Image: Getty.

If you’ve ever been duped by a phishing scam, you can feel a little less stupid about it today, because you’ve been joined in that sad club by Google and Facebook.

Phishing attacks, where scammers pose as a trusted company or person via email and trick people into—for example—clicking a link, signing into a fake website, or even handing over their bank details, are a huge problem. And it works surprisingly often, particularly on older people (and senior members of Hillary Clinton’s campaign staff). But it seems even the world’s largest internet companies—organizations that have shaped the internet itself—are not immune from such attacks.

A few weeks ago, the Justice Department announced that it had arrested a Lithuanian man in connection with a phishing attack that scammed two unnamed US tech companies out of a total of $100 million. Now, an investigation by Fortune has revealed that those two companies are Facebook and Google.

Advertisement

The scam was pretty sophisticated. Between 2013 and 2015, Evaldas Rimasauskas allegedly posed as a Taiwanese parts manufacturer named Quanta—which both companies do business with—through his own company with the same name registered in Latvia. He created fake email addresses and invoices for computer supplies, convincing the companies to make transfers totaling $100 million, which he then wired to bank accounts around the world. Rimasauskas denies the charge.

Advertisement

Both Facebook and Google confirmed that they had been victims of the scam. In an email to Gizmodo, a Facebook spokesperson wrote:

Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation. We are confident that we have the proper controls in place to prevent such attacks in the future.

The spokesperson didn’t respond to our query about whether the company had implemented any new measures to stop a similar incident from happening again. Meanwhile, a Google spokesperson told Fortune, “We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved.”

Advertisement

An important twist reported by Fortune? Google and Facebook didn’t disclose this event to shareholders, which may mean they ran afoul of rules requiring them to disclose “material events.” Fortune’s sources close to the companies “suggested they had decided the Rimasauskas fraud was not material enough to require disclosure of it.” $100 million over two years sounds reasonably material to us, but what do we know?

Whether or not these companies misled their shareholders, one thing is sure: no one, whether it’s your grandma who sent over her bank details to someone from BankofAmercia dot yahoo dot com or one of the richest companies in the world, is safe from phishing.

Advertisement

[Fortune]