Baltimore lost $800,000 in vendor payment fraud scheme, inspector general finds
Baltimore lost more than $800,000 to a fraudster who tricked employees at the city's Department of Accounts Payable (AP) into changing a vendor's bank account information, according to a report from the Office of the Inspector General (OIG).
The scheme ultimately diverted $1.52 million in city funds, but $721,236 was recovered, per the report. The city is still out $803,384.
The accounts payable department was moved from the Department of Finance to the Comptroller's Office in January 2023, the OIG said.
Fraud scheme unfolds in Baltimore
According to the OIG, the fraudster, who was not named in the report, began the scheme in December 2024 by submitting a fake supplier contact form in Workday, using the name of a real employee of a city vendor.
The scammer provided a personal email address instead of the company's official one, and an AP employee approved the fake contact without verifying the identity with the vendor — a precaution not required by AP policy at the time.
This gave the fraudster access to the vendor's Workday account, the OIG said.
Then, in January, the fraudster submitted fake voided checks and multiple bank account change requests, which were eventually approved by two additional AP employees in February through the Workday system.
By Feb. 19, the vendor's bank account had been changed to the fraudster's account. The Comptroller's Office then sent $803,384.44 on Feb. 21 and another $721,236.60 on March 10.
The fraud came to light when the city's financial institution got a call from the fraudster's bank about suspicious activity on March 13. Accounts payable staff then contacted the real vendor, who had no idea their account information had been altered, the OIG said.
Ongoing security concerns
The inspector general noted that AP policies at the time did not require phone verification of vendor contacts or banking changes, and employees did not maintain vendor signatory lists. Similar weaknesses had been flagged in fraud cases in 2020 and 2022.
The OIG received notice of the fraud on March 19, six days after the Department of Finance was alerted.
Investigators later discovered that, although the Comptroller's Office initially claimed the fraudster had bypassed city geo-fencing using Starlink internet, the city's IT office confirmed Starlink played no role.
Although AP told the OIG it would contact the Baltimore Police Department (BPD) on March 24, investigators said the OIG ultimately reached out to law enforcement itself on March 31 to ensure a criminal investigation was opened.
The report did not detail the results of BPD's criminal investigation.
Comptroller's Office implements safeguards
In a letter to the OIG, the Comptroller's Office said it has since adopted new safeguards.
The changes include requiring phone calls to verify all banking changes, instituting a 48-hour waiting period before account modifications take effect, and adding automated alerts in Workday.
The office also now restricts who can approve sensitive changes and conducts daily monitoring for unusual vendor activity.