City of Baltimore Loses Over $1.5M to BEC Attack, a Low-Tech But High-Impact Scam
Key Takeaways:
- The City of Baltimore lost over $1.5M in a business email compromise (BEC) attack in early 2025.
- The attacks occurred despite having established internal controls after similar attacks occurred in 2019 and 2022.
- BEC attacks are on the rise—it’s not a matter of it but when it will happen to your organization. Unless you protect yourself, of course.
- While difficult to block with sophisticated security tools, these attacks can be prevented by simple but effective techniques.
The City of Baltimore in Maryland, US, lost over $1.5M earlier this year after a fraudster diverted to their account a payment meant for one of the city’s authorized vendors.
Based on the August 27 report of Baltimore’s Office of the Inspector General, the scam occurred between February and March of this year.
The actual attack began in December 2024 when the fraudster submitted a supplier contact form to the city, posing as an employee of one of its vendors.
Although the fraudster used an email address that wasn’t issued by the vendor, the city employees didn’t verify this information (typical city employees…?).
The employees then added the fraudster to the vendor’s Workday account, which is an invoicing platform for the city’s vendors.
Now having access to the Workday account, the fraudster changed the vendor’s bank account with theirs. Eventually, they were able to charge the city $803,384.44 in February and $721,236.60 the following month.
But here’s the kicker: this isn’t the first time that the city has lost money to a scam.
The City of Baltimore has already lost $62,377.50 in 2019 and an additional $376,213.10 in 2021 in similar incidents.
Despite having established internal controls after these incidents, this year’s scam revealed that the city employees didn’t use them, which enabled the attacks to succeed.
The Growing Risk of BEC Attacks
The Baltimore scam is only one of the growing number of business email compromise (BEC) attacks worldwide.
A BEC attack can occur when a scammer impersonates a trusted person (e.g., a vendor’s employee) and convinces the victim’s employees to give them access to sensitive data or, in Baltimore’s case, a vendor’s account.
According to The SSL Store, US businesses alone have lost over $2.9B from this type of attack in 2023.
The numbers can only grow as techniques become sophisticated.
One of the biggest factors that can contribute to the rise of BEC attacks is AI. This can come in various forms, including the following:
- Writing an email that mimics the writing style of certain executives. This can dupe the recipient into thinking the email is genuine.
- Voice cloning and video deepfakes can take the scam to the next level by impersonating an employee’s voice and facial features.
- AI chatbots that impersonate coworkers. This can help scammers successfully persuade an employee to divulge sensitive information.
Of course, there are these tried-and-tested tools for perpetrating BEC attacks:
- Emails that spoof a legitimate email address can convince the recipient that it’s legitimate.
- Scammers can also use fake domains to make emails and phishing websites look more convincing.
- Phone numbers can be spoofed too to make it appear that a trusted person or entity is making a call.
Then there’s the human factor. Social engineering techniques, where scammers dupe victims into sharing confidential information, can trump even the most advanced technologies for preventing BEC attacks.
Unlike using malware or spoofed email addresses, social engineering attacks are much harder to block using tools like email filters. This is what made the attack on the City of Baltimore especially effective.
Ways to Protect Your Organization from BEC Attacks
As we’ve seen in the case of the City of Baltimore, organizations can repeatedly experience BEC attacks even with protocols in place.
They’re harder to block because they target people within the organization, not just their IT infrastructure. The good news is that there are ways to minimize your organization’s risk, including the following:
- Verify information. The attack on Baltimore succeeded because the city employees didn’t verify the scammer’s email address. To prevent this, you can require at least two employees to verify information, and contact the supplier or partner if it’s indeed them making the request to change their information.
- Conduct regular security training. This can help your employees look closely at information, such as misspelled email addresses and websites. Running simulated attacks can also make them more aware of them.
- Manage who can approve payments and alter information. Ensure that only authorized personnel can do these things, especially with large payments.
- Report incidents immediately. If a BEC attack happens, report it to your bank and the police right away. This will increase your chances of freezing and getting back the stolen funds.
BEC Attacks Are Inevitable But Preventable
When it comes to BEC attacks, it’s not a question of if but when it could happen to you. While it’s less technologically advanced than other cyberattacks, BEC attacks prove very effective since they exploit your employees rather than your IT infrastructure.
These attacks will continue to evolve, which is why it’s important to always be several steps ahead of potential scams.
Regularly training your employees, verifying information and transactions, and strictly enforcing who can approve payments are just a few ways to do this.
As technology continues to evolve—from the return of ‘dumbphones’ to faster and sleeker computers—seasoned tech journalist, Cedric Solidon, continues to dedicate himself to writing stories that inform, empower, and connect with readers across all levels of digital literacy. With 20 years of professional writing experience, this University of the Philippines Journalism graduate has carved out a niche as a trusted voice in tech media. Read more
Whether he’s breaking down the latest advancements in cybersecurity or explaining how silicon-carbon batteries can extend your phone’s battery life, his writing remains rooted in clarity, curiosity, and utility. Long before he was writing for Techreport, HP, Citrix, SAP, Globe Telecom, CyberGhost VPN, and ExpressVPN, Cedric’s love for technology began at home courtesy of a Nintendo Family Computer and a stack of tech magazines. Growing up, his days were often filled with sessions of Contra, Bomberman, Red Alert 2, and the criminally underrated Crusader: No Regret.
But gaming wasn’t his only gateway to tech. He devoured every T3, PCMag, and PC Gamer issue he could get his hands on, often reading them cover to cover. It wasn’t long before he explored the early web in IRC chatrooms, online forums, and fledgling tech blogs, soaking in every byte of knowledge from the late ’90s and early 2000s internet boom. That fascination with tech didn’t just stick. It evolved into a full-blown calling. After graduating with a degree in Journalism, he began his writing career at the dawn of Web 2.0.
What started with small editorial roles and freelance gigs soon grew into a full-fledged career. He has since collaborated with global tech leaders, lending his voice to content that bridges technical expertise with everyday usability. He’s also written annual reports for Globe Telecom and consumer-friendly guides for VPN companies like CyberGhost and ExpressVPN, empowering readers to understand the importance of digital privacy.
His versatility spans not just tech journalism but also technical writing. He once worked with a local tech company developing web and mobile apps for logistics firms, crafting documentation and communication materials that brought together user-friendliness with deep technical understanding. That experience sharpened his ability to break down dense, often jargon-heavy material into content that speaks clearly to both developers and decision-makers. At the heart of his work lies a simple belief: technology should feel empowering, not intimidating.
Even if the likes of smartphones and AI are now commonplace, he understands that there’s still a knowledge gap, especially when it comes to hardware or the real-world benefits of new tools. His writing hopes to help close that gap. Cedric’s writing style reflects that mission. It’s friendly without being fluffy and informative without being overwhelming. Whether writing for seasoned IT professionals or casual readers curious about the latest gadgets, he focuses on how a piece of technology can improve our lives, boost our productivity, or make our work more efficient.
That human-first approach makes his content feel more like a conversation than a technical manual. As his writing career progresses, his passion for tech journalism remains as strong as ever. With the growing need for accessible, responsible tech communication, he sees his role not just as a journalist but as a guide who helps readers navigate a digital world that’s often as confusing as it is exciting. From reviewing the latest devices to unpacking global tech trends, Cedric isn’t just reporting on the future; he’s helping to write it. Read less
The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.
