Baltimore Conned Out of $375k

A new report by the Office of the Inspector General (OIG) has revealed that Baltimore city was tricked out of hundreds of thousands of dollars last year by a cyber-criminal posing as a vendor.

The OIG launched an investigation after receiving information from Baltimore’s Bureau of Accounting and Payroll Services (BAPS) in October 2021 regarding an alleged fraudulent Electronic Funds Transfer (EFT).

The alarm was raised over a contractor who had received funds from the Mayor’s Office of Children and Family Success (MOCFS).

A fraudster claiming to be associated with an employee from the vendor company emailed BAPS and MOCFS twice to request a change to the vendor’s EFT remittance information. 

The fraudster asked for the bank details kept on file for the vendor to be updated to a different bank account at another financial institution. 

“The OIG later determined that the email account associated with the Vendor Employee was compromised by a malicious actor, who established rules within the Vendor Employee’s email account as a result of a phishing attack,” noted inspector general Isabel Mercedes Cumming. 

She added: “Therefore, the malicious actor was able to correspond directly with City employees without the Vendor’s knowledge.”

On December 21 2020, BAPS complied with the fraudster’s change request and altered the bank details on file for the vendor company. BAPS made an electronic funds transfer to the new account the next day.

The bank detected that the transfer was fraudulent and returned the funds to the city’s banking institution. 

On January 5 2021, the fraudster contacted MOCFS and BAPS again, asking for the money to be transferred to a different account at a third financial institution. As verification, the fraudster supplied a bank letter and a copy of a voided check whose details matched the third account.

Believing the fraudster’s claims, BAPS paid $376,213.10 into the third account on January 7 2021. 

The OIG determined that BAPS had no list of authorized signatories for vendors. Instead of independently authenticating information and requests, BAPS relied on MOCFS and accepted an incoming phone call from an individual claiming to be the vendor’s chief financial officer (CFO).

The vendor is yet to be paid by the city but did get $50,000 from its insurance company.
