
A scammer stole over $1.5 million from the City of Baltimore by impersonating a legitimate vendor and altering payment details inside the city’s Workday platform, according to an official investigation published by the Office of the Inspector General on August 27, 2025.
The OIG report states that the fraudster submitted forged forms and managed to bypass identity checks. They rerouted two city payments into an attacker-controlled account. One of the payments was recovered, but more than $800,000 remains unrecovered.
Initial details of the scam were first reported by The Record, with additional findings drawn from the Baltimore Inspector General’s official investigation.
The attacker didn’t use malware or breach Baltimore’s internal networks. Instead, they exploited vendor controls, unverified approval workflows, and trust-based assumptions inside Workday to reroute $1.5M in electronic fund transfers.
The scammer submitted a forged supplier contact form in the name of a real vendor employee, but used a non-corporate email address and fraudulent bank account details.
Weeks after, three city employees approved the bank account changes without calling the vendor, checking the domain, or flagging document discrepancies.
“On March 13, 2025, the City’s financial institution (City’s Bank) notified DOF about a call they received from the Fraudster’s Bank regarding potential fraud. Upon DOF’s notification, AP personnel informed the Vendor about the fraudulent activity,” the City of Baltimore Office of the Inspector General (OIG) report read.
One payment of $721,236.60 was recovered. Another $803,384.44 is yet to be recovered. An insurance claim was filed. Altogether, the scammer diverted $1,524,621.04 from city coffers in the name of a legitimate vendor, but it never reached them.
“On August 8, 2022, the City implemented Workday as its procurement and supplier platform to replace its previous purchasing and invoice systems,” the Inspector General noted in the public synopsis.
A scammer convincingly mimicked a city vendor, intercepting payment communications and bypassing payment controls. What failed first: digital verification or human judgment? This incident highlights gaps in how supplier authentication is handled.
This is also why attackers are turning to human error: AI-based detection tools now track and block technical threats rapidly, so people in the approval chain are the softer target. Human error opened the door, but the absence of enforced verification policies let the scam succeed.
Attackers exploit the same trust-based workflows, such as CRM systems and unverified phone calls, to extract funds without breaching a firewall.
Farmers Insurance experienced a third-party breach via Salesforce, exposing customer records. Likewise, Marks & Spencer suffered a supplier ransomware attack, wiping £750 million off its market value.
In both cases, threat actors targeted the vendor ecosystems. Several major data breaches now stem from vendor or third-party compromises, costing millions.
Digital ecosystems are growing rapidly. City agencies and global enterprises alike rely on Workday, Salesforce, and Oracle, yet attackers succeed through the same mechanism.
The OIG found that three AP employees approved the banking change requests without contacting the real vendor. The fake check was submitted and accepted without challenge.
The OIG also noted that the city failed to speak directly with law enforcement agencies after learning of the fraud. “The investigation revealed a lack of internal policies and procedures in AP regarding supplier verification. The OIG determined that the internal controls established as a result of former OIG investigations were not being utilized at the time of these incidents,” the Inspector General wrote.
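The failures the OIG describes (a request from a non-corporate address in a real vendor's name, a bank account change, and approvals given without a callback to the vendor of record) map onto a small screening rule that AP could run before any banking change takes effect. The following is an added illustration, not code from the city, Workday, or the OIG report; the vendor names, domains, and account fingerprints are constructed.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical model of a supplier bank-change review. Not Workday's API.

@dataclass
class VendorOfRecord:
    name: str
    email_domain: str         # corporate domain captured at onboarding
    bank_fingerprint: str     # opaque token for the account/routing on file

@dataclass
class BankChangeRequest:
    vendor_name: str
    requester_email: str      # address the change form was submitted from
    new_bank_fingerprint: str
    callback_verified: bool   # AP phoned the vendor's number on file, not the form's
    approvers: list[str] = field(default_factory=list)

def screen_bank_change(vor: VendorOfRecord, req: BankChangeRequest,
                       min_approvers: int = 2) -> tuple[str, list[str]]:
    """Return ("approve" | "hold", reasons). Any reason places the change on hold."""
    reasons: list[str] = []
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain != vor.email_domain.lower():
        reasons.append(f"requester domain {domain} is not the vendor domain on file ({vor.email_domain})")
    if req.new_bank_fingerprint != vor.bank_fingerprint:
        # Bank details are changing: approvals alone are not enough; an out-of-band
        # callback to the number already on file is required before staff sign-off counts.
        if not req.callback_verified:
            reasons.append("bank account change lacks a callback to the number on file")
        if len(set(req.approvers)) < min_approvers:
            reasons.append(f"fewer than {min_approvers} distinct approvers")
    return ("hold" if reasons else "approve", reasons)

# Constructed samples: SUSPECT mirrors the pattern in the OIG findings (real vendor name,
# non-corporate email, new bank account, three approvals but no callback); LEGIT is a
# properly verified change from the vendor's own domain.
VENDOR = VendorOfRecord("Acme Services", "acme-services.example", "bank-on-file-001")
SUSPECT = BankChangeRequest("Acme Services", "acme.billing@freemail.example",
                            "bank-new-999", False, ["ap1", "ap2", "ap3"])
LEGIT = BankChangeRequest("Acme Services", "ar@acme-services.example",
                          "bank-new-999", True, ["ap1", "ap2"])

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("legit", LEGIT)):
        decision, reasons = screen_bank_change(VENDOR, req)
        print(label, decision, reasons)
```

Note that the suspect request is held on two independent grounds, so the number of approvers never compensates for a missing callback or a domain that does not match the vendor on file.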
A similar vendor-linked incident involving Air France and KLM revealed that attackers accessed customer service data through a third-party CRM provider, highlighting how external access points continue to expose sensitive systems.