian man tricks Facebook and Google into paying $176 million worth of fake invoices

Facebook and Google were defrauded out of US$99m and US$23m respectively. Photo / AP

A Lithuanian scammer tricked Facebook and Google into handing over more than US$122 million ($176.5m), simply by sending them fake invoices.

Evaldas Rimasauskas faces up to 30 years in prison after pleading guilty to wire fraud in a New York court last week over the fraudulent business email scheme.

The 50-year-old Lithuanian citizen was extradited to the US in August 2017 after being arrested by Lithuanian authorities in March that year.

"As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece US companies out of US$100 million, and then siphoned those funds to bank accounts around the globe," Manhattan US attorney Geoffrey S. Berman said in a statement.

"Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a US prison."

The victim companies, while not named in the indictment, have been identified in earlier media reports as Google and Facebook, which were defrauded out of US$23m and US$99m respectively.

Between 2013 and 2015, Rimasauskas targeted employees at the two companies with phishing emails designed to look like invoices from major Asian hardware manufacturer Quanta Computer Inc., with which they "regularly conducted multimillion-dollar transactions".

Rimasauskas registered and incorporated a company in Latvia with the same name and used it to open bank accounts in Latvia and Cyprus. His emails "purported to be from employees and agents" of Quanta Computer and "were sent from email accounts designed to create the false appearance" of being legitimate.

As soon as the money was wired into his bank accounts, Rimasauskas quickly transferred the funds to different bank accounts around the world including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

He also forged invoices, contracts and letters that appeared to have been executed and signed by Facebook and Google employees to convince the banks to transfer the large volumes of funds.

As part of his guilty plea, Rimasauskas has agreed to forfeit just under US$50m, "representing the amount of proceeds traceable to the commission of the offence". It's not clear what has happened to the other US$72m.

A Facebook spokesman said: "Facebook recovered the bulk of the funds shortly after the incident and has been co-operating with law enforcement in its investigation."

A Google spokesperson said: "We detected this fraud and promptly alerted the authorities. We recouped the funds, and we're pleased this matter is resolved."