Threats Without Borders - Issue 250
Cybercrime Investigation Newsletter, week ending August 31, 2025
Between February and March 2025, someone managed to trick Baltimore City into sending $1.5 million in payments to the wrong bank account. The scammer pulled off a classic "business email compromise" - essentially pretending to be someone they weren't to redirect money meant for a legitimate city vendor.
The fraudster diverted two electronic fund transfer payments totaling over $1.5 million. $721,236 was later recovered, but Baltimore is still out the remaining $803,384, which it has filed an insurance claim to try to recover.
In December 2024, the criminal submitted a fake "supplier contact form" to gain access to a legitimate vendor's account in Workday, Baltimore's payment system. They pretended to be an employee of the vendor company, using that person's real name but a fake email address.
On December 11, 2024, a Baltimore accounts payable employee reviewed the fake form and approved it without double-checking. The employee added the fraudster to the vendor's account, giving them access to change important financial information.
Once inside the system, the fraudster worked for months to change where the vendor's payments would go. They submitted fake documents, including a fraudulent voided check, to redirect payments from the real vendor's bank account to their own account at a different bank.
By February 2025, the fraudster had successfully changed the vendor's banking information in the city's system. When Baltimore made its regular payments to the vendor - two payments totaling over $1.5 million - the money went straight to the criminal's account instead.
The Baltimore Inspector General's investigation found several warning signs that city employees overlooked:
The fraudster used a personal email address instead of the vendor company's official email
Some of the vendor information provided by the fraudster was actually incorrect
The real employee being impersonated had no role in the company's finances
No one called the vendor to confirm the identity of the person requesting account changes
Unfortunately, Baltimore has encountered similar BEC attacks before. The Inspector General's report references incidents in 2020 and 2022, indicating ongoing difficulties with such scams. The city has also endured major cyber attacks, notably a severe ransomware incident in 2019 that significantly disrupted city services.
The investigation revealed several critical problems with Baltimore's payment processes:
No Verification Requirements: City employees weren't required to call vendors to confirm identity changes or account modifications.
Missing Documentation: The city failed to maintain lists of authorized signers for vendor accounts, rendering it impossible to verify who was permitted to make changes.
Weak Policies: The accounts payable department's policies didn't clearly explain how to verify account changes, leaving employees to figure it out on their own.
Poor Communication: When the fraud was discovered, it took six days for the Inspector General's office to be notified, and even longer to properly contact law enforcement.
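As an added illustration (not code from the Inspector General's report or from Baltimore's systems), here is how the warning signs and missing controls above could be encoded as a gate that every vendor-account change request must pass before it takes effect: the requester must write from the vendor's domain of record, must appear on a maintained list of authorized signers, and any bank-account change requires a documented callback to a phone number already on file, made by someone other than the approving employee. The vendor record, the names, the domains and both sample requests are constructed for the example.

```python
"""Vendor master-data change gate (added illustration, not city code).

Checks a request to modify a vendor's payment details against the
controls the report found missing: an authorized-signer list per vendor,
a requester-domain check, and a second-person callback to the phone
number on file before any bank-account change is accepted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class VendorRecord:
    name: str
    email_domain: str            # vendor's official domain of record
    authorized_signers: Set[str]  # people permitted to change the account
    phone_on_file: str            # callback number; never the one in the request


@dataclass
class ChangeRequest:
    vendor: str
    requester_name: str
    requester_email: str
    changes_bank_account: bool
    callback_completed: bool       # a second employee called phone_on_file
    callback_by: Optional[str] = None


# Common free-mail providers; a request from one of these is the
# "personal email address" red flag from the report.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def review_change(req: ChangeRequest, vendor: VendorRecord, reviewer: str) -> List[str]:
    """Return control failures for the request; empty list means it may proceed."""
    findings: List[str] = []

    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain != vendor.email_domain.lower():
        kind = "personal" if domain in PERSONAL_DOMAINS else "non-vendor"
        findings.append(
            f"requester email is from a {kind} domain ({domain}), not {vendor.email_domain}"
        )

    if req.requester_name not in vendor.authorized_signers:
        findings.append(f"{req.requester_name} is not an authorized signer for {vendor.name}")

    if req.changes_bank_account:
        if not req.callback_completed:
            findings.append("bank-account change without callback to the phone number on file")
        elif req.callback_by == reviewer:
            findings.append("callback must be made by someone other than the approving reviewer")

    return findings


# Constructed vendor record (placeholder name and domain).
ACME = VendorRecord(
    name="Acme Paving Co",
    email_domain="acmepaving.example",
    authorized_signers={"Jane Doe"},
    phone_on_file="+1-555-0100",
)

# Constructed request mirroring the pattern described: a real employee's
# name with no finance role, a personal mailbox, and no callback.
FRAUD_REQUEST = ChangeRequest(
    vendor="Acme Paving Co",
    requester_name="Pat Smith",
    requester_email="pat.smith.acme@gmail.com",
    changes_bank_account=True,
    callback_completed=False,
)

# Constructed request that satisfies every control.
LEGIT_REQUEST = ChangeRequest(
    vendor="Acme Paving Co",
    requester_name="Jane Doe",
    requester_email="jane.doe@acmepaving.example",
    changes_bank_account=True,
    callback_completed=True,
    callback_by="ap.supervisor",
)

if __name__ == "__main__":
    for label, req in (("fraudulent", FRAUD_REQUEST), ("legitimate", LEGIT_REQUEST)):
        problems = review_change(req, ACME, reviewer="ap.clerk")
        print(f"{label}: {'APPROVE' if not problems else 'HOLD'}")
        for p in problems:
            print("  -", p)
```

The gate is deliberately boring: it does not try to detect fraud, it refuses to act on a payment-detail change until the three pieces of evidence the report asked for exist, and it records which control was missing so the hold can be audited later.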
This week, Baltimore's Inspector General issued a report recommending enhanced internal controls to prevent future fraud. However, the report highlights that the city has not yet implemented the proposed controls from past incidents.
Preventing these attacks is not difficult, and people need to be held accountable for failing to implement the controls.
Read the full report: https://htv-prod-media.s3.amazonaws.com/files/25-0028-i-f-68af5e21ab0d8.pdf
Asking for a friend, of course…
A reader inquired of 'The Moneyist', advice columnist Quentin Fottrell, whether the IRS would permit a $60,000 write-off if the funds were lost to a romance scam. They claimed to be asking for a 'friend.' To their credit, the writer acknowledged that the money transfers were voluntary, and the bank was not at fault.
The bank did try to stop them from executing the transfers, but this person believed it was true love. There is no recourse against the bank, as the wire transfers were willingly executed.
Well, can you get a tax write-off for being scammed?
Waiting by the phone
The Pennsylvania Attorney General acknowledged the office is suffering from a ransomware attack. I’ve long offered to come work cybercrime investigations for the office (joking, not joking), but it seems like they are more in need of my cybersecurity awareness training, and maybe a review of their network.
AG Sunday, your people can contact my people.
The News…
Anthropic, the developer of the Claude chatbot, has introduced a major policy change on user data management. From now on, users are automatically enrolled in data training for their chatbot interactions unless they choose to opt-out by September 28th. This update impacts all users across Claude's Free, Pro, and Max plans, and will extend data retention from the usual 30 days to as long as five years. The move has sparked notable cybersecurity concerns, given the increased data storage duration and the higher risk of data breaches. https://www.perplexity.ai/page/anthropic-reverses-privacy-sta-xH4KWU9nS3KH4Aj9F12dvQ
A former U.S. Postal Service inspector has been arrested and charged with wire fraud, mail fraud, and money laundering, among other charges. He is accused of stealing nearly $340,000 in cash from the mail to cover personal expenses such as pool upgrades, travel, and escorts. The man allegedly exploited his position to intercept packages and steal cash from victims, as well as misappropriated access to an evidence vault and locker to take money. https://www.wcvb.com/article/ex-usps-inspector-theft-massachusetts-scott-kelley/65935019
Microsoft is monitoring Storm-0501, a financially motivated threat actor that has been evolving its tactics toward cloud-based ransomware. The group compromises on-premises systems, seizes control via Active Directory, and then pivots to Microsoft Entra ID to escalate privileges and access cloud identities. They exploit cloud-native features to quickly exfiltrate data, delete backups, and demand ransoms without traditional malware. The group is skilled in moving seamlessly between on-premises and cloud environments, adapting to hybrid cloud setups, and avoiding detection by targeting unmanaged devices and security vulnerabilities. https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/
This shouldn’t turn out badly, right? Across the country, 911 emergency call centers are so understaffed that they are turning to AI to help ease the workload. https://techcrunch.com/2025/08/27/911-centers-are-so-understaffed-theyre-turning-to-ai-to-answer-calls/
Hackers are targeting American industrial and tech firms by using fake "Contact Us" forms on company websites to deliver malware disguised as non-disclosure agreement files. The attackers maintain a long-term conversation with victims, posing as potential business partners, before sending a contract in a ZIP archive hosted on Heroku, which contains custom malware dubbed MixShell. https://research.checkpoint.com/2025/zipline-phishing-campaign/
A cyber incident detected on August 12 compromised data managed by the Lycoming County (Pennsylvania) Department of Public Safety, including driver’s license numbers. The county did not release specific details about the attack. Again, someone in Lycoming County can call me for user awareness training. https://www.pennlive.com/news/2025/08/cyber-incident-impacts-data-held-by-public-safety-department-in-pa-county.html
The FBI and Dutch Police shut down VerifTools, a marketplace for fraudulent identity documents, seizing servers in Amsterdam. The site facilitated the purchase of fake documents used in various fraudulent activities. The FBI bought counterfeit New Mexico driver’s licenses from the VerifTools marketplace using cryptocurrency, which ultimately helped them identify $6.4 million in illegal proceeds. https://www.justice.gov/usao-nm/pr/us-government-seizes-online-marketplaces-selling-fraudulent-identity-documents-used
Excellent threat intelligence here - Social engineering attacks are increasingly exploiting Microsoft Teams through direct messages or calls to impersonate trusted contacts and deliver malicious payloads. Threat actors often pose as IT support within Teams, using familiar display names and emojis to gain trust. This article examines a campaign where Teams is used to spread a PowerShell-based payload, offering indicators of compromise for detection and response. https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery
Great, another year of free credit monitoring. TransUnion, one of the credit reporting agencies, experienced a data breach that exposed the personal information of more than 4.4 million people in the United States. The breach, identified on July 30, 2025, was traced to a compromised Salesforce account. https://www.bleepingcomputer.com/news/security/transunion-suffers-data-breach-impacting-over-44-million-people/
Feedback
Feedback on last week’s Extra:
I appreciate your effort but holy hell just give me the link. - Jim
Matt, try this: “Hey ChatGPT, summarize this PDF into the main points.” - AF
Dennis came in late with a response to the home title fraud series:
Hey Matt, I’m following up on the Home Title Theft question. I’ve only dealt with 2 cases in the past 5 years, but I think it’s more prevalent back East. It doesn’t seem to be as hard as you would think since much of the process can be done online. In both cases the property was vacant. David Fleck and others have been putting out some good information on the topic in the Mortgage Fraud Taskforce.
IAFCI members can access the Mortgage Fraud Taskforce conversations at https://iafci.mobilize.io/main/groups/39586/lounge
Send feedback to matt [@] threatswithoutborders.com
Cool Job
Senior Special Investigator - Panda. https://olivia.paradox.ai/co/PandaRestaurantGroup2/Job?job_id=P1-2095718-1
Financial Crimes Crypto Risk Manager - Fifth Third Bank. https://fifththird.wd5.myworkdayjobs.com/en-US/53careers/job/Charlotte-NC/Financial-Crimes-Crypto-Risk-Manager_R60771
Cool Tool
The Python tool “Tookie-Osint” discovers usernames across websites with an 80% success rate. https://github.com/Alfredredbird/tookie-osint
Skip the damn chatbot, get a human on the phone. https://gethuman.com/
Irrelevant
A beautiful river and sometimes, trains. Live. https://www.srbc.gov/susquehanna-rivercam-live.html
Sign Off
Issue 250. Yep, I’ve published a newsletter every Tuesday for 250 straight weeks. I may not write the best newsletter on the Substack network, but I’m certainly one of the most consistent. Yet, they still won’t promote me. Alas, I appreciate every one of you who show up every week! Especially those who share the newsletter with friends and colleagues.
See you next Tuesday.
Matt
“WORK HARD TODAY SO YOU CAN BE LAZY TOMORROW.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.