$100 million whaling scam: A “wake up call” for even the most sophisticated firms.



Last month, the papers reported that two major US technology firms had been deceived by Evaldas Rimasauskas, a Lithuanian criminal, into wiring more than $100 million to bank accounts he controlled, in what has been described as an email whaling scam.

It has now been confirmed that Google and Facebook were the two victim companies. Neither has said exactly how much was transferred or recouped, but both are reported to have recovered most of the funds.

What is whaling?

Whaling is spear phishing aimed at the "big fish": senior executives, or finance staff with the authority to move large sums. The term is also applied, as here, to business email compromise schemes in which criminals impersonate a trusted supplier so that a large corporation's finance department pays genuine-looking invoices into bank accounts the criminals control.

Amazingly, Mr Rimasauskas defrauded both companies from at least 2013 until 2015 by pretending to be Quanta Computer Inc, a Taiwan-based manufacturer that supplies servers and other hardware to major technology companies.

How did Rimasauskas set up the sting?

Rimasauskas registered a company in Latvia under the same name as Quanta Computer Inc, the real supplier with which the victim companies were doing legitimate business, and opened bank accounts in that name.

The sting itself involved emailing Google and Facebook forged invoices, contracts and letters bearing fake Quanta Computer Inc stamps. The victims' finance staff accepted the paperwork, instructed their banks to pay, and the banks duly wired the money into the falsely named accounts Rimasauskas had opened. He then tried to obscure the money trail by layering the cash through further accounts in countries including Latvia, Cyprus, Slovakia and Hong Kong.

Remember that he kept this up for around three years, and that he took over $100 million in total.

How was he caught?

He left "footprints" that eventually led to his arrest. FBI assistant director William F. Sweeney Jr. said: "As alleged, Evaldas Rimasauskas carried out a business email compromise scheme creatively targeting two very specific victim companies. He was initially successful, acquiring over $100 million in proceeds that he wired to various bank accounts worldwide. But his footprint would eventually lead investigators to the truth, and today we expose his lies."

In a statement to Reuters on Monday, Quanta spokeswoman Carol Hu said the company had been "impersonated" as part of the fraud. "Quanta did not suffer from any financial harm from this incident," she added, calling the matter "unfortunate." A slight understatement!

Rimasauskas was arrested and charged by federal prosecutors in New York. The wire fraud and money laundering charges each carry a maximum of 20 years in prison; aggravated identity theft carries a mandatory additional two years.

A “wake up call”

On the surface it seems such a simple criminal concept: set up bank accounts in another company's name, then wave invoices under the nose of a large company that fails to see through the subterfuge.

The real worry is that two of the biggest technology companies in the world fell for it. You can imagine their embarrassment. The sum Rimasauskas extracted is staggering, but the method was the oldest trick in the cybercriminal playbook: company staff taken in by fake email addresses and forged corporate paperwork.

As Acting US Attorney Joon Kim said: "This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals."

How many companies, after reading Monday's news, are now combing through their financial records for any trace of fraudulent payments? If Google and Facebook can be defrauded, it takes little imagination to see other businesses falling for similar scams.

How to avoid being the victim of a phishing/whaling scam

The human element is the weakest point. Businesses need to train their employees to check carefully before approving any payment, and especially before acting on a request to change a supplier's bank details. Educate your employees and run training sessions built around mock phishing scenarios.

Keep all systems up to date with the newest security patches and updates. Install an antivirus solution, schedule signature updates, and monitor antivirus status on all equipment. Bear in mind, though, that these controls protect against malware and account takeover; a scheme like this one carries no malware at all, and a forged PDF invoice from a lookalike sender address will pass every antivirus scanner. Patching is necessary, but it is the payment process that stops invoice fraud.

Make sure your business has effective policies and procedures in place: match every invoice against a purchase order and a goods-received record before it is approved; treat any change to a supplier's bank account as a high-risk event that must be confirmed by calling the supplier back on a phone number already held on file (never the number printed on the invoice or in the email); and require dual authorisation for electronic payments above a set threshold, so that no single employee can release a large transfer on their own.

And most importantly, KEEP training these employees so they recognise the latest malware, social engineering and cybercriminal threats. Companies need to understand how attacks are evolving so that their security policies and controls keep pace with them.

Properly trained employees and appropriately protected systems are crucial when protecting your company from phishing and whaling attacks.
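The three process controls above (sender-domain check, verified-account check, dual authorisation) can be enforced mechanically before any payment is released. The script below is an added example written for this article; it is not code from the original post, from any victim company or from any accounts-payable product. The vendor master record, the invoices, the domain quanta.example, the account identifiers and the approval threshold are all constructed for illustration.

```python
"""Payment-release gate for supplier invoices.

Added example for this article (not code from the original post or from
any company mentioned in it). The vendor master, invoices, domain,
account identifiers and threshold below are constructed for illustration.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str              # domain the real supplier sends from
    verified_accounts: frozenset   # bank accounts confirmed by call-back


@dataclass
class Invoice:
    vendor_name: str
    sender: str                    # From: address on the covering email
    bank_account: str              # account the invoice asks to be paid into
    amount: float
    approvals: frozenset = frozenset()   # approvers who signed off in the ERP


# Payments at or above this amount need two independent approvers (assumed value).
DUAL_APPROVAL_THRESHOLD = 50_000.0

# Constructed vendor master; in practice this comes from the ERP / AP system.
# quanta.example and TW-ACC-0001 are hypothetical placeholders.
VENDOR_MASTER = {
    "Quanta Computer Inc": Vendor(
        name="Quanta Computer Inc",
        email_domain="quanta.example",
        verified_accounts=frozenset({"TW-ACC-0001"}),
    ),
}


def lookalike(domain: str, expected: str) -> bool:
    """True if `domain` differs from `expected` but is close enough to fool a glance.

    Catches both near-identical spellings (edit-distance style) and domains that
    embed the real supplier's name, e.g. quanta-invoices.example.
    """
    d, e = domain.lower(), expected.lower()
    if d == e:
        return False
    similar = difflib.SequenceMatcher(None, d, e).ratio() >= 0.8
    embeds_name = e.split(".")[0] in d
    return similar or embeds_name


def check_invoice(inv: Invoice, master=VENDOR_MASTER) -> tuple[bool, list[str]]:
    """Return (release_ok, reasons). Any reason at all blocks release."""
    reasons: list[str] = []
    vendor = master.get(inv.vendor_name)
    if vendor is None:
        return False, [f"unknown vendor '{inv.vendor_name}'"]

    # 1. Sender domain must be exactly the domain on file for this supplier.
    domain = inv.sender.rsplit("@", 1)[-1]
    if domain.lower() != vendor.email_domain.lower():
        kind = "lookalike" if lookalike(domain, vendor.email_domain) else "foreign"
        reasons.append(f"sender domain {domain} is a {kind} of {vendor.email_domain}")

    # 2. Pay only into accounts verified out-of-band; never trust the invoice.
    if inv.bank_account not in vendor.verified_accounts:
        reasons.append(
            f"account {inv.bank_account} not verified for {vendor.name}; "
            "confirm by call-back to the phone number on file, not the one on the invoice"
        )

    # 3. Large payments need two approvers.
    if inv.amount >= DUAL_APPROVAL_THRESHOLD and len(inv.approvals) < 2:
        reasons.append(
            f"amount {inv.amount:,.2f} needs two approvers, has {len(inv.approvals)}"
        )

    return (not reasons), reasons


if __name__ == "__main__":
    genuine = Invoice("Quanta Computer Inc", "ap@quanta.example",
                      "TW-ACC-0001", 10_000.0, frozenset({"alice"}))
    forged = Invoice("Quanta Computer Inc", "billing@quanta-lv.example",
                     "LV-ACC-9999", 2_000_000.0, frozenset({"alice"}))
    for inv in (genuine, forged):
        ok, why = check_invoice(inv)
        print("RELEASE" if ok else "HOLD", inv.sender, why)
```

The decisive control is the second one: the forged invoice in the example is held even if the sender domain were spoofed perfectly, because the account it names was never confirmed by a call-back to a number already on file. The domain check is a cheap early warning, not a substitute for that verification.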
