Over the course of two years, Google and Facebook wired $100 million to an imposter as victims of a long-con phishing attack, Fortune found.
In March, the US Department of Justice published an indictment against a Lithuanian man, Evaldas Rimasauskas, for "orchestrating a fraudulent business email compromise scheme that induced two U.S.-based internet companies" to send more than $100 million to bank accounts in his control.
The thing is, the identity of those companies was never known until Fortune's report on Thursday. Both Facebook and Google confirmed they were involved.
"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a company spokesperson told CNET.
"We detected this fraud against our vendor management team," said a Google spokesperson, "And promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved."
How did it allegedly happen? Rimasauskas is said to have forged invoices, emails and stamps posing as Quanta Computer, a Taiwanese manufacturer with a client list that includes Apple and Amazon. Google's and Facebook's accounting departments reportedly paid up before catching wise.
Rimasauskas, who's currently awaiting extradition and hasn't yet been tried, denies the allegations, according to Fortune.
"This case should serve as a wake-up call to all companies," Acting U.S. Attorney Joon H. Kim said last month, "Even the most sophisticated -- that they too can be victims of phishing attacks by cybercriminals."