Scammer steals $1.5 million from Baltimore by spoofing city vendor
The City of Baltimore made more than $1.5 million in fraudulent payments to a scammer who successfully spoofed a vendor and tricked city employees into changing the contractor’s bank account information, the city’s inspector general said.
In a post-mortem of the incident, Baltimore Inspector General Isabel Mercedes Cumming said the city’s accounts payable department had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details.
In December 2024, the fraudster submitted a supplier contact form under the name of a real employee of the vendor in order to gain access to the vendor’s Workday account. The impersonated employee had no access to the company’s financials, and the email address supplied was not a company-issued one. Despite those red flags, the accounts payable employee who handled the form did not contact the vendor to confirm the requester’s identity.
The fraudster then submitted multiple requests in Workday to change the linked bank account, which were approved by two employees. In February and March, Baltimore’s accounts payable department made two payments, of more than $800,000 and $721,000, to the account controlled by the fraudster. The city learned the payments may have been fraudulent only after the recipient’s bank reported suspicious activity. The city was able to recover the smaller payment.
The vendor scam is at least the third to hit Baltimore’s city government since 2019. In 2022, a payment from the Mayor’s Office of Children and Family Success of more than $376,213 ended up in a scammer’s account after the fraudster convinced the city’s finance department to change account details. Three years earlier, $62,377 was sent to a fraudulent account after changes were made to a vendor’s information.
According to an inspector general report on the 2022 incident, the city’s finance director said new policies had been instituted after the incident requiring the department’s employees to “independently verify bank changes with an executive-level employee from the requesting vendor.”
In a written response to the most recent report, Accounts Payable Director Timothy Goldsby, Jr. said that prior controls “were not fully institutionalized” before the office moved from the Department of Finance to the Office of the Comptroller in January 2023.
“AP concurs with the Inspector General's assessment that the incident was enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards,” he wrote.
He said that in the wake of the incident the department is revising its operating procedure for supplier contact and banking updates and requiring cross-verification of any banking change. It is also adding safeguards within Workday, including a restricted user role for making sensitive changes to supplier accounts, and expanding staff training on recognising social engineering.
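The controls Goldsby describes (checking a request against details captured at onboarding, a callback to a contact already on file, two distinct approvers holding a dedicated role) can be enforced mechanically before a bank change is saved. The following Python is an added illustration of such a review gate, not the city’s or Workday’s own code; the vendor record, role names, request fields and the two sample requests are constructed assumptions. The suspicious sample mirrors the pattern in this report: a real employee’s name, a non-company email address, and no callback.

```python
"""Review gate for vendor bank-account change requests (added example, not production code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    """Supplier master record captured at onboarding (constructed sample data)."""
    name: str
    email_domain: str            # domain the vendor's official mail comes from
    finance_contacts: frozenset  # people authorised to change banking details
    callback_phone: str          # number on file at onboarding, never taken from a request


@dataclass
class BankChangeRequest:
    vendor: str
    requester_name: str
    requester_email: str
    new_account: str
    approvers: list = field(default_factory=list)
    callback_number_used: Optional[str] = None   # number AP actually dialled
    callback_confirmed_by: Optional[str] = None  # AP staffer who reached the vendor


def review_bank_change(req: BankChangeRequest, vendors: dict, banking_role: set) -> list:
    """Return a list of findings; an empty list means the change may proceed."""
    findings = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return [f"no supplier record for '{req.vendor}'"]

    # 1. The request must come from the vendor's own mail domain, not a free-mail address.
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain.lower():
        findings.append(f"requester domain '{domain}' is not the vendor domain '{vendor.email_domain}'")

    # 2. A real employee's name is not enough: the person must be an authorised finance contact.
    if req.requester_name not in vendor.finance_contacts:
        findings.append(f"'{req.requester_name}' is not an authorised finance contact for {vendor.name}")

    # 3. Verification must go out-of-band to the number on file, never to a number in the request.
    if req.callback_confirmed_by is None:
        findings.append("no callback to the vendor recorded")
    elif req.callback_number_used != vendor.callback_phone:
        findings.append("callback made to a number not on file")

    # 4. Two distinct approvers, both holding the restricted banking-change role,
    #    and the person who did the callback cannot also approve.
    distinct = set(req.approvers)
    if len(distinct) < 2:
        findings.append("fewer than two distinct approvers")
    for approver in sorted(distinct):
        if approver not in banking_role:
            findings.append(f"approver '{approver}' lacks the banking-change role")
    if req.callback_confirmed_by in distinct:
        findings.append("verifier also acted as approver")

    return findings


# Constructed sample data; names, domains and numbers are fictitious.
VENDORS = {
    "Acme Paving": Vendor("Acme Paving", "acmepaving.example",
                          frozenset({"Dana Lee"}), "+1-410-555-0100"),
}
BANKING_ROLE = {"ap.approver1", "ap.approver2", "ap.lead"}


def suspicious_request() -> BankChangeRequest:
    """Real employee's name, free-mail address, no callback: the pattern in the report."""
    return BankChangeRequest("Acme Paving", "Jordan Park", "jordan.park@freemail.example",
                             "ACCT-NEW-1", approvers=["ap.approver1", "ap.approver2"])


def legitimate_request() -> BankChangeRequest:
    """Authorised contact, vendor domain, callback to the number on file, separate verifier."""
    return BankChangeRequest("Acme Paving", "Dana Lee", "dana.lee@acmepaving.example",
                             "ACCT-NEW-2", approvers=["ap.approver1", "ap.approver2"],
                             callback_number_used="+1-410-555-0100",
                             callback_confirmed_by="ap.lead")


if __name__ == "__main__":
    for label, req in (("suspicious", suspicious_request()), ("legitimate", legitimate_request())):
        print(label, review_bank_change(req, VENDORS, BANKING_ROLE) or ["ok"])
```

The point of the gate is that approval by two people is worthless if both are approving a record whose provenance was never checked; the domain, contact and callback checks run before the approvals are even counted, and the callback number is taken from the onboarding record rather than from anything the requester supplied.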
Baltimore has experienced a handful of impactful cyber incidents, including a ransomware attack in 2019 that caused an estimated $19 million in damage and affected services for months.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.