The BBC is reporting that Google and Facebook have been successfully targeted in an email ‘phishing’ scam. In March, it was reported that a Lithuanian man had been charged after managing to extract over $100m from two technology companies who were not named at the time. They have now been identified as the internet giants.
The cleverness of the scam is most likely based on its simplicity. The man posed as a representative of an Asian manufacturing company that is known to service both Google and Facebook, creating authentic-looking invoices, and playing the long game – targeting smaller amounts, and operating successfully for two full years before being found out. Because the amounts were low, automatic sign-off levels were likely used without any senior authorisation being required. Combined with the fact that the Asian business in question does a lot of work for both Google and Facebook, most of the invoices will likely have been lost in the pile of other invoices, and any that needed basic questioning may have just been paid to avoid complications.
The big lesson for business is the importance of educating staff at all levels on phishing techniques, and how to recognise and avoid them. These scams rely on staff not being aware that their responsibilities go beyond signing at the bottom of a form or clicking to approve an invoice. Often, managers think that any invoice that appears on their desk is legitimate, and that it’s their job to keep the process moving or hold vendors to account for work done, not to check the authenticity of an invoice. However, a crucial element of avoiding scams such as this one is to ensure executives are doing random audits on invoices, and that safety measures, such as verifying payment details and adding levels to the authorisation process, are in place.
While there is the potential for human error, scams like this will remain common, and it will be up to businesses to put robust checks and measures in place to ensure that the likelihood of paying money without owing it is minimal.
