
Google and Facebook Victim of $100 Million in Accounts Payable Fraud: How It Could Have Been Prevented

By Anant Kale
May 28, 2019
in Accounts Payable, Fraud Risk and Analytics, Industry Opinions

By now you may have heard about Evaldas Rimasauskas, the Lithuanian man who pled guilty in March of this year to scamming Facebook and Google out of more than $100 million. Impersonating a company with whom both tech giants do business, Rimasauskas sent fake phishing emails containing forged invoices and convinced the companies to wire funds to bank accounts he controlled.

Business email compromise scheme

The U.S. Department of Justice portrayed the crime as a fraudulent business email compromise (BEC) attack, but it’s worth noting that the victims aren’t small mom-and-pop businesses—they’re sophisticated, well-established companies with mature business processes and state-of-the-art procurement and ERP systems. So why did they fall for this scheme?

Let’s take a look at how the criminals took advantage of common “best-in-class” accounts payable (AP) processes and practices. And more importantly, let’s look at how you can avoid falling victim to a similar hoax.

A sophisticated phishing scam

From 2013 to 2015, Rimasauskas orchestrated a combined phishing and invoice scheme targeting Google and Facebook, who confirmed to NPR that they were the companies referred to by the DOJ as “a multinational technology company” and “a multinational online social media company.”

According to the 2016 indictment filed in the U.S. attorney’s office, Rimasauskas registered and incorporated a company with the same name as Taiwan-based electronics manufacturer Quanta Computer, which supplies computer hardware to major tech companies. He then proceeded to open bank accounts in the company’s name in Cyprus and Latvia.

Next, he sent fake emails and invoices to Facebook and Google and directed unsuspecting employees to wire payments to the fraudulent bank accounts that he controlled. And from those bank accounts in Latvia and Cyprus, Rimasauskas laundered the funds by quickly wiring the money into accounts not only in Latvia and Cyprus, but in Slovakia, Lithuania, Hungary and Hong Kong.

How were the employees fooled by the fake invoices?

Using a fairly common phishing practice, Rimasauskas and his co-conspirators sent spoofed emails—emails designed to look like they came from Quanta accounts—to the companies’ AP departments. Many companies only require vendors to email their invoices to an accounts payable email address; there aren’t any checks in place to ensure that those invoices are coming from a legitimate vendor.

But shouldn’t a human have approved the payment?

As a part of their internal financial controls, most companies require business users to approve invoices. In this case, the approvers were most likely familiar with Quanta and the types of purchases they usually made from them, so they probably had no reason to question the invoices.

Weren’t there purchase orders that the invoices should have matched before they were approved and released for payment?

Yes. It’s not clear from the indictment or news reports how the criminals knew valid P.O. numbers, SKU numbers, pricing, terms, invoice formats or other information for not one but two major companies. One assumption we could make is that they had insider information of some sort from Quanta and therefore could produce invoices with the right PO and line-item information on them.

Why didn’t Facebook and Google realize that the bank accounts to which they were asked to wire money weren’t the same as the Asia-based Quanta accounts on record?

The scammers used correspondent banks in New York and other cities, no doubt realizing that a request to wire funds to Latvia might have aroused suspicion.

How were the companies fooled into transferring such large sums of money?

As some observers have pointed out, the idea that Rimasauskas “just asked the companies for money” sells short the scheme’s high level of sophistication. In addition to being a talented forger, he clearly had in-depth knowledge of big companies’ internal finance operations. Companies like Facebook and Google use advanced invoice and contract management software and follow industry-standard practices such as the three-way match, which verifies price and unit numbers across purchases, invoices, and receipts.

The fact that Rimasauskas was able to skirt these controls indicates that standards like the three-way match may no longer be enough to reconcile documents and prevent overpayments—or outright fraud.

How your organization can prevent invoice fraud

If the sophistication of Rimasauskas’ scheme was able to defeat the best-in-class procurement system and AP process of a Facebook or Google, what hope do companies have for detecting and stopping overpayments? Here are a few strategies that can work.

Use true electronic invoicing with B2B integration

The problem with emailed invoices is that they must either be keyed in manually by AP staff or entered into invoice automation software, leaving you exposed to errors or scams. When it comes to preventing phishing scams, electronic invoicing through an electronic exchange format like XML is a much better option than invoices that are emailed as attachments or even sent by snail mail. You may not be able to control what vendors send to you; however, by putting the right controls and technology in place, you can quickly detect fraudulent invoices before they’re paid.

Add controls to verify bank account activity

A vendor request to add or change a bank account should always require a confirmation phone call or other human verification. Solutions like AppZen use AI and data augmentation techniques to detect suspicious activity even when such requests are made electronically.
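
The account-verification control above, combined with the three-way match described earlier, as an added example that is not from the original article or from AppZen: a forged invoice that copies valid P.O. lines passes the match, and only an independent check of the remit-to account against call-back-verified vendor records holds it. All names, account strings and amounts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price_cents: int


@dataclass
class Vendor:
    name: str
    # Accounts confirmed by calling a phone number already on file,
    # never a number taken from the invoice or the requesting email.
    verified_accounts: set


def three_way_match(po, receipt, invoice):
    """True if invoice price and quantity agree with the P.O. and goods receipt."""
    ordered = {line.sku: line for line in po}
    received = {line.sku: line.qty for line in receipt}
    for line in invoice:
        po_line = ordered.get(line.sku)
        if po_line is None or line.unit_price_cents != po_line.unit_price_cents:
            return False
        if line.qty > po_line.qty or line.qty > received.get(line.sku, 0):
            return False
    return True


def release_decision(vendor, po, receipt, invoice, remit_account):
    """Return (decision, reason); bank details are checked separately from the match."""
    if not three_way_match(po, receipt, invoice):
        return ("HOLD", "three-way match failed")
    if remit_account not in vendor.verified_accounts:
        return ("HOLD", "remit-to account not in vendor master; call-back required")
    return ("PAY", "matched and account verified")


# Constructed sample data (hypothetical vendor, accounts and amounts).
VENDOR = Vendor("Example Supplier Ltd", {"ACCT-ON-FILE-0001"})
PO = [Line("SRV-100", 10, 250_000)]
RECEIPT = [Line("SRV-100", 10, 250_000)]
FORGED_INVOICE = [Line("SRV-100", 10, 250_000)]  # copies valid P.O. lines
OVERBILLED_INVOICE = [Line("SRV-100", 11, 250_000)]

if __name__ == "__main__":
    print(release_decision(VENDOR, PO, RECEIPT, FORGED_INVOICE, "ACCT-NEW-9999"))
    print(release_decision(VENDOR, PO, RECEIPT, PO, "ACCT-ON-FILE-0001"))
```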

Require more than a P.O. number; verify work activity or product fulfillment

Purchase orders serve an important function—they verify that approved funding is in place—but they don’t confirm whether goods or services are actually received. For inventory items, a goods receipt in the warehouse works as part of the P.O. matching process, but for non-inventory items such as services, procurement systems rely on human requestors to perform a goods receipt or provide approval to fulfill the control of a three-way match.

The problem is that in large organizations (or even smaller ones), it’s impossible for business approvers to accurately determine if every product or service was received as ordered or contracted. As a result, they often rely on their familiarity with the product or service or their knowledge that it’s in the budget, and they end up approving invoices as a matter of routine. Unfortunately, this leaves the process open to error or fraud.

Instead of depending entirely on humans, consider a solution with AI auditing technology that can confirm the receipt of products or services. For example, AppZen can look at unstructured data like ticketing systems, badge data, network logins, and tracking numbers. AI can easily verify whether a product was indeed part of a new shipment and not referenced in previous invoices or already received. Our AI can spot discrepancies and duplicate transactions and recognize invoice patterns that humans can’t easily see, alerting business approvers if it detects a risk so they can make informed decisions.

Scammer now behind bars—but more are out there

Rimasauskas was eventually caught and extradited to the United States in 2017, where he was charged with wire fraud, money laundering, and identity theft, although he’s only pleaded guilty to wire fraud. He now faces up to 30 years in prison.

“Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme,” said U.S. Attorney Geoffrey Berman in a statement, “but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.”

But even though the indictment mentions co-conspirators, Rimasauskas is the only person who has been charged in connection with the crime, meaning he’s potentially part of a larger organization lurking in cyberspace. The risk from similar swindles is growing exponentially: The FBI’s Internet Crime Complaint Center warns that BEC scams are up by 1,300% since 2015 and estimates that companies have been defrauded of more than $3 billion.

Reviewing every invoice you receive is critical if you want to protect your company from falling victim to scams like the one that targeted Facebook and Google. With AppZen’s AI platform, you can audit 100% of your invoices before you pay them, flagging only high-risk spend like errors or fraud for manual review. 

Anant Kale is the Co-Founder and CEO of AppZen, where he’s passionate about helping companies audit every dollar of spend with artificial intelligence. As CEO he is responsible for the product vision and execution of the company’s broad mission. Previously he was the VP of Applications at Fujitsu America from 2009-2012, responsible for product management, and delivery of Fujitsu’s applications and infrastructure for enterprise. He has 15+ years of experience in software development. He has an MBA and a BS in Finance and Engineering from Mumbai University.
