More than $1.5 million had been stolen from the City of Baltimore in a fraudulent scheme involving the impersonation of a legitimate city vendor, according to The Record, a news site by cybersecurity firm Recorded Future.
Illicit activity commenced in December, when the attacker used a legitimate company employee's name in a supplier contact form submission meant to compromise the vendor's Workday account. Subsequent requests to change the contractor's bank account details were then approved by the city's employees, allowing the delivery of over $800,000 and $721,000 to the attacker-controlled account.
Only the latter payment was recovered by the city, according to Baltimore Inspector General Isabel Mercedes Cumming, who noted the failure of the city's accounts payable department to adopt necessary safeguards following vendor scams in 2019 and 2022.
"AP concurs with the Inspector General's assessment that the incident was enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards," said Accounts Payable Director Timothy Goldsby, Jr.
Illicit activity commenced in December, when the attacker used a legitimate company employee's name in a supplier contact form submission meant to compromise the vendor's Workday account. Subsequent requests to change the contractor's bank account details were then approved by the city's employees, allowing the delivery of over $800,000 and $721,000 to the attacker-controlled account.
Only the latter payment was recovered by the city, according to Baltimore Inspector General Isabel Mercedes Cumming, who noted the failure of the city's accounts payable department to adopt necessary safeguards following vendor scams in 2019 and 2022.
"AP concurs with the Inspector General's assessment that the incident was enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards," said Accounts Payable Director Timothy Goldsby, Jr.




