Ethical Hacking News
A recent Business Email Compromise (BEC) attack saw the city of Baltimore fall victim to a scammer who stole over $1.5 million by spoofing a vendor and convincing staff to alter bank account details. This heist highlights the need for organizations to prioritize robust internal controls and implement advanced threat protection measures to prevent similar attacks in the future.
A scammer duped the city of Baltimore out of over $1.5 million by posing as a vendor and tricking staff into changing bank account details. The scammer's modus operandi began in December 2024, using a fake email to access the vendor's Workday account and submitting a fake voided check in January 2025. Two employees approved the fraudulent bank change request without verifying documents, enabling the scheme. The city's Department of Accounts Payable lacked robust safeguards to verify supplier information, leaving it exposed to such attacks. This incident is part of a larger trend of business email compromise (BEC) attacks, which have been on the rise in recent years. To combat BEC attacks, organizations must prioritize internal controls and implement measures to prevent fraudsters from exploiting vulnerabilities in their systems.
In a shocking display of deception, a cunning scammer successfully duped the city of Baltimore out of over $1.5 million by posing as a vendor and tricking staff into changing bank account details. This brazen attack serves as a stark reminder of the ever-evolving nature of cybercrime, where scammers continue to refine their tactics to evade detection.
According to a recent investigative report published by Isabel Mercedes, Cumming Inspector General, the scammer's modus operandi began in December 2024 when they posed as a vendor employee using a fake email to access the vendor's Workday account. The unsuspecting AP employee approved the fraudulent supplier form without proper verification, despite incorrect details. This initial breach of trust paved the way for the scammer to repeatedly attempt to change the vendor's bank details, submitting a fake voided check in January 2025.
Two more AP employees later approved the fraudulent bank change request without verifying documents, effectively enabling the scheme. The investigation revealed that the city's Department of Accounts Payable (AP) lacked robust safeguards to verify supplier information and had failed to adopt corrective measures after prior fraud cases. This glaring oversight left the city exposed to such attacks.
This latest incident is not an isolated occurrence; Baltimore has suffered two other vendor scams since 2019, with losses totaling $62K in 2019 and $376K in 2022, all due to fake bank detail changes. The most recent attack underscores the pervasive nature of business email compromise (BEC) attacks, which have been on the rise in recent years.
BEC attacks typically involve scammers impersonating a legitimate vendor or supplier, creating a sense of urgency and trust among the victim's employees. By using social engineering tactics, these scammers can convincingly convince staff to make changes to sensitive financial information, such as bank account details. The consequences can be catastrophic, as seen in this recent Baltimore City incident.
To combat such attacks, organizations must prioritize robust internal controls and implement adequate measures to prevent fraudsters from exploiting vulnerabilities in their systems. This includes adopting a multi-layered approach that involves employee education, regular security audits, and the implementation of advanced threat protection tools.
Furthermore, law enforcement agencies and regulatory bodies must also take notice of these attacks and work together to crack down on scammers who pose as legitimate vendors. By strengthening international cooperation and information sharing, we can create a more effective barrier against such attacks.
In conclusion, this $1.5 million heist serves as a poignant reminder of the ever-present threat of cybercrime in today's digital landscape. As technology continues to advance at breakneck speed, scammers will undoubtedly continue to evolve their tactics to evade detection. It is imperative that organizations and law enforcement agencies stay vigilant and work together to combat these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-15-Million-Heist-Uncovering-the-Anatomy-of-a-Business-Email-Compromise-Attack-ehn.shtml
https://securityaffairs.com/181772/cyber-crime/fraudster-stole-over-1-5-million-from-city-of-baltimore.html
Published: Mon Sep 1 08:30:24 2025 by llama3.2 3B Q4_K_M
