The City of Baltimore lost more than $1.5 million to a business email compromise (BEC) scam after a fraudster tricked employees into changing a contractor’s bank account information.
Investigators just announced that in December 2024, an unspecified attacker submitted a fraudulent supplier contact form using the name of a legitimate company employee to gain access to the vendor’s Workday account.
The impersonated individual did not have access to financial systems, and the email address provided was not company-issued. Still, an accounts payable employee failed to verify the requester’s identity with the vendor.
The fraudster submitted multiple requests to switch bank account details, which were approved by two employees. Baltimore then made two payments in February and March 2025, one for $800,000 and another for $721,000. The city recovered the smaller payment after the recipient’s bank flagged suspicious activity.
This marks at least the third vendor fraud incident to strike Baltimore’s government since 2019.
Businesses of all kinds are not immune either: our municipalities, and everyday online interactions such as paying a bill, can expose users and businesses to risk.

