The City of Baltimore reports that a scammer successfully spoofed a vendor and persuaded staff to change banking details inside a financial system. Two large payments were routed to the impostor. The city recovered one of them, but more than a million dollars was lost before the scheme was discovered. This incident reinforces a familiar pattern in public sector risk. Process gaps, social engineering, and insufficient technical guardrails often converge. The result is financial loss and a hit to public trust.
This post explains how the scam worked, why municipalities remain attractive targets, and how to combine stronger business processes with prevention-first cybersecurity. It also maps those lessons to practical steps and highlights how PC Matic helps local governments reduce risk in the real world.
What Happened, A Quick Walkthrough
Based on the city’s own description, a fraudster impersonated a legitimate company employee, submitted a supplier contact form, and gained access tied to a vendor profile in Workday. The request used a non-company email and spoofed identity. Multiple requests were made to change linked bank accounts. Two staff members approved changes. Accounts payable then sent two large payments to the wrong destination. A bank later flagged suspicious activity, which led to discovery. The city has since said it will tighten verification procedures, restrict permissions, and expand training to spot social engineering.
The mechanics are straightforward. A convincing sender, a plausible business request, and a rushed environment. That is the modern recipe for vendor fraud. The fix is not one thing. It is stronger verification in finance, tighter access controls in the system of record, and cyber controls that reduce the attacker’s room to maneuver.
Why Local Governments Are High-Value Targets
Municipalities manage payrolls, procure critical goods and services, and maintain essential systems. Budgets are public, processes are predictable, and staff often juggle high volumes with limited time. Attackers exploit that reality. They either redirect money through vendor spoofing and business email compromise, or they disrupt services to create leverage for extortion.
The takeaway is simple. Cities and counties must assume adversaries are probing both financial processes and IT systems. Controls must reinforce each other. Verification procedures reduce the chance of a bad change request. Cyber controls reduce the blast radius if an attacker gains any foothold.
The Weak Links, Where Scammers Win
Vendor fraud that changes banking details usually cracks three layers at once.
1 – Human Verification
If a request uses a new email, an unexpected contact, or a hurried tone, a direct confirmation using a known phone number should be mandatory. When that callback does not happen, attackers win.
2 – System Permissions
If anyone can submit a sensitive change and two colleagues can approve it without additional checks, the process is fragile. Restricted roles, least privilege, and dual control for banking updates are essential.
3 – Endpoint and Identity Hygiene
Many vendor fraud schemes begin with a phish. One clicked link can harvest credentials. If malware or unauthorized remote tools can run freely on endpoints, adversaries can plant persistence, bypass multi-factor prompts, or stage automated change requests behind the scenes.
Baltimore’s new commitments after the incident point in the right direction. Cross-verification for bank changes, restricted roles for sensitive updates, and training for staff who handle vendor data are foundational steps that other cities can mirror.
How PC Matic Protects Local Government
PC Matic offers a streamlined, effective allowlisting solution built specifically to meet the needs of organizations with limited cybersecurity staff and high operational risk—including municipal and county governments.
Key Benefits for Local Agencies:
- Default-Deny Allowlisting Model: Only trusted applications are allowed to run, effectively stopping ransomware and unauthorized tools before they execute.
- Centralized Management Console: Cloud-based control allows IT teams to manage allowlists across distributed departments and remote users with minimal overhead.
- Automated Policy Generation: PC Matic simplifies allowlisting by analyzing known-good applications, reducing the manual effort typically associated with policy creation.
- Support for Legacy Systems: Designed to run on Windows 7 and later, making it compatible with older systems still common in public infrastructure.
- Low Resource Footprint: Lightweight agent works alongside existing AV or EDR tools without slowing down endpoints.
- Compliance Alignment: Helps meet requirements in CISA’s Cybersecurity Performance Goals, NIST 800-171/53, and CJIS policies.
PC Matic is made in the USA and used by public sector organizations across the country to block unknown threats, simplify endpoint control, and support Zero Trust initiatives—even without a large SOC team.
The Takeaway for Local Governments
The Baltimore case is another reminder that financial controls and IT security must work together. Policies alone are not enough. Without modern defenses and consistent enforcement, local governments will remain vulnerable to costly fraud and cyberattacks.
PC Matic delivers solutions designed to fill these gaps, helping cities, counties, and agencies protect taxpayer dollars and maintain trust in public institutions.
