
When people hear “cyberattack,” they often picture hackers writing advanced code or breaking into servers. But the reality is often much simpler — and scarier.
Between 2013 and 2015, a single attacker from Lithuania managed to trick Google and Facebook into wiring him more than $100 million. He didn’t use malware or zero-day exploits. He used emails.
How the Attack Worked
- Impersonation of a Trusted Vendor
The hacker, Evaldas Rimasauskas, set up a fake company that looked almost identical to a real hardware supplier both Google and Facebook worked with. This included forging contracts and invoices and using lookalike email addresses.
- Well-Crafted Invoices
The invoices were highly detailed and professional, matching the style and format of the real supplier. To the employees in the finance department, nothing seemed unusual.
- Exploiting Human Trust
The attacker relied on one thing: employees are busy, and finance teams often process dozens (or hundreds) of payments each week. A single unchecked invoice could slip through — and many did.
Why It Worked
- Trust in routine processes: Employees trusted that invoices from known vendors were legitimate.
- Volume of work: High workloads made deep checks less likely.
- No obvious technical red flags: The emails didn’t contain malware or malicious links, so they didn’t trigger security tools.
- Social engineering: The attacker mimicked normal business behavior, making the scam invisible in plain sight.
The Consequences
Over the course of two years, more than $100 million was wired to the attacker’s accounts. While much of the money was eventually recovered, the case shook the tech industry.
It revealed a major truth: even the largest, most secure companies in the world can be vulnerable to simple phishing tactics.
Key Lessons for Businesses
- Verification Is Essential
Any unusual or large payment request should be confirmed through a second channel (phone call, secure messaging, or internal system).
- Employee Training Matters
Technical defenses can’t catch everything. Staff awareness is often the first line of defense.
- Processes Beat Panic
A clear policy for handling invoices, urgent requests, and banking detail changes can prevent costly mistakes.
- Attackers Don’t Always Hack Computers — They Hack People
Cybersecurity isn’t just about firewalls and software. It’s about understanding human behavior and protecting against manipulation.
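The verification and process lessons above, as an added example that is not part of the original article: the Python below holds an invoice for a second-channel check when the sender's domain is a near match for a known vendor's domain or the bank details differ from the vendor master file. The vendor name, domains, account numbers and the 0.85 similarity threshold are constructed assumptions.

```python
# Added example: triage an incoming invoice against a vendor master record.
# All vendor names, domains and account numbers below are constructed.
from difflib import SequenceMatcher

# Constructed vendor master: domain and bank account confirmed at onboarding.
VENDOR_MASTER = {
    "Example Hardware Ltd": {
        "domain": "examplehardware.example",
        "iban": "GB00TEST00000000000001",
    },
}

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def is_lookalike(candidate, known, threshold=0.85):
    """True when candidate is close to, but not identical to, a known domain."""
    if candidate == known:
        return False
    return SequenceMatcher(None, candidate, known).ratio() >= threshold

def triage_invoice(vendor, sender, iban):
    """Return the reasons an invoice must be held for a second-channel check."""
    record = VENDOR_MASTER.get(vendor)
    if record is None:
        return ["vendor not in master file"]
    reasons = []
    sender_domain = domain_of(sender)
    if is_lookalike(sender_domain, record["domain"]):
        reasons.append("sender domain resembles the vendor's domain")
    elif sender_domain != record["domain"]:
        reasons.append("sender domain does not match the vendor's domain")
    # Normalise spacing and case before comparing with the confirmed account.
    if iban.replace(" ", "").upper() != record["iban"]:
        reasons.append("bank details differ from the master file")
    return reasons

if __name__ == "__main__":
    # Constructed invoices: one genuine, one from a lookalike domain with new bank details.
    print(triage_invoice("Example Hardware Ltd", "ap@examplehardware.example",
                         "GB00TEST00000000000001"))
    print(triage_invoice("Example Hardware Ltd", "ap@examplehardwarre.example",
                         "GB00TEST00000000000999"))
```

An empty list means the invoice matches the master record; any returned reason means payment waits until the vendor is contacted through details already on file, not those in the email.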
Final Thought
The $100 million Google and Facebook scam proves that no company is “too big” or “too smart” to be tricked. In fact, attackers often prefer big targets because the rewards are higher.
Phishing doesn’t need to be sophisticated to be effective. Sometimes, the most dangerous attacks are the ones that look ordinary.
