
The city of Baltimore recently became the victim of a sophisticated scam that drained over \$1.5 million from its accounts. This case, reminiscent of classic Business Email Compromise (BEC) attacks, underscores how cybercriminals can exploit human error and lax internal controls to achieve massive financial gains. Between February and March 2025, the city’s Department of Accounts Payable (AP) unknowingly funneled funds to a fraudster’s bank account after acting on falsified vendor banking information. The incident not only highlights the vulnerability of municipal payment systems but also serves as a cautionary tale for organizations handling large volumes of electronic transactions.
The Scam Uncovered
An investigation revealed that a scammer impersonated a legitimate vendor and gained access to the vendor’s Workday account in December 2024. By submitting fraudulent bank details and a fake voided check, the fraudster tricked AP staff into approving two electronic funds transfer (EFT) payments totaling \$1,524,621.04: \$803,384.44 on February 21, 2025, and \$721,236.60 on March 10, 2025. While the city successfully recovered the smaller payment of \$721,236.60, the larger sum remains unrecovered. Insurance claims were filed, and the legitimate vendor was reimbursed.
The investigation highlighted a troubling pattern: multiple AP employees approved changes without verifying documentation, and the department had failed to implement corrective measures after prior fraud cases. Notably, Baltimore had experienced similar vendor scams in 2019 (\$62,000) and 2022 (\$376,000), all stemming from fraudulent bank detail changes. Inspector General Isabel Mercedes Cumming criticized the AP department for weak internal controls and inadequate safeguards, leaving the city exposed to recurring financial threats.
The scam demonstrates how cybercriminals exploit both technological systems and human error. By using a realistic impersonation of a trusted vendor, the fraudster bypassed automated protections, illustrating the persistent dangers of BEC attacks for municipal organizations.
What Undercode Say:
Baltimore’s latest scam reveals a systemic issue in city finance operations: human oversight coupled with insufficient verification processes is a major vulnerability. The AP department’s repeated failures suggest that training alone is insufficient; robust automated verification systems and multi-step approval workflows are essential to prevent such losses. Organizations handling high-value payments must ensure that staff cross-check any banking changes with verified vendor contacts before executing transactions.
Furthermore, this incident exemplifies the increasing sophistication of BEC schemes. Modern scammers often exploit legitimate platforms like Workday to appear credible. The combination of internal complacency and evolving cyberattack techniques makes these scams difficult to detect until significant losses occur. Municipalities and large enterprises must prioritize layered security measures, including anomaly detection in financial transactions and real-time alerts for unusual vendor requests.
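One way to enforce the verification, multi-step approval and alerting controls described above, as an added example (not code from the city, Workday or the original report): a pre-release check that holds an EFT when the destination account comes from a vendor bank change that was not confirmed out-of-band, lacked two distinct approvers, or is both recent and high-value. The record fields, the 90-day window and the USD 50,000 threshold are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values for illustration; the article does not specify any.
COOLING_OFF = timedelta(days=90)
HIGH_VALUE = 50_000.00

@dataclass(frozen=True)
class BankChange:
    vendor_id: str
    new_account: str
    changed_on: date
    approvers: tuple          # staff IDs that approved the change
    callback_verified: bool   # confirmed via a contact on file before the change

@dataclass(frozen=True)
class Payment:
    vendor_id: str
    account: str
    amount: float
    pay_date: date

def hold_reasons(payment, changes):
    """Return the reasons to hold an EFT; an empty list means release."""
    matching = [c for c in changes
                if c.vendor_id == payment.vendor_id
                and c.new_account == payment.account
                and c.changed_on <= payment.pay_date]
    if not matching:
        return []  # no recorded change introduced this destination account
    change = max(matching, key=lambda c: c.changed_on)
    reasons = []
    if not change.callback_verified:
        reasons.append("bank change not verified out-of-band")
    if len(set(change.approvers)) < 2:
        reasons.append("bank change lacks two distinct approvers")
    recent = payment.pay_date - change.changed_on <= COOLING_OFF
    if recent and payment.amount >= HIGH_VALUE:
        reasons.append("high-value payment to recently changed account")
    return reasons

# Constructed sample data (vendor IDs, accounts, dates and amounts are invented).
CHANGES = [
    BankChange("V-100", "ACCT-NEW", date(2025, 1, 15), ("ap1", "ap1"), False),
    BankChange("V-200", "ACCT-B", date(2024, 3, 1), ("ap1", "ap2"), True),
]
PAYMENTS = [
    Payment("V-100", "ACCT-NEW", 800_000.00, date(2025, 2, 20)),
    Payment("V-200", "ACCT-B", 120_000.00, date(2025, 2, 20)),
]
```

A held payment should go to a reviewer who was not involved in approving the bank change.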
The recurring pattern of vendor scams in Baltimore indicates a troubling lack of institutional memory. Lessons from past frauds were not fully applied, creating a perfect environment for repeat offenses. By integrating proactive risk management, fraud insurance, and stricter verification policies, cities can significantly reduce their exposure.
Ultimately, Baltimore’s experience is a warning to all organizations that digital payments are only as secure as the people and processes managing them. Strengthening internal controls, enforcing accountability, and leveraging technology are crucial to defending against these increasingly sophisticated financial attacks.
🔍 Fact Checker Results:
✅ Verified: Total fraudulent payments amounted to \$1,524,621.04, with \$721,236.60 recovered.
✅ Verified: Scam executed via Business Email Compromise, targeting AP staff with fake bank details.
❌ No evidence found that any ransomware incidents in 2019 directly contributed to this specific vendor fraud.
📊 Prediction:
If Baltimore fails to implement stricter verification processes and automated safeguards, similar scams are likely to continue. Other municipalities with weak internal controls are equally vulnerable, suggesting a potential rise in high-value BEC attacks targeting local governments nationwide over the next 12–24 months.
References:
Reported By: securityaffairs.com




