
Employee lapses led to a $1.5 million theft by a cybercrook, Baltimore inspector general finds
Isabel Mercedes Cumming reviews how an unknown perpetrator deceived city employees. Some of the money was recovered thanks to an alert bank.
Above: City Hall from Fayette Street. (Mark Reutter)
Baltimore Inspector General Isabel Mercedes Cumming described today how a still-unknown criminal gained access to the city’s electronic Workday system earlier this year and diverted $1.5 million intended as payments to a legitimate vendor.
Between December 2024 and March 2025, the online thief gained access to the vendor’s Workday account, submitted false information, changed the vendor’s bank account and secured two electronic payments totaling $1,524,621.
Only after the criminal’s bank alerted the city to potential fraud did Comptroller Bill Henry’s office realize it had been swindled – and was able to recover the second payment of $721,000.
His office later told a media outlet that the perpetrator had bypassed the city’s geofencing system by using an IP address set up through Starlink, a satellite internet network. “They have very good technology,” Deputy Comptroller Erika McClammy told the Baltimore Banner.
In today’s report, Cumming said her investigators established that “Starlink did not impact the fraudster’s Workday access.”
Instead, employees at the Department of Accounts Payable (AP) missed clues and failed to verify changes submitted by the cybercriminal, allowing the fraud to proceed:
• AP Employee 1 verified a contact form without confirming that the name and email address were accurate, then accepted a voided check that created a new bank account in Workday for the vendor. “The OIG determined that the voided check submitted was fraudulent,” Cumming wrote.
• AP Employee 2 approved another bank account change, later telling the OIG that “they did not recall viewing the voided check.”
• AP Employee 3 separately ratified the bank account request, also telling Cumming they couldn’t remember any voided check.
“Correspondence between AP personnel and the fraudster during January and February 2025 showed the fraudster requested the fraudster’s bank account to be listed as the vendor’s active bank. According to Workday, AP Employee 2 changed the vendor’s bank to the fraudster’s bank on February 19, 2025,” the report notes.
On February 21, $803,384 was paid to the bank and immediately cashed.
On March 10, another $721,237 was sent to the same account.
The bank flagged this payment as potentially fraudulent. It was frozen and reversed back to the city’s bank. The first payment was never recovered.

IG Isabel Mercedes Cumming testifies about poor conditions at city sanitation yards at a City Council hearing in April. (CharmTV)
A Slow Response
Delays in reporting the theft to law enforcement thwarted efforts to identify the cybercrook, according to the report.
Cumming’s office was notified of the fraud a week after the city got the news from the bank. Another five days passed before Accounts Payable provided a summary of the transactions.
Accounts Payable also had promised to notify Baltimore Police’s Cybercrime Unit. But “after learning that Accounts Payable did not successfully make contact with BPD,” Cumming said she spoke directly to law enforcement so a criminal investigation could be launched.
In 2023, Accounts Payable was moved from the Department of Finance to the Comptroller’s Office, and the latter should have been better prepared to detect internet fraud on the Workday platform, the report says.
“The OIG investigated similar fraud incidents in 2020 and 2021 due to lack of internal controls within the Bureau of Accounting and Payroll Services (BAPS). Office of the Comptroller leadership told the OIG that changes may have been made in the city’s previous accounting system as a result of the OIG’s previous investigations, but those changes were not implemented when the city transitioned to Workday.”
Added Guardrails
In response to the report, Accounts Payable Director Timothy L. Goldsby Jr. took ownership of the problem, saying the fraudulent payments were “enabled by vulnerabilities in verification procedures and insufficient supplier account safeguards.”
“We also acknowledge,” he added, “that controls recommended in previous reports were not fully institutionalized prior to AP’s transition from the Department of Finance to the Office of the Comptroller in January 2023.”
Goldsby said that the following safeguards will be put in place this month:
• Creation of a restricted user role authorized to initiate updates to supplier profiles.
• Automated email alerts to supplier contacts before making profile changes.
• A 48-hour approval delay with layered reviews for account modifications.
• Expanded staff training on fraud detection.
• Daily monitoring of supplier activity within Workday to detect anomalies.
His office is also engaged in “ongoing conversations” with the Bureau of Treasury Management about adding bank account validation tools to the payment system, he told the inspector general.