Accounts payable fraud is fooling even the largest companies
By now you may have heard about Evaldas Rimasauskas, the Lithuanian man who pleaded guilty in March of this year to scamming Facebook and Google out of more than $100 million. Impersonating a company with whom both tech giants do business, Rimasauskas sent fake phishing emails containing forged invoices and convinced the companies to wire funds to bank accounts he controlled.
The U.S. Department of Justice portrayed the crime as a fraudulent business email compromise (BEC) attack, but it’s worth noting that the victims aren’t small mom-and-pop businesses—they’re sophisticated, well-established companies with mature business processes and state-of-the-art procurement and ERP systems. So why did they fall for this scheme?
Criminals can take advantage of common “best-in-class” accounts payable (AP) processes and practices. But you can avoid falling victim to a similar hoax.
From 2013 to 2015, Rimasauskas orchestrated a combined phishing and invoice scheme targeting Google and Facebook, who confirmed to NPR that they were the companies referred to by the DOJ as “a multinational technology company” and “a multinational online social media company.”
According to the 2016 indictment filed in the U.S. attorney’s office, Rimasauskas registered and incorporated a company with the same name as Taiwan-based electronics manufacturer Quanta Computer, which supplies computer hardware to major tech companies. He then proceeded to open bank accounts in the company’s name in Cyprus and Latvia.
Next, he sent fake emails and invoices to Facebook and Google and directed unsuspecting employees to wire payments to the fraudulent bank accounts that he controlled. And from those bank accounts in Latvia and Cyprus, Rimasauskas laundered the funds by quickly wiring the money into accounts not only in Latvia and Cyprus, but in Slovakia, Lithuania, Hungary and Hong Kong.
Using a fairly common phishing practice, Rimasauskas and his co-conspirators sent spoofed emails—emails designed to look like they came from Quanta accounts—to the companies’ AP departments. Many companies only require vendors to email their invoices to an accounts payable email address; there aren’t any checks in place to ensure that those invoices are coming from a legitimate vendor.
As a part of their internal financial controls, most companies require business users to approve invoices. In this case, the approvers were most likely familiar with Quanta and the types of purchases they usually made from them, so they probably had no reason to question the invoices.
It’s not clear from the indictment or news reports how the criminals knew valid purchase order numbers, SKU numbers, pricing, terms, invoice formats or other information for not one but two major companies. One assumption we could make is that they had insider information of some sort from Quanta and therefore could produce invoices with the right PO and line-item information on them.
Why didn’t Facebook and Google realize that the bank accounts to which they were asked to wire money weren’t the same as the Asia-based Quanta accounts on record? The scammers used correspondent banks in New York and other cities, no doubt realizing that a request to wire funds to Latvia might have aroused suspicion.
As some observers have pointed out, the idea that Rimasauskas “just asked the companies for money” sells short the scheme’s high level of sophistication. In addition to being a talented forger, he clearly had in-depth knowledge of big companies’ internal finance operations. Companies like Facebook and Google use advanced invoice and contract management software and follow industry-standard practices such as the three-way match, which verifies price and unit numbers across purchases, invoices, and receipts.
The fact that Rimasauskas was able to skirt these controls indicates that standards like the three-way match may no longer be enough to reconcile documents and prevent overpayments—or outright fraud.
If the sophistication of Rimasauskas’ scheme was able to defeat the best-in-class procurement system and AP process of a Facebook or Google, what hope do companies have for detecting and stopping overpayments? Here are a few strategies that can work.
The problem with emailed invoices is that they must either be keyed in manually by AP staff or entered into invoice automation software, leaving you exposed to errors or scams. When it comes to preventing phishing scams, electronic invoicing through electronic exchange like XML is a much better option than invoices that are emailed as attachments or even sent by snail mail. You may not be able to control what vendors send to you; however, by putting the right controls and technology in place, you can quickly detect fraudulent invoices before they’re paid.
A vendor request to add or change a bank account should always require a confirmation phone call or other human verification.
Purchase orders serve an important function—they verify that approved funding is in place—but they don’t confirm whether goods or services are actually received. For inventory items, a good receipt in the warehouse works as part of the PO matching process, but for non-inventory items such as services, procurement systems rely on human requestors to perform a goods receipt or provide approval to fulfill the control of a three-way match.
The problem is that in large organizations (or even smaller ones), it’s impossible for business approvers to accurately determine if every product or service was received as ordered or contracted. As a result, they often rely on their familiarity with the product or service or their knowledge that it’s in the budget, and they end up approving invoices as a matter of routine. Unfortunately, this leaves the process open to error or fraud.
Instead of depending entirely on humans, consider a solution with AI auditing technology that can confirm receipt of products or services. AI can easily verify whether a product was indeed part of a new shipment and not referenced in previous invoices or already received.
Rimasauskas was eventually caught and extradited to the U.S. in 2017, where he was charged with wire fraud, money laundering, and identity theft, although he’s only pleaded guilty to wire fraud. He now faces up to 30 years in prison.
But even though the indictment mentions co-conspirators, Rimasauskas is the only person who has been charged with in connection the crime, meaning he’s potentially part of a larger organization lurking in cyberspace. The risk from similar swindles is growing exponentially: The FBI’s Internet Crime Complaint Center warns that BEC scams are up by 1,300% since 2015 and estimates that companies have been defrauded of more than $3 billion.