Baltimore’s Department of Finance fell for one of the oldest tricks in the book of internet fraud: falsified bank details on an emailed invoice that was then processed for payment.
By blindly accepting an altered electronic funds transfer form, the city was drained of $62,377.50 by a scammer who channeled the money to a personal bank account, then pocketed the cash from an ATM machine.
The scheme lasted for two months in 2019 until the Finance Department acknowledged that the vendor due the money hadn’t received it, a report issued by Inspector General Isabel Mercedes Cumming notes.
It took another year to unravel the scheme and identify the culprit.
That person was not named in yesterday’s report, but has been identified by The Brew after a review of Baltimore District Court warrants.
The records show that an arrest warrant was issued against Funmilayo Fatimat Akinsola, 29, for multiple counts of forgery and theft by the State of Maryland on August 6, 2020.
A former resident of Greenbelt, Md., Akinsola now reportedly lives in Texas, where she has avoided extradition to Maryland because her alleged crimes do not rise to the level of a felony that requires the arrest and return of a fugitive.
The scam began in April 2019 when a clerk at the Bureau of Accounting & Payroll Services (BAPS) received an electronic request to reroute payments due to a longstanding vendor to a new Wells Fargo bank account.
The clerk made the changes in the CityDynamics Billing platform, including adding the scammer’s name as the “point of contact,” without any review or confirmation from the vendor that the request was legitimate.
“At the time of the change, the audit function in Dynamics was not active,” Cumming said, leaving it unclear who made the changes and what they were.
When the real vendor complained it wasn’t getting paid, the system showed the funds were being transferred, and BAPS counseled patience.
Meanwhile, two payments, totaling over $62,000, were made to the fraudulent Wells Fargo account, which were quickly withdrawn by the robber.
After the OIG was called in to investigate, weeks passed before the employee who changed the payment forms was identified. “Everyone was pointing fingers,” a source in city government said.
There was no evidence that the employee (since terminated) was aware of the fraud or was a participant, the report says. Nor did Akinsola ever work for the city or the vendor.
Instead, the scammer simply seized upon the weak controls of Baltimore’s electronic payment system.
In response to Cumming’s findings, Finance Director Henry Raymond said his department has stepped up supervisory reviews and sign-offs of vendor payments.
But he warned that the payment system is still vulnerable because its audit feature cannot be activated without the risk of a system crash.
“We are keenly aware of the system limitations to date and acknowledge we won’t be able to provide complete assurance until the new Workday system is in place next year.”
“Until the new system implementation occurs,” Raymond continued, “BAPS will employ a manual, periodic audit/review process by running a monthly report of any system changes to vendor account data.”
A deputy bureau chief will be responsible for double checking the data to guard against future fraud, he said.
In the case of this heist, the vendor was eventually paid, Cumming said, and the full amount of the stolen funds was covered by insurance.