The Attacker's Playbook
Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas registered a company in Latvia with the same name as Quanta Computer, a real Taiwanese hardware supplier to major tech firms. He then sent forged invoices, contracts, and letters bearing fabricated corporate stamps to two of the biggest companies in the world. Facebook paid $99 million. Google paid $23 million. Total stolen: $122 million.
Rimasauskas was eventually extradited in 2017, pleaded guilty to wire fraud, and was sentenced to five years in prison. Both companies recovered most of the money — but most victims don’t have the legal resources of Facebook and Google.
What makes this case remarkable isn’t the sophistication of the technology. There was no malware, no hacking, no zero-day exploits. It was invoices. Fake invoices from a company with the right name. And it worked for two years.
Every phishing campaign — from a $122 million corporate fraud to a $50 gift card scam — follows the same five-step playbook. Let’s walk through it using Rimasauskas as the narrative thread.
Step 1: Research the target
Rimasauskas found that Facebook and Google both used Quanta Computer as a hardware supplier. This wasn’t classified information — it was available through public filings, press releases, and industry directories.
For mass attacks, research is minimal: buy an email list and blast messages to millions. But for targeted attacks, the attacker builds a detailed picture:
- LinkedIn: Org chart, job titles, who reports to whom, who just started (new employees don’t know “how things work” yet), who’s leaving
- Company website: Executive names, press releases, partnerships, vendor relationships
- Social media: Travel schedules, personal details, conference appearances
- Public records: SEC filings, court records, government databases
- Past data breaches: Old passwords, personal email addresses, phone numbers from previous incidents
This is why a phishing email can reference your real project name, your real boss, and your real vendor. It’s not because the attacker has inside access. It’s because this information is almost always public.
Step 2: Build the infrastructure
Rimasauskas registered a company with the exact same name as a real supplier. The entire operation cost virtually nothing to set up.
For typical phishing attacks, the infrastructure is similarly cheap:
- Domain registration: $2-12 for a convincing lookalike domain
- HTTPS certificate: Free via Let’s Encrypt, set up in 2 minutes (so the padlock icon appears)
- Phishing page: Clone a login page in minutes using freely available tools
- Email setup: Configure sending from the new domain
According to the APWG’s 2024 data, 77% of phishing domains are purpose-registered — meaning attackers register fresh domains for their campaigns rather than compromising legitimate websites. Domains are cheap and disposable.
And the barrier to entry keeps dropping. The Phishing-as-a-Service (PhaaS) economy has exploded: Tycoon 2FA now accounts for 95% of all PhaaS events, according to Centripetal’s 2025 analysis. PhaaS kits doubled in volume by 2025. At least 145 distinct threat actors reference EvilProxy — a popular attack platform — on dark web forums. You no longer need to be a skilled hacker. You need a credit card and a Telegram account.
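The two signals from this step, a lookalike name and a freshly registered domain, can be checked before an invoice is paid. The following is an added defensive example, not part of the original lesson; the vendor allowlist, the character fold table, the thresholds, and the registration dates are all constructed assumptions.

```python
from datetime import date

# Constructed allowlist: vendor domains verified out of band by accounts payable.
KNOWN_VENDORS = {"northwind-hardware.example", "acme-logistics.example"}
# Constructed fold table for characters commonly swapped in lookalike names.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

def fold(domain: str) -> str:
    """Lowercase and collapse visually similar characters ("rn" reads as "m")."""
    return domain.lower().translate(FOLD).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain: str, registered: date, today: date,
             max_distance: int = 2, min_age_days: int = 90) -> list[str]:
    """Return reasons the sender needs manual verification (empty list = known vendor)."""
    d = sender_domain.lower()
    if d in KNOWN_VENDORS:
        return []
    # Near match after folding, but not an exact match: likely impersonation.
    reasons = [
        f"lookalike of {vendor}"
        for vendor in sorted(KNOWN_VENDORS)
        if edit_distance(fold(d), fold(vendor)) <= max_distance
    ]
    # Purpose-registered phishing domains tend to be new.
    if (today - registered).days < min_age_days:
        reasons.append("recently registered")
    return reasons or ["unknown sender domain"]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    # Constructed sender domains and registration dates.
    for dom, reg in [("northwind-hardware.example", date(2010, 1, 1)),
                     ("northw1nd-hardware.example", date(2024, 5, 20)),
                     ("acrne-logistics.example", date(2015, 3, 3))]:
        print(dom, classify(dom, reg, today))
```

A domain check does not catch a real-looking company name on a paper invoice or a change of bank details, which still need verification through a contact already on file.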
Step 3: Send the lure
Rimasauskas sent invoices that looked identical to Quanta Computer’s real invoices. They were professional, formatted correctly, and referenced real business relationships.
Attackers aren’t limited to email. The lure can arrive through any channel that reaches the target:
- Email (still the most common)
- Text message (smishing)
- Phone call (vishing)
- Slack or Teams message
- LinkedIn message
- QR code on a poster or sticker
- Physical letter
- Calendar invite
The channel is chosen based on what’s most likely to be trusted by the target. We’ll explore each of these channels in Module 3.
Step 4: Harvest
Rimasauskas received wire transfers into bank accounts he controlled in Latvia and Cyprus. His “harvest” was cash.
Other attackers harvest different things:
- Credentials: Username and password captured on a fake login page
- Session cookies: Intercepted through adversary-in-the-middle attacks, giving access without needing the password at all
- Money: Wire transfers, gift card codes, cryptocurrency
- Data: W-2 tax forms, client lists, trade secrets, sent by reply
- Access: Malware installed via attachment, giving persistent control of the victim’s device
The specific harvest depends on the attacker’s goal. Some want quick cash. Others want long-term access to steal data over months.
Step 5: Cash in and expand
Rimasauskas laundered the stolen money through bank accounts across Latvia, Cyprus, and several other countries, moving it through layers of transactions designed to obscure its origin.
Typical attackers also move fast after a successful phish:
- Log into compromised accounts within minutes — often before the victim even realizes what happened
- Set up persistence — email forwarding rules, OAuth app permissions, and other mechanisms that survive password resets (more on this in Lesson 2.3)
- Send more phishing from the compromised account — because messages from a real, trusted account are far more convincing than messages from a stranger
- Move toward financial payout — whether that’s direct wire fraud, ransomware deployment, or data theft for sale
One successful phish often leads to dozens more. A compromised executive’s email becomes the launch pad for vendor fraud, payroll redirect, and internal phishing — all from an account that everyone trusts.
Why this matters for you
The Rimasauskas case wasn’t a technology failure. Facebook and Google had world-class security teams. The attack worked because a person received what looked like a legitimate invoice from a company with the right name, and they paid it.
The five-step playbook hasn’t changed. The tools get cheaper, the lures get better, and the channels multiply — but the structure is always the same: research, build, send, harvest, cash in.
Understanding the playbook means you know what you’re defending against. And the most important takeaway is Step 1: the attacker’s research almost always starts with information you’ve already made public.
The Rule: Everything the attacker knows about you is probably public. Act accordingly.