Critical Infrastructure Security

Baltimore loses over $1.5M from cyber fraud

More than $1.5 million had been stolen from the City of Baltimore in a fraudulent scheme involving the impersonation of a legitimate city vendor, according to The Record, a news site by cybersecurity firm Recorded Future.

Illicit activity commenced in December, when the attacker used a legitimate company employee's name in a supplier contact form submission meant to compromise the vendor's Workday account. Subsequent requests to change the contractor's bank account details were then approved by the city's employees, allowing the delivery of over $800,000 and $721,000 to the attacker-controlled account.

Only the latter payment was recovered by the city, according to Baltimore Inspector General Isabel Mercedes Cumming, who noted the failure of the city's accounts payable department to adopt necessary safeguards following vendor scams in 2019 and 2022.

"AP concurs with the Inspector General's assessment that the incident was enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards," said Accounts Payable Director Timothy Goldsby, Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds