Baltimore City fell victim to a phishing scam that cost it $376,213 last year after a hacker posed as a city vendor, though about 10% of that money has since been recovered, according to a report issued Tuesday by the Office of the Inspector General.
The payments were sent to a vendor working for the Mayor’s Office of Children and Family Success, and the report, written by city Inspector General Isabel Cumming, concluded that the city had insufficient practices in place to prevent future fraudulent requests “as there was a lack of authentication.”
The report said that the city’s Bureau of Accounting and Payroll Services and the children’s office received an email on Dec. 22, 2020, from an account associated with an employee from a vendor company asking to change information for its electronic funds transfer. The inspector general said the vendor’s email account was “compromised by a malicious actor” who was able to correspond directly with the city without the vendor’s knowledge.
The city’s accounting bureau changed the banking remittance and sent the payment, but the new bank flagged the money as fraudulent and returned the funds to the city, according to the inspector general’s report.
A few weeks later, on Jan. 7, 2021, the Mayor’s Office of Children and Family Success received another fraudulent email from the compromised vendor account that asked to change banks again, the report said. The city agency received a copy of a voided check with the vendor’s name from the requestor and had the Bureau of Accounting and Payroll Services process a $376,213 payment to match the new information, the inspector general said.
The report found that payroll employees don’t have access to a list of authorized signatories for vendors and rely on information from city representatives.
Department of Finance Director Henry Raymond said the department “immediately strengthened internal controls” to add more verification processes.
New policies have since been put in place, the report said, to make sure finance employees independently verify bank changes with an executive-level employee from the requesting vendor. The finance department also has removed city agencies from the accounting procedures involving vendors.
The vendor has not received full payment from the city but did get $50,000 from its insurance company for a phishing loss claim, the report said.
The hacker’s account that received the $376,213 was frozen, and the $38,730.15 balance was placed into a separate account and eventually returned to the city.