The City of Baltimore, which was scammed out of hundreds of thousands of dollars in two incidents in 2019 and 2022 in fraudulent vendor schemes, was hit with a similar attack earlier this year when a bad actor took it for more than $1.5 million.
The scammer was able to spoof a vendor, gain access to the vendor's Workday account, and trick employees in the city's Accounts Payable Department into changing the vendor's banking details and sending two payments to an account the fraudster controlled at another financial institution, according to a recent report by Baltimore's Office of the Inspector General (OIG).
“The investigation revealed a lack of internal policies and procedures in AP [accounts payable] regarding vendor verification,” the inspector general, Isabel Mercedes Cummings, wrote in the report, adding that “the internal controls established as the result of the former OIG investigations [from 2019 and 2022] were not being utilized at the time of these incidents.”
Cummings’ investigation found that between February and March, accounts payable employees issued two EFT payments totaling more than $1.52 million – $803,384.44 in one and $721,236.60 in the other – into the fraudster’s account. The city was tipped off to the scam by the city’s bank, which contacted Baltimore’s Finance Department after the scammer’s bank called about possible fraud.
The city was able to retrieve the smaller amount, but has yet to recover the larger amount from the scammer’s bank, according to the OIG report, which said that the Accounts Payable Department filed an insurance claim related to the larger payment and reissued payments for both EFT transactions to the unnamed legitimate vendor that was spoofed.
The fraud had the hallmarks of a Business Email Compromise (BEC) scam and was helped by lax verification processes in the Accounts Payable Department.
Bad actors have been running BEC scams for years, and the payoffs can be huge. In the FBI’s annual Internet Crime Complaint Center (IC3) report released in April, the bulk of the $16.6 billion lost to internet crime in 2024 came from fraud. That includes BEC: although it was only the seventh most reported crime in the report, it caused $2.8 billion in losses, the second-highest total on the list. Between 2022 and 2024, BEC resulted in $8.5 billion in losses, the report found.
The use of AI by threat groups is making it an even larger threat.
“BEC remains a major scourge,” cybersecurity firm VIPRE Security Group wrote. “Nearly half (49%) of all detected spam emails are attributed to BEC scams, with the CEO, followed by HR and IT, being the most common targets. It takes on a more sinister complexion when a full 40% of the BEC emails uncovered were AI-generated, and in some instances, AI likely created the entire message.”
The OIG report detailed what happened in Baltimore. It said that on December 9, 2024, the scammer submitted a supplier contact form to gain access to the vendor’s Workday account. The name on the form matched that of an employee of the vendor, but the vendor’s president confirmed that the employee whose name was used had no role in the company’s financials, and the email address given on the form was not the employee’s company-issued address.
Two days later, an Accounts Payable employee reviewed and approved the fraudulent contact form even though some of the information on it was incorrect. When speaking with the OIG, the employee said that steps such as contacting the vendor or verifying email addresses were not part of the department’s protocol.
The same day, the fraudster tried several times to change the vendor’s bank account to their own, including by submitting a voided check – later determined to be fake – and a bank account change request. They submitted another bank account change request on January 7, and three days later two other Accounts Payable employees approved it. The bank account change took effect on February 19.
The first – and larger – payment was sent to the scammer’s account two days later, with the second one following March 10.
The city’s comptroller, Bill Henry, in a response to the OIG’s report said the Accounts Payable Department agreed with the findings, writing that the “incident was enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards.”
Henry also noted that the internal controls that the OIG had recommended following the previous two incidents were not fully put in place before the Accounts Payable Department was moved from the Finance Department to the Comptroller’s Office in January 2023.
In the earlier scams, the city in 2019 lost $62,377 in a payment to a fraudulent account after scammers duped city employees into changing a vendor’s information, and in 2022 the Mayor’s Office of Children and Family Success sent a payment of $376,213 to a fraudulent account.
A working group that included several other city agencies came up with immediate and longer-term procedural improvements, including new processes for changes to supplier contact and banking information and mandatory cross-verification with supplier contracts for all banking changes.
Workday safeguards include restricted user authorizations for initiating sensitive updates to supplier profiles, automated email alerts, and a 48-hour delay plus layered reviews before account changes are approved and applied. In addition, there are now alerts for unusual activity in supplier profiles.
Other enhancements include more training for Accounts Payable employees on fraud detection and social engineering, and daily monitoring of supplier activity in Workday to detect anomalies.
The comptroller informed the OIG after the investigation that new policies for internal review processes were implemented.
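The controls above (a domain check on supplier contact details, two distinct approvers plus a 48-hour hold before a bank change takes effect, and anomaly monitoring of supplier activity) can be expressed as checks over a supplier-profile change log. The script below is an added illustration written for this article; it is not Baltimore's or Workday's code. The event shape, field names, the 30-day payment window and the three-requests-in-seven-days burst threshold are assumptions, and the sample log is constructed: its dates loosely follow the timeline in the OIG report, but the vendor names, account identifiers and the second vendor are invented to show each check firing.

```python
"""Anomaly checks over a supplier-profile change log (added example, not the city's code).

Assumptions for the example: a flat event log with the fields below, a 48-hour
approval-to-effect hold, and a 30-day window in which a payment after a bank
change must be verified by a callback to a known-good vendor phone number.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HOLD = timedelta(hours=48)               # assumed cooling-off period between approval and effect
PAYMENT_WINDOW = timedelta(days=30)      # assumed: payments this soon after a bank change need callback verification
REQUEST_BURST = (3, timedelta(days=7))   # assumed: 3+ bank-change requests within 7 days is suspicious

# Assumed vendor-of-record email domains, taken from the signed contract, not from a form.
VENDOR_DOMAINS = {"ACME Contracting": "acme-contracting.example",
                  "Beta Supply": "betasupply.example"}

@dataclass
class Event:
    ts: datetime
    kind: str      # contact_form | bank_change_request | bank_change_approved | bank_change_applied | payment
    vendor: str
    actor: str     # submitter or approver
    detail: str = ""   # email on a contact form, account id, or payment amount

def check_contact_email_domain(events):
    """Flag supplier contact forms whose email is not on the vendor's domain of record."""
    findings = []
    for e in events:
        if e.kind != "contact_form":
            continue
        domain = e.detail.rsplit("@", 1)[-1].lower()
        expected = VENDOR_DOMAINS.get(e.vendor)
        if domain != expected:
            findings.append((e.ts, e.vendor, f"contact email on {domain}, vendor of record is {expected}"))
    return findings

def check_bank_change_controls(events):
    """Each applied bank change needs two distinct approvers and the full hold period."""
    findings = []
    by_vendor = defaultdict(list)
    for e in events:
        by_vendor[e.vendor].append(e)
    for vendor, evs in by_vendor.items():
        for applied in (e for e in evs if e.kind == "bank_change_applied"):
            approvals = [e for e in evs if e.kind == "bank_change_approved" and e.ts <= applied.ts]
            approvers = {e.actor for e in approvals}
            if len(approvers) < 2:
                findings.append((applied.ts, vendor, f"only {len(approvers)} distinct approver(s)"))
            if approvals and applied.ts - max(e.ts for e in approvals) < HOLD:
                findings.append((applied.ts, vendor, "applied before the 48-hour hold elapsed"))
    return findings

def check_payment_after_bank_change(events):
    """Any payment within PAYMENT_WINDOW of a bank change is held for callback verification."""
    findings = []
    changes = [e for e in events if e.kind == "bank_change_applied"]
    for p in (e for e in events if e.kind == "payment"):
        for c in changes:
            if c.vendor == p.vendor and timedelta(0) <= p.ts - c.ts <= PAYMENT_WINDOW:
                findings.append((p.ts, p.vendor,
                                 f"payment of {p.detail} {(p.ts - c.ts).days} day(s) after bank change; verify by callback"))
    return findings

def check_repeated_requests(events):
    """A burst of bank-change requests for one vendor (the Dec. 11 pattern) gets one finding."""
    n, window = REQUEST_BURST
    findings = []
    by_vendor = defaultdict(list)
    for e in events:
        if e.kind == "bank_change_request":
            by_vendor[e.vendor].append(e.ts)
    for vendor, stamps in by_vendor.items():
        stamps.sort()
        for i in range(len(stamps) - n + 1):
            if stamps[i + n - 1] - stamps[i] <= window:
                findings.append((stamps[i], vendor, f"{n} bank-change requests within {window.days} days"))
                break
    return findings

def run_checks(events):
    return {
        "contact_email_domain": check_contact_email_domain(events),
        "bank_change_controls": check_bank_change_controls(events),
        "payment_after_bank_change": check_payment_after_bank_change(events),
        "repeated_bank_change_requests": check_repeated_requests(events),
    }

# Constructed sample log. Dates loosely follow the OIG timeline; names and account ids are invented.
D = datetime
SAMPLE_LOG = [
    Event(D(2024, 12, 9, 10), "contact_form", "ACME Contracting", "external", "j.doe@freemail.example"),
    Event(D(2024, 12, 11, 9), "bank_change_request", "ACME Contracting", "external", "acct-9001"),
    Event(D(2024, 12, 11, 11), "bank_change_request", "ACME Contracting", "external", "acct-9001"),
    Event(D(2024, 12, 11, 15), "bank_change_request", "ACME Contracting", "external", "acct-9001"),
    Event(D(2025, 1, 7, 9), "bank_change_request", "ACME Contracting", "external", "acct-9001"),
    Event(D(2025, 1, 10, 9), "bank_change_approved", "ACME Contracting", "ap_clerk_1"),
    Event(D(2025, 1, 10, 10), "bank_change_approved", "ACME Contracting", "ap_clerk_2"),
    Event(D(2025, 2, 19, 9), "bank_change_applied", "ACME Contracting", "system", "acct-9001"),
    Event(D(2025, 2, 21, 9), "payment", "ACME Contracting", "ap_clerk_1", "803384.44"),
    Event(D(2025, 3, 10, 9), "payment", "ACME Contracting", "ap_clerk_1", "721236.60"),
    # Invented second vendor: one approver and a change applied an hour after approval.
    Event(D(2025, 3, 3, 9), "bank_change_request", "Beta Supply", "vendor_portal", "acct-5555"),
    Event(D(2025, 3, 3, 10), "bank_change_approved", "Beta Supply", "ap_clerk_1"),
    Event(D(2025, 3, 3, 11), "bank_change_applied", "Beta Supply", "system", "acct-5555"),
]

if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_LOG).items():
        for ts, vendor, msg in hits:
            print(f"[{name}] {ts:%Y-%m-%d} {vendor}: {msg}")
```

On the constructed log, the first vendor trips the domain check, the request burst, and both payment-after-change alerts (the two-approver and hold rules are satisfied there, which is why the payment-window check matters as a last line of defense), while the invented second vendor trips the single-approver and hold checks. The checks are deliberately independent so that a compromise of one control, such as a single clerk approving everything, is still caught by another.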