City of Baltimore Loses Over $1.5M to BEC Attack, a Low-Tech But High-Impact Scam

Key Takeaways:
- The City of Baltimore lost over $1.5M in a business email compromise (BEC) attack in early 2025.
- The attacks occurred despite having established internal controls after similar attacks occurred in 2019 and 2022.
- BEC attacks are on the rise; it's not a matter of if but when one will hit your organization, unless you protect yourself, of course.
- While difficult to block with sophisticated security tools, these attacks can be prevented with simple but effective techniques.

The City of Baltimore in Maryland, US, lost over $1.5M earlier this year after a fraudster diverted a payment meant for one of the city's authorized vendors to their own account.
Based on the August 27 report of Baltimore's Office of the Inspector General, the scam occurred between February and March of this year.

The actual attack began in December 2024 when the fraudster submitted a supplier contact form to the city, posing as an employee of one of its vendors.
Although the fraudster used an email address that wasn't issued by the vendor, the city employees didn't verify this information (typical city employees...?).
The employees then added the fraudster to the vendor's Workday account, which is an invoicing platform for the city's vendors.
Now having access to the Workday account, the fraudster replaced the vendor's bank account details with their own. Eventually, they were able to charge the city $803,384.44 in February and $721,236.60 the following month.
But here's the kicker: this isn't the first time that the city has lost money to a scam.
The City of Baltimore has already lost $62,377.50 in 2019 and an additional $376,213.10 in 2021 in similar incidents.
Despite having established internal controls after these incidents, this year's scam revealed that the city employees didn't use them, which enabled the attacks to succeed.
The Growing Risk of BEC Attacks

The Baltimore scam is only one of a growing number of business email compromise (BEC) attacks worldwide.
A BEC attack can occur when a scammer impersonates a trusted person (e.g., a vendor's employee) and convinces the victim's employees to give them access to sensitive data or, in Baltimore's case, a vendor's account.
According to The SSL Store, US businesses alone lost over $2.9B to this type of attack in 2023.

The numbers can only grow as techniques become more sophisticated.
One of the biggest factors that can contribute to the rise of BEC attacks is AI. This can come in various forms, including the following:
- Writing an email that mimics the writing style of certain executives. This can dupe the recipient into thinking the email is genuine.
- Voice cloning and video deepfakes can take the scam to the next level by impersonating an employee's voice and facial features.
- AI chatbots that impersonate coworkers. This can help scammers successfully persuade an employee to divulge sensitive information.
Of course, there are also the tried-and-tested tools for perpetrating BEC attacks:
- Emails sent from a spoofed legitimate address can convince the recipient that the message is genuine.
- Scammers can also register look-alike domains to make emails and phishing websites look more convincing.
- Phone numbers can be spoofed, too, to make it appear that a trusted person or entity is calling.
Then there's the human factor. Social engineering techniques, where scammers dupe victims into sharing confidential information, can trump even the most advanced technologies for preventing BEC attacks.
Unlike using malware or spoofed email addresses, social engineering attacks are much harder to block using tools like email filters. This is what made the attack on the City of Baltimore especially effective.
Ways to Protect Your Organization from BEC Attacks

As we've seen in the case of the City of Baltimore, organizations can repeatedly fall victim to BEC attacks even with protocols in place.
They're harder to block because they target people within the organization, not just their IT infrastructure. The good news is that there are ways to minimize your organization's risk, including the following:
- Verify information. The attack on Baltimore succeeded because city employees didn't verify the scammer's email address. To prevent this, require at least two employees to verify any request to change supplier or partner details, and contact the supplier or partner directly, using contact details already on file rather than those in the request, to confirm that it was indeed they who asked for the change.
- Conduct regular security training. This helps employees look closely at details such as misspelled email addresses and look-alike websites. Running simulated phishing exercises can also keep them alert to these tricks.
- Manage who can approve payments and alter information. Ensure that only authorized personnel can do these things, especially for large payments.
- Report incidents immediately. If a BEC attack happens, report it to your bank and the police right away. This increases your chances of freezing the transfer and recovering the stolen funds.
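One way to encode the verification, dual-approval and payment-review controls described above as a simple check, added here as an illustration; this is not the city's or Workday's code, and the vendor record, email addresses, dates and amounts are constructed.

```python
"""Vendor bank-detail change control: an added illustration, not a real system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed vendor master record: the email domain the vendor is known to use.
VENDOR_MASTER = {"V-1001": {"name": "Example Paving Co", "domain": "examplepaving.example"}}


@dataclass
class BankChangeRequest:
    vendor_id: str
    requester_email: str          # address given on the supplier contact form
    new_account: str              # bank account the requester wants on file
    submitted: datetime
    approvers: set = field(default_factory=set)
    callback_confirmed: bool = False  # phoned the number already on file, not the form's


def domain_matches_vendor(req: BankChangeRequest) -> bool:
    """The requester's email domain must be the one recorded for that vendor."""
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    return domain == VENDOR_MASTER[req.vendor_id]["domain"]


def change_approved(req: BankChangeRequest, min_approvers: int = 2) -> bool:
    """Apply the change only if the domain checks out, two distinct staff approved
    it, and the vendor confirmed it through an out-of-band callback."""
    return (domain_matches_vendor(req)
            and len(req.approvers) >= min_approvers
            and req.callback_confirmed)


def payment_flags(req: BankChangeRequest, amount: float, pay_date: datetime,
                  review_days: int = 90, large: float = 100_000) -> list:
    """Reasons a payment to this vendor should be held for manual review."""
    flags = []
    if pay_date - req.submitted < timedelta(days=review_days):
        flags.append("recent-bank-change")   # account was changed not long ago
    if amount >= large:
        flags.append("large-payment")        # over the authorized-personnel threshold
    return flags
```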
When it comes to BEC attacks, it's not a question of if but when one could happen to you. While they are less technologically advanced than other cyberattacks, BEC attacks prove very effective because they exploit your employees rather than your IT infrastructure.
These attacks will continue to evolve, which is why it's important to always be several steps ahead of potential scams.
Regularly training your employees, verifying information and transactions, and strictly enforcing who can approve payments are just a few ways to do this.
The post City of Baltimore Loses Over $1.5M to BEC Attack, a Low-Tech But High-Impact Scam appeared first on Techreport.