A sophisticated scammer exploited vulnerabilities within
’s Department of Accounts Payable (AP) to steal more than $1.5 million, marking the third such incident in the city since 2019. By posing as a legitimate vendor, the fraudster manipulated city staff into redirecting two large payments—totaling $1,524,621.04—into a fraudulent bank account. This incident serves as a stark reminder of the financial risks posed by weak internal controls and a failure to implement robust fraud prevention protocols.
The scheme began in December 2024 when the fraudster, using a spoofed email, gained access to the vendor’s Workday account. Posing as an employee of the vendor, the scammer submitted a fraudulent supplier form to the city’s AP department. An AP employee, without proper verification, approved the form despite having incorrect details. This initial breach set the stage for the rest of the scam. Over the next month, the fraudster repeatedly attempted to change the vendor’s bank details, even submitting a fake voided check in a persistent effort to reroute payments…