[BreachExchange] OIG Report: City Victim Of $375K Phishing Attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Feb 16 09:30:50 EST 2022


https://baltimore.cbslocal.com/2022/02/15/oig-report-city-victim-375k-phishing-attack/

BALTIMORE (WJZ) — Baltimore City was the victim of a phishing scheme last
year when it sent more than $375,000 to a hacker posing as a vendor with
municipal contracts, according to a new report from the Office of the
Inspector General.

The company was receiving monthly payments from the Mayor’s Office of
Children and Family Success. According to the report, the office and the
finance department’s Bureau of Accounting and Payroll Services were twice
contacted by email about changing the bank information for the payments.

But the vendor’s email account had been “compromised by a malicious actor,”
allowing a hacker to correspond with municipal employees without the
company knowing, the report said.

On Dec. 22, 2020, the city tried to send an Electronic Funds Transfer
payment to the company, one day after the vendor’s account information had
been switched from one bank to another, the report said.

The bank on the receiving end of the transfer flagged the transaction as
fraudulent and returned the funds.

On Jan. 5, 2021, the hacker made another request to switch accounts to a
third bank, providing a letter and voided check in the vendor’s name.
Someone claiming to be the vendor’s chief financial officer also called the
Department of Finance to discuss the change, the report said.

Two days later, the city sent a payment of $376,213.10, the report said.

The vendor has not received full payment from the city but did get
$50,000 from its insurance company for a phishing loss claim.

The hacker’s account was frozen, and the $38,730.15 balance was placed into
a separate account, the bank said.

According to the Office of the Inspector General, at the time of the
phishing attack, employees in the Bureau of Accounting and Payroll Services
did not have an authorized list of signatories for vendors and had to rely
on the heads of other city departments for that information.

And the bureau did not independently verify the request to change the
account after the purported call from the chief financial officer, the
report said.

In a response letter, Department of Finance Director Henry Raymond said the
office “has immediately strengthened internal protocols” and continues to
review its policies.