
Google and Facebook Victim of $100 Million in Accounts Payable Fraud: How It Could Have Been Prevented

By now you may have heard about Evaldas Rimasauskas, the Lithuanian man who pled guilty in March of this year to scamming Facebook and Google out of more than $100 million. Impersonating a company with whom both tech giants do business, Rimasauskas sent fake phishing emails containing forged invoices and convinced the companies to wire funds to bank accounts he controlled.

Business email compromise scheme

The U.S. Department of Justice portrayed the crime as a fraudulent business email compromise (BEC) attack, but it’s worth noting that the victims aren’t small mom-and-pop businesses—they’re sophisticated, well-established companies with mature business processes and state-of-the-art procurement and ERP systems. So why did they fall for this scheme?

Let’s take a look at how the criminals took advantage of common “best-in-class” accounts payable (AP) processes and practices. And more importantly, let’s look at how you can avoid falling victim to a similar hoax.

A sophisticated phishing scam

From 2013 to 2015, Rimasauskas orchestrated a combined phishing and invoice scheme targeting Google and Facebook, who confirmed to NPR that they were the companies referred to by the DOJ as “a multinational technology company” and “a multinational online social media company.”

According to the 2016 indictment filed in the U.S. attorney’s office, Rimasauskas registered and incorporated a company with the same name as Taiwan-based electronics manufacturer Quanta Computer, which supplies computer hardware to major tech companies. He then proceeded to open bank accounts in the company’s name in Cyprus and Latvia.

Next, he sent fake emails and invoices to Facebook and Google and directed unsuspecting employees to wire payments to the fraudulent bank accounts that he controlled. And from those bank accounts in Latvia and Cyprus, Rimasauskas laundered the funds by quickly wiring the money into accounts not only in Latvia and Cyprus, but in Slovakia, Lithuania, Hungary and Hong Kong.

How were the employees fooled by the fake invoices?

Using a fairly common phishing practice, Rimasauskas and his co-conspirators sent spoofed emails—emails designed to look like they came from Quanta accounts—to the companies’ AP departments. Many companies only require vendors to email their invoices to an accounts payable email address; there aren’t any checks in place to ensure that those invoices are coming from a legitimate vendor.

But shouldn’t a human have approved the payment?

As a part of their internal financial controls, most companies require business users to approve invoices. In this case, the approvers were most likely familiar with Quanta and the types of purchases they usually made from them, so they probably had no reason to question the invoices.

Weren’t there purchase orders that the invoices should have matched before they were approved and released for payment?

Yes. It’s not clear from the indictment or news reports how the criminals knew valid P.O. numbers, SKU numbers, pricing, terms, invoice formats or other information for not one but two major companies. One assumption we could make is that they had insider information of some sort from Quanta and therefore could produce invoices with the right PO and line-item information on them.

Why didn’t Facebook and Google realize that the bank accounts to which they were asked to wire money weren’t the same as the Asia-based Quanta accounts on record?

The scammers used correspondent banks in New York and other cities, no doubt realizing that a request to wire funds to Latvia might have aroused suspicion.

How were the companies fooled into transferring such large sums of money?

As some observers have pointed out, the idea that Rimasauskas “just asked the companies for money” sells short the scheme’s high level of sophistication. In addition to being a talented forger, he clearly had in-depth knowledge of big companies’ internal finance operations. Companies like Facebook and Google use advanced invoice and contract management software and follow industry-standard practices such as the three-way match, which verifies price and unit numbers across purchases, invoices, and receipts.

The fact that Rimasauskas was able to skirt these controls indicates that standards like the three-way match may no longer be enough to reconcile documents and prevent overpayments—or outright fraud.

How your organization can prevent invoice fraud

If the sophistication of Rimasauskas’ scheme was able to defeat the best-in-class procurement system and AP process of a Facebook or Google, what hope do companies have for detecting and stopping overpayments? Here are a few strategies that can work.

Use true electronic invoicing with B2B integration

The problem with emailed invoices is that they must either be keyed in manually by AP staff or entered into invoice automation software, leaving you exposed to errors or scams. When it comes to preventing phishing scams, electronic invoicing through a structured B2B exchange format such as XML is a much better option than invoices that are emailed as attachments or even sent by snail mail. You may not be able to control what vendors send to you; however, by putting the right controls and technology in place, you can quickly detect fraudulent invoices before they’re paid.

Add controls to verify bank account activity

A vendor request to add or change a bank account should always require a confirmation phone call or other human verification. Solutions like AppZen use AI and data augmentation techniques to detect suspicious activity even when such requests are made electronically.

Require more than a P.O. number; verify work activity or product fulfillment

Purchase orders serve an important function—they verify that approved funding is in place—but they don’t confirm whether goods or services are actually received. For inventory items, a goods receipt in the warehouse works as part of the P.O. matching process, but for non-inventory items such as services, procurement systems rely on human requestors to perform a goods receipt or provide approval to complete the three-way match control.

The problem is that in large organizations (or even smaller ones), it’s impossible for business approvers to accurately determine if every product or service was received as ordered or contracted. As a result, they often rely on their familiarity with the product or service or their knowledge that it’s in the budget, and they end up approving invoices as a matter of routine. Unfortunately, this leaves the process open to error or fraud.

Instead of depending entirely on humans, consider a solution with AI auditing technology that can confirm receipt of products or services. For example, AppZen can look at unstructured data like ticketing systems, badge data, network logins, and tracking numbers. AI can easily verify whether a product was indeed part of a new shipment and not referenced in previous invoices or already received. Our AI can spot discrepancies and duplicate transactions and recognize invoice patterns that humans can’t easily see, alerting business approvers if it detects a risk so they can make informed decisions.
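The controls described in this section (verifying that an invoice actually arrives from a registered vendor channel, holding any bank account that differs from the vendor master for call-back verification, a line-by-line three-way match that checks billed quantity against confirmed receipt, and duplicate detection) can be expressed as a single intake check. The following is an added illustration, not AppZen’s code or the process of any company named above; the vendor master, purchase order, bank account identifiers and invoices are all constructed, and the `.example` domains are placeholders.

```python
"""Model of the invoice-intake controls discussed above.

Added example, not AppZen code. All reference data below is constructed:
vendor ids, domains, account ids and PO numbers are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed "vendor master": who may send invoices and where they may be paid.
VENDOR_MASTER = {
    "QUANTA-001": {
        "name": "Quanta Computer",
        "email_domains": {"quantatw.example"},       # constructed sender domain
        "bank_accounts": {("TW", "TW-ACCT-0001")},    # constructed account on record
    },
}

# Constructed open purchase order, including what the business has confirmed received.
PURCHASE_ORDERS = {
    "PO-77001": {
        "vendor_id": "QUANTA-001",
        "lines": {"SKU-A100": {"qty": 500, "unit_price": 120.00}},
        "received": {"SKU-A100": 500},  # goods receipt / service confirmation
    },
}

# Invoices already paid, keyed by (vendor, invoice number), for duplicate detection.
PAID_INVOICES = {("QUANTA-001", "INV-2014-0099")}


@dataclass
class Invoice:
    vendor_id: str
    invoice_number: str
    sender_email: str
    po_number: str
    lines: Dict[str, Dict[str, float]]  # sku -> {"qty": ..., "unit_price": ...}
    bank_country: str
    bank_account: str
    total: float


def audit_invoice(inv: Invoice) -> List[str]:
    """Return findings; an empty list means every control passed and payment may proceed."""
    findings: List[str] = []
    vendor = VENDOR_MASTER.get(inv.vendor_id)
    if vendor is None:
        return ["unknown vendor id"]

    # Control 1: the invoice must arrive from a domain registered for this vendor.
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain not in vendor["email_domains"]:
        findings.append(f"sender domain {domain!r} not registered for vendor")

    # Control 2: an unfamiliar bank account is a change request, never an instruction.
    if (inv.bank_country, inv.bank_account) not in vendor["bank_accounts"]:
        findings.append("bank account differs from vendor master; hold for call-back verification")

    # Control 3: three-way match, line by line, against PO price and confirmed receipt.
    po = PURCHASE_ORDERS.get(inv.po_number)
    if po is None or po["vendor_id"] != inv.vendor_id:
        findings.append(f"PO {inv.po_number} not found for this vendor")
    else:
        for sku, line in inv.lines.items():
            po_line = po["lines"].get(sku)
            if po_line is None:
                findings.append(f"{sku}: not on PO")
                continue
            if abs(line["unit_price"] - po_line["unit_price"]) > 0.005:
                findings.append(f"{sku}: unit price {line['unit_price']} != PO {po_line['unit_price']}")
            received = po["received"].get(sku, 0)
            if line["qty"] > received:
                findings.append(f"{sku}: billed qty {line['qty']} exceeds received {received}")

    # Control 4: the stated total must equal the sum of the lines.
    computed = round(sum(l["qty"] * l["unit_price"] for l in inv.lines.values()), 2)
    if abs(computed - inv.total) > 0.005:
        findings.append(f"total {inv.total} does not match line sum {computed}")

    # Control 5: the same vendor may not be paid twice for one invoice number.
    if (inv.vendor_id, inv.invoice_number) in PAID_INVOICES:
        findings.append("duplicate of an already-paid invoice")

    return findings


# Constructed sample invoices: one clean, one with a look-alike sender and a new
# account (the pattern the article describes), one billing more than was received.
def legitimate_invoice() -> Invoice:
    return Invoice("QUANTA-001", "INV-2015-0100", "ap@quantatw.example", "PO-77001",
                   {"SKU-A100": {"qty": 500, "unit_price": 120.00}}, "TW", "TW-ACCT-0001", 60000.00)


def spoofed_invoice() -> Invoice:
    return Invoice("QUANTA-001", "INV-2015-0100", "ap@quanta-computer.example", "PO-77001",
                   {"SKU-A100": {"qty": 500, "unit_price": 120.00}}, "LV", "LV-ACCT-9999", 60000.00)


def overbilled_invoice() -> Invoice:
    return Invoice("QUANTA-001", "INV-2015-0101", "ap@quantatw.example", "PO-77001",
                   {"SKU-A100": {"qty": 600, "unit_price": 120.00}}, "TW", "TW-ACCT-0001", 72000.00)


if __name__ == "__main__":
    for label, inv in [("legitimate", legitimate_invoice()), ("spoofed", spoofed_invoice()),
                       ("overbilled", overbilled_invoice())]:
        print(label, "->", audit_invoice(inv) or ["PASS"])
```

The point of the spoofed case is that a perfect PO number, correct pricing and a correct total, which the article says the fraudulent invoices had, still do not pass: the sender domain and the payment account are checked against the vendor master rather than against the invoice itself, and a differing account produces a hold rather than a new payment instruction. The overbilled case shows why receipt confirmation, not the PO alone, has to be the third leg of the match.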

Scammer now behind bars—but more are out there

Rimasauskas was eventually caught and extradited to the United States in 2017, where he was charged with wire fraud, money laundering, and identity theft, although he’s only pleaded guilty to wire fraud. He now faces up to 30 years in prison.

“Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme,” said U.S. Attorney Geoffrey Berman in a statement, “but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.”

But even though the indictment mentions co-conspirators, Rimasauskas is the only person who has been charged in connection with the crime, meaning he’s potentially part of a larger organization lurking in cyberspace. The risk from similar swindles is growing exponentially: The FBI’s Internet Crime Complaint Center warns that BEC scams are up by 1,300% since 2015 and estimates that companies have been defrauded of more than $3 billion.

Reviewing every invoice you receive is critical if you want to protect your company from falling victim to scams like the one that targeted Facebook and Google. With AppZen’s AI platform, you can audit 100% of your invoices before you pay them, flagging only high-risk spend like errors or fraud for manual review.

Anant Kale is the Co-Founder and CEO of AppZen where he’s passionate about helping companies audit every dollar of spend with artificial intelligence. As CEO he is responsible for the product vision and execution of the company’s broad mission. Previously he was the VP of Applications at Fujitsu America from 2009-2012, responsible for product management, and delivery of Fujitsu’s applications and infrastructure for enterprise. He has 15+ years of experience in software development. He has an MBA and a BS in Finance and Engineering from Mumbai University.

Three Expense Policies You Should Consider Revisiting

“Are you really going to reject that expense report because of that?” We ask our customers this question all the time — and guess what, they usually say “Nope.” They’re just adhering to their company’s travel and expense (T&E) policy without really considering the context of the expense. Many T&E policies we’ve seen are outdated. More often than not, these policies were either put in place when the company only had a handful of employees traveling or they were based on industry standards that haven’t been revised in over a decade. With business travel on the rise, it isn’t just the overall reimbursement amount that has increased, but also the burden on employers to audit these expenses.

From our experience implementing our AI-powered expense audit solution for over 1,000 companies, we’ve identified three expense policies your company should seriously consider revisiting.

Don’t be too strict on meal spend

$10 limit for breakfast, $15 for lunch, and $25 for dinner – this is the standard policy most companies have around meal expenses, but how often do auditors truly follow this? It’s becoming increasingly common for auditors to approve expense reports that don’t stick to these strict guidelines, as long as employees don’t go over the overall daily limit of say, $100. We recommend setting an overall daily meal limit or per diem rather than a meal-based one. This change will ensure that your auditors are paying attention to the expense reports of employees whose behavior they actually want to address, rather than focusing on someone who spent $5 extra on lunch, for example.

Give your employees more time

T&E policies usually require expenses to be submitted for reimbursement within 90 days of incurring the expense. Let’s say an employee submits a receipt that’s older than 90 days. It’s likely that this expense just slipped the employee’s mind or they just found it while cleaning out their suitcase. Are your auditors really going to go through the trouble of asking the employee why they didn’t submit the receipt earlier? Probably not. There are various reasons for delayed submission, but usually, the employee is given the benefit of the doubt. We recommend increasing the permitted expense age to 180 days to give employees more time to submit their expense reports and decrease any potential back-and-forth between employees and auditors.

It’s okay to enjoy a glass of wine once in a while

Sure, no one wants their employees getting drunk on the company dime, but it isn’t uncommon for employees to sip a glass of wine at dinner – especially when they are traveling on business, away from their families, and eating all by themselves in the hotel lobby. Okay, I didn’t mean to paint such a dampening picture, but it’s quite true! Expecting companies to pay for a drink used to be a complete no-no in the business world, but today, companies are more flexible about alcohol. So, either allow it up to a certain dollar amount, say $100, or track an employee’s behavioral trends over time without interrupting the reimbursement process.

Those are just a few of the ways you can change your expense policy to help reduce the stress on both your auditors and your employees. For more ideas on how to best structure a T&E policy that promotes a healthy expense culture, download our whitepaper.

Cauvery Mallangada is an Implementations Manager at AppZen, the world’s leading solution for automated expense report audits that leverages artificial intelligence to audit 100% of expense reports, invoices and contracts in seconds.

Why is there so little expense report misconduct in China?

Recently, I wrote a data-driven piece revealing which countries are home to the most expense report misconduct. Several of the results were extremely interesting, but the most fascinating piece of data was redacted because it needed to be looked into more thoroughly.

That data point was this: only 1% of expense report items flagged for review in China by AppZen, the leading automated expense report audit AI software, are ultimately rejected by the client company.

This 1% figure sits at the very bottom of the international list; no other country is even close. For example, Japan, only a few hundred nautical miles away across the East China Sea, ranks in the bottom half of flagged expense dollars rejected, with a much more robust 18%. Here’s the data from the last blog post, but with China put back in.

So what are the explanations for this oddly-low Chinese rejection rate? The answers are somewhat dubious and connect to transfers of wealth.

Like most nations, China has its unique accounting complexities and one example is the country’s Fapiao system, in which receipts and invoices are actual official tax documents printed on the spot. The goal of Fapiao was to create a transparent system spitting out real-time tax documents at points of purchase across the country, but that hasn’t stopped enterprising folks from coming up with schemes to take advantage of it.

For example, imagine taking 40 expo guests to dinner after a conference. In America, the hosting employee would simply receive a receipt for the pricey dinner which he would then expense for reimbursement upon returning from the trip. The company submits that receipt as part of its tax return at the end of the year.

Now let’s say some out-of-policy behavior takes place at this dinner; maybe the host employee decided to order several $200 bottles of wine, easily exceeding the $50 bottle company policy limit. AppZen would catch the out-of-policy misconduct on the expense report in this example.

But in China, Fapiao are actual tax documents and business-related expenses are sometimes used to offset revenue, which allows companies to bring down their corporate income tax. Accordingly, managers subtly encourage their staff to collect Fapiao, and turn the other cheek instead of scrutinizing the documents.

In other words, Chinese corporations can lower their tax bills by indirectly transferring a fraction of those funds to employees via liberal unwritten expense report oversight thereby making them happier, at the expense of The Party’s tax revenue.

The less cynical explanation picks up the same thread of employee satisfaction without looping in Fapiao: the Chinese are, in general terms, lax in their enforcement around expenses; they turn a blind eye to most expense ambiguity to help incrementally raise employee take-home pay. In other words just as Silicon Valley companies are happy to supply their employees with millions of dollars in free meals and snacks at the office to supplement incomes, many Chinese companies are similarly, indirectly liberal outside the office, around expenses.

Either way, the title of this article is somewhat misleading. The Chinese have an average number of expense items flagged for potential misconduct by AppZen relative to other countries. The difference is that Chinese companies are choosing to reject these flagged expenses at an unusually-low rate of 1%. The reasons for this are Fapiao loopholes and cultural norms around allowing employees liberties with their work expenses.

Josh Anish is Senior Director of Marketing at AppZen, the world’s leading solution for automated expense report audits that leverages artificial intelligence to audit 100% of expense reports, invoices and contracts in seconds.