Evaldas Rimasauskas from Lithuania was sentenced in Manhattan court for an elaborate invoicing scam that cost Facebook and Google $122 million.

Rimasauskas sent these large US companies fake invoices using spoofed email addresses that were so convincing, seemingly from a lawful company Quanta Computer Inc, from Taiwan, that they paid him a vast sum of money between 2013 and 2015. Facebook is reported to have paid him $99 million while he managed to con Google out of $23 million.

In 2017 when Rimasauskas was first arrested, the two companies were unknown and only identified as “Victim 1” and “Victim 2”. Even during the trial, the names were not officially released but Reuters managed to get hold of a Lithuanian court order after which both companies released statements:

Google:

“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.”

Facebook:

“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation. We are confident that we have the proper controls in place to prevent such attacks in the future.”

Rimasauskas was arrested on charges described as Business Email Compromise (BEC) – also known as “whaling” which is when phishing attacks are aimed at very senior members of the organizations. He also pleaded guilty to charges of fraud, identity theft and money laundering.

He came off lightly with a sentence of five years instead of the 20 he could have been handed. He will serve an added two years of supervised release and has to pay restitution of $26,5 million. In addition, he will forfeit $49.7 million.

The FBI published that email account scams explicate 166,000 incidents globally over the last three years with $26,201,775,589 in exposed dollar loss.