IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Report Confirms Baltimore, Md., Was Duped by Phishing Scam

A report from the Office of the Inspector General shows that Baltimore fell victim to a phishing scam last year when a hacker posed as a city vendor. Since the scam, new cyber policies have been established.

Phishing Scam
(TNS) — Baltimore City fell victim to a $376,213 phishing scam last year after a hacker posed as a city vendor, according to a report issued Tuesday by the Office of the Inspector General.

The payments were being sent from the Mayor’s Office of Children and Family Success and the report concluded that there were insufficient practices in place to prevent future fraudulent requests “as there was a lack of authentication.”

The report said that on Dec. 22, 2020, and Jan. 7, 2021, the city’s Bureau of Accounting and Payroll Services and MOCFS were sent an email from an account associated with an employee from a vendor company asking to change its electronic funds transfer. The inspector general said the email account was “compromised by a malicious actor” and was able to correspond directly with the city without the vendor’s knowledge.

The city’s payroll changed the banking remittance, and the new bank flagged the money as fraudulent and returned the funds to the city.

Almost a year later, the account associated with the fraudulent email contacted MOCFS and asked to change banks again. The city agency received a copy of a voided check in the vendor’s name from the requestor and processed $376,213 to match the new information, the president said.

The report found that payroll employees don’t have access to a list of authorized signatories for vendors and rely on information from city representatives.

Department of Finance Director Henry Raymond said the department “immediately strengthened internal controls” to add more verification processes.

New policies have since been put in place, the report said, to make sure finance employees independently verify bank changes with an executive-level employee from the requesting vendor. The finance department has also removed city agencies from the accounting procedures from vendors.

The vendor has not received full payment from the city but did get $50,000 from its insurance company for a phishing loss claim, the report said. The hacker’s account was also frozen, and the $38,730.15 balance was placed into a separate account.

©2022 Baltimore Sun. Distributed by Tribune Content Agency, LLC.