A sophisticated scammer exploited vulnerabilities within Baltimore’s Department of Accounts Payable (AP) to steal more than $1.5 million, marking the third such incident in the city since 2019. By posing as a legitimate vendor, the fraudster manipulated city staff into redirecting two large payments—totaling $1,524,621.04—into a fraudulent bank account. This incident serves as a stark reminder of the financial risks posed by weak internal controls and a failure to implement robust fraud prevention protocols.
The scheme began in December 2024 when the fraudster, using a spoofed email, gained access to the vendor’s Workday account. Posing as an employee of the vendor, the scammer submitted a fraudulent supplier form to the city’s AP department. An AP employee, without proper verification, approved the form despite having incorrect details. This initial breach set the stage for the rest of the scam. Over the next month, the fraudster repeatedly attempted to change the vendor’s bank details, even submitting a fake voided check in a persistent effort to reroute payments.
The scam culminated in February and March 2025 with two successful fraudulent payments. The first payment of $803,384.44 and a second one for $721,236.60 were both completed via Electronic Funds Transfer (EFT) to the scammer’s account. This was only possible because a second set of AP employees approved the fraudulent bank change request without verifying the accompanying documentation. While the city was able to recover the smaller payment, the larger one remains unrecovered, forcing the city to file an insurance claim and re-issue the payments to the legitimate vendor.
According to Inspector General Isabel Mercedes Cumming, the primary cause of this fraud was the accounts payable department’s systemic lack of safeguards. The investigation revealed a critical failure to verify supplier information and a broader pattern of neglecting to adopt corrective measures following prior fraud cases. This institutional oversight created an environment ripe for exploitation and left the city’s finances exposed to this type of attack.
This latest incident is part of a troubling trend. Baltimore has now been a victim of at least two other similar vendor scams: a $62,000 loss in 2019 and a $376,000 loss in 2022. All three cases involved a scammer tricking city staff into changing vendor bank details. The repeated nature of these attacks underscores the urgent need for the city to overhaul its financial security protocols and implement rigorous verification processes to prevent future financial losses.
Reference: