Search
Choose a style
Dark
Light
Time to read: 5 min

How a fraudster stole over $800,000 from Baltimore City

Businessman holding a magnifier and searching a wooden model of a hacker in a business team. Representative of Baltimore AP fraud case 2025
Image: Shutterstock

Anatomy of a vendor-profile takeover, and what it says about public-sector payment controls.

Baltimore’s Office of the Inspector General (OIG) has published a synopsis of a recent payment fraud case that reads like a playbook for vendor-profile takeover fraud. 

In late 2024, a fraudster posed as a legitimate supplier contact, secured access to the vendor’s Workday account, and persuaded Accounts Payable (AP) staff to switch the vendor’s bank details to the fraudster’s account. 

That switch paved the way for two electronic fund transfers in early 2025 totalling just over $1.5m. The City recovered the second payment of $721,236.60 but has not clawed back the first, $803,384.44, which remains the loss underpinning this case. 

An insurance claim has been filed and the legitimate vendor has since been repaid.

Once made aware of the fraudulent transactions, AP immediately conducted an internal audit of the supplier’s Workday activity, explained Timothy Goldsby, Director of Accounts Payable said in a letter response to the findings. 

“[We] worked with BCIT to deactivate the fraudulent users’ business contact account, notified the legitimate supplier, and collaborated with the Bureau of Treasury Management to initiate partial payment recovery.”

“We also attempted to contact BPD’s cybercrime unit; however, per the OID, the contact information used was outdated.” 

How the compromise unfolded

The entry point was not a sophisticated cyber intrusion but a routine supplier contact update. On December 9, 2024, the fraudster submitted a supplier contact form using the name of a real employee of the vendor, yet with a non-company email address. 

Two days later, an AP employee approved the request and added the impostor to the vendor’s Workday profile, despite inaccuracies in the information provided and despite a different, verified contact already listed for the account. 

Timothy Goldsby, Director – Department of Accounts Pyable at City of Baltimore.

At this time AP procedures did not require staff to verify email domains or phone the vendor to confirm identity.

With a foothold in the supplier record, the fraudster began pushing to change bank details. A fraudulent voided cheque was submitted and, after a series of attempts, two AP employees approved a bank account change request. 

Workday logs show the vendor’s bank was switched to the fraudster’s bank on February 19, 2025. That change cleared the runway for payment redirection.

Baltimore then sent two payments to the new account: $803,384.44 on February 21 and $721,236.60 on March 10. The City’s bank alerted officials on March 13 after receiving a call from the fraudster’s bank about possible fraud. 

The OIG received the complaint on March 19, sought details on March 21, and learned AP had not successfully contacted the police; the OIG escalated to law enforcement on March 31 to initiate a criminal investigation.

The claim and the reality

On April 1, during a media interview, the City Comptroller’s Office suggested the perpetrator bypassed geofencing controls using a Starlink IP address. 

City IT staff told the OIG that Starlink did not affect the fraudster’s Workday access. The issue, in other words, was not a satellite workaround but weak identity and change-management checks around the supplier record.

Why this happened: control gaps, not clever code

The OIG points to a cluster of governance failures that made the fraud possible.

  • Identity verification that stops at the inbox. AP accepted a new supplier contact using a non-corporate email, with no independent callback to a known number and no signatory list to verify who is authorised to request changes. The absence of a simple out-of-band check was decisive.
  • Approvals that rubber-stamp master-data edits. Multiple AP staff approved a bank change without reviewing the supporting document, which was a forged cheque. Two people clicked “approve,” yet no one truly verified.
  • Policies that do not cover the riskiest moments. AP’s policy documents did not spell out steps for verifying supplier bank-detail changes, leaving staff without a mandatory protocol for high-risk edits. The OIG also says Workday internal controls could be strengthened to better flag and gatekeep sensitive changes.
  • A pattern, not a one-off. The watchdog links this incident to similar frauds investigated in 2020 and 2022, again tied to gaps in internal controls. That history suggests institutional learning did not translate into hardened processes.

In his response, Goldsby acknowledge the incident was as a result of “vulnerabilities in verification procedures” and “insifficient supplier account safeguards.”

“We also acknowledge that controls recommended in previous reports were not fully instituionalised prior to AP’s transition from the department of finance to the office of the comptroller in january 2023.”

– timothy goldsby, Director of Accounts payable

The cost and the clean-up

The immediate financial hit stands at $803,384.44. Although a second fraudulent transfer was clawed back and insurance may offset part of the loss, the City still had to repay its supplier, absorb investigative costs and face public scrutiny.

The case also raised concerns over Baltimore’s response, with the Office of Inspector General noting it had to intervene to ensure police became involved.

In the aftermath, the City is overhauling its safeguards. A new standard operating procedure for supplier contacts and banking updates is being introduced, with mandatory cross-verification for any account changes.

Workday will also see new protections from August. These include restricting who can make sensitive supplier updates, sending automated email alerts to suppliers about pending changes, and enforcing a 48-hour approval delay with layered reviews for settlement account modifications. The system will also flag unusual, duplicate or rapid activity on supplier profiles.

Alongside these measures, Baltimore is expanding fraud awareness training for accounts payable staff and committing to daily monitoring of supplier activity to detect anomalies more quickly.

Subscribe to our newsletter