Fraudster stole over $1.5 million from city of Baltimore

Pierluigi Paganini September 01, 2025

Scammer stole $1.5M from Baltimore by posing as a vendor and tricking staff into changing bank account details.

A scammer stole over $1.5M from the city of Baltimore by spoofing a vendor and convincing staff to alter bank details, in what appears to be a classic Business Email Compromise (BEC) attack.

Between February and March 2025, the city’s Department of Accounts Payable (AP) completed two EFT payments totaling $1,524,621.04 to a bank account not associated with or authorized by the vendor. A fraudster accessed the vendor’s Workday account and redirected payments by changing the listed bank details to their own account.

“The OIG confirmed that on February 21, 2025, and March 10, 2025, AP completed two EFT payments, one for $803,384.44 and the other in the amount of $721,236.60. The total amount of fraudulent transactions amounted to $1,524,621.04,” reads the investigative report synopsis published by Inspector General Isabel Mercedes Cumming. “The City was able to retrieve the $721,236.60 payment but at the time of this report, has been unable to recover the $803,384.44 payment from the Fraudster’s Bank. AP filed an insurance claim related to that payment, and the Vendor was reissued payments for both EFT transactions.”

The investigation revealed that in December 2024, a fraudster posed as a vendor employee using a fake email to access the vendor’s Workday account. An AP employee approved the fraudulent supplier form without proper verification, despite incorrect details. The fraudster repeatedly attempted to change the vendor’s bank details, submitting a fake voided check in January 2025. Two more AP employees later approved the fraudulent bank change request without verifying documents, enabling the scheme.

Inspector General Isabel Mercedes Cumming noted the accounts payable department lacked safeguards to verify supplier info and had failed to adopt corrective measures after prior fraud cases, leaving the city exposed. This highlights weak internal controls and insufficient fraud prevention practices within the department.

Since 2019, Baltimore has suffered two other vendor scams: $62K lost in 2019 and $376K in 2022, both due to fake bank detail changes.

In March and May 2019, the city of Baltimore was hit by two distinct ransomware attacks.
