Key findings:
- In early 2025, the city of Baltimore lost more than $1.5 million to a business email compromise (BEC) scam.
- The fraud succeeded despite internal controls introduced after two earlier, smaller incidents.
- BEC attacks are on the rise; the question is not whether one will target your organization but when, unless you put protections in place.
- These attacks are hard to block with security tooling alone, but simple, consistently enforced process controls can stop them.

The city of Baltimore in Maryland, US, lost more than $1.5 million earlier this year after a scammer diverted payments intended for one of the city's approved vendors to an account under the scammer's control.
According to the Baltimore Inspector General's report dated Aug. 27, the fraud occurred between February and March this year.

The attack actually began in December 2024, when the scammer, posing as an employee of one of the city's vendors, submitted a vendor contact form to the city.
Although the scammer used an email address that the vendor had never provided, city employees did not verify it against the vendor's contact details on file.
The employees then added the scammer to the vendor's Workday account, Workday being the city's vendor billing platform.
With access to the Workday account, the fraudster replaced the vendor's bank account details with their own. Two payments followed: $803,384.44 in February and $721,236.60 the following month.
The notable part is that this is not the first time the city has lost money this way.
Baltimore City had already lost $62,377.50 in 2019 and a further US$376,213.10 in 2021 in similar incidents.
Internal controls were put in place after those incidents, but this year's fraud revealed that city employees did not follow them, which is what allowed the attack to succeed.
Growing risk of BEC attacks
The Baltimore scam is just one of a growing number of business email compromise (BEC) attacks around the world.
In a BEC attack, a fraudster impersonates a trusted party (such as a vendor employee) and persuades the victim's staff to hand over sensitive data or, as in Baltimore's case, control of a vendor account and its payment details.
According to The SSL Store, US companies alone lost more than $2.9 billion to this type of attack in 2023.

Their number will only grow as the available tooling improves.
One of the biggest factors contributing to the rise in BEC attacks is artificial intelligence. It shows up in several forms, including the following:
- Emails written to imitate the style of a particular executive, so the recipient believes the message is genuine.
- Voice cloning and video deepfakes, which take the fraud further by impersonating an employee's voice and face.
- AI chatbots posing as colleagues, which help scammers talk an employee into disclosing sensitive information.
Alongside AI, the established tools of BEC remain in use:
- Spoofed sender addresses, where the visible From address is a legitimate one, lend an email credibility.
- Lookalike domains (a vendor's name with a swapped character or a different top-level domain) make emails and phishing websites appear more convincing.
- Caller ID can also be spoofed so that a call appears to come from a trusted person or organization.
Then there is the human factor. When scammers use social engineering to trick victims into sharing sensitive information, even the most advanced BEC prevention technology can be bypassed.
Unlike malware or spoofed email addresses, social engineering is much harder to block with tools such as email filters. This is what made the attack on the city of Baltimore so effective.
Ways to protect your organization from BEC attacks
As the City of Baltimore shows, organizations can be targeted by BEC attacks repeatedly, even with protocols in place.
These attacks are harder to block because they target the people in an organization, not just its IT infrastructure. The good news is that there are ways to minimize your organization's risk, including the following:
- Verify the information. The Baltimore attack succeeded because city staff did not confirm that the scammer's email address belonged to the vendor. Require at least two employees to review any request to change a vendor's contact or bank details, and confirm the request with the vendor through a contact channel already on file, not one supplied in the request itself.
- Provide regular security awareness training. This helps employees spot telltale signs such as misspelled email addresses and lookalike domains. Simulated phishing exercises also raise awareness.
- Control who can approve payments and change vendor information. Make sure only authorized personnel can do these things, especially for large payments.
- Report incidents immediately. If a BEC attack occurs, report it to your bank and to law enforcement at once; the sooner a fraudulent transfer is reported, the better the chance of freezing and recovering the funds.
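Two of the points above lend themselves to code: recognizing a lookalike domain (the swapped character or TLD trick listed under the established BEC tools) and gating a vendor bank-detail change on two reviewers plus a call-back to a number already on file. The following is an added example, not code from the original article or from the City of Baltimore. The vendor record, its domain, phone number and the homoglyph table are constructed for illustration; the split of a domain into label and TLD is simplified and ignores public-suffix rules such as `co.uk`.

```python
"""Added example: lookalike-domain detection for vendor email and a
two-person, call-back-verified gate for vendor bank-detail changes.
Vendor master data below is constructed; thresholds are illustrative."""
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master record (hypothetical vendor, domain and phone).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Supply Co",
        "domains": {"acmesupply.com"},
        "phone_on_file": "+1-410-555-0100",
    },
}

# Characters and digraphs that attackers commonly substitute for one another.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("\u0131", "i"))


def normalize_label(label: str) -> str:
    """Fold case, strip accents and collapse common homoglyphs so that
    'acrnésupp1y' and 'acmesupply' compare equal."""
    text = unicodedata.normalize("NFKD", label)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character near misses such as 'acme-supply'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (second-level label, TLD). Simplified: no public-suffix list,
    so 'example.co.uk' would be split as ('co', 'uk')."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")


def classify_sender(sender_email: str, vendor_id: str) -> str:
    """'registered' if the sender domain is one the vendor supplied,
    'lookalike' if it is a homoglyph, near miss or TLD swap of one,
    otherwise 'unrelated'."""
    domain = sender_email.rsplit("@", 1)[-1].strip().lower()
    registered = VENDOR_MASTER[vendor_id]["domains"]
    if domain in registered:
        return "registered"
    s_base, _ = split_domain(domain)
    for reg in registered:
        r_base, _ = split_domain(reg)
        ns, nr = normalize_label(s_base), normalize_label(r_base)
        if ns == nr or levenshtein(ns, nr) <= 1:
            return "lookalike"
    return "unrelated"


@dataclass
class ChangeRequest:
    vendor_id: str
    requester_email: str
    new_bank_account: str
    approvers: set = field(default_factory=set)      # internal staff who reviewed it
    callback_confirmed_with: Optional[str] = None    # number actually dialled


def vendor_change_allowed(req: ChangeRequest):
    """Four-eyes plus out-of-band check for a bank-detail change.
    Returns (allowed, reasons); any single reason blocks the change."""
    reasons = []
    sender_class = classify_sender(req.requester_email, req.vendor_id)
    if sender_class != "registered":
        reasons.append(f"requester domain is {sender_class}, not one the vendor supplied")
    if len(req.approvers) < 2:
        reasons.append("fewer than two distinct approvers")
    phone = VENDOR_MASTER[req.vendor_id]["phone_on_file"]
    if req.callback_confirmed_with != phone:
        reasons.append("no call-back to the phone number already on file")
    return (not reasons, reasons)


if __name__ == "__main__":
    for addr in ("j.doe@acmesupply.com", "j.doe@acrnesupply.com",
                 "j.doe@acmesupply.co", "j.doe@acme-supply.com", "j.doe@gmail.com"):
        print(f"{addr:28} -> {classify_sender(addr, 'V-1001')}")
    bad = ChangeRequest("V-1001", "j.doe@acrnesupply.com", "123456789",
                        approvers={"ap.clerk"})
    print(vendor_change_allowed(bad))
```

The gate deliberately checks the call-back against the number already in the vendor master, not a number quoted in the request: a scammer who can send the email can also supply a phone number they control. Normalization is applied to both sides of every comparison, so the homoglyph table only needs to be good enough to make the attacker's string collide with the genuine one; it is not a canonical form.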
BEC attempts are inevitable, but the losses are preventable
When it comes to BEC attacks, the question is not whether one will happen to you, but when. Although BEC attacks are technically less sophisticated than other cyber attacks, they are very effective because they exploit your employees rather than your IT infrastructure.
These attacks will keep evolving, so it is important to stay a few steps ahead of potential scammers.
Regular employee training, verification of information and transactions, and strict control over who can approve payments are just a few ways to do that.
The post "The city of Baltimore lost more than $1.5 million due to the BEC attack, a low-tech but highly effective scam" first appeared on Technical report.