It Happened Two Hours Away — And It Could Happen to You

On February 11, 2026, officials in Carolina Beach, North Carolina announced that hackers stole nearly $488,000 from the town in two separate cyberattacks that occurred in December 2025. The FBI is involved, the investigation has international scope, and the town’s cyber insurance will only cover $25,000 of the loss.

This isn’t a story from some faraway place. Carolina Beach is a two-hour drive from our office. The attackers who targeted them are the same threat actors targeting small businesses and municipalities across North Carolina — including right here in Clayton and the surrounding area.

Let’s break down what happened, what likely went wrong from an IT security perspective, and most importantly, what you can do to make sure your business doesn’t become the next headline.

What We Know About the Carolina Beach Cyberattack

Here’s what town officials and news reports have confirmed:

The damage: Hackers stole exactly $487,994.80 from the Town of Carolina Beach across two separate attacks in December 2025.

The investigation: The Carolina Beach Police Department worked with the FBI to investigate. They determined the attacks are connected to an ongoing federal investigation in another state and are international in scope — meaning this wasn’t some amateur hacker in a basement. This was organized cybercrime.

The painful irony: Before the attacks occurred, the North Carolina National Guard had already conducted a cybersecurity vulnerability review of the town’s systems amid a surge in attacks on government agencies. They knew they had vulnerabilities. They still got hit.

The insurance gap: The town carries both crime insurance and cyber insurance. Combined coverage? Only $25,000. That leaves a gap of over $463,000 that taxpayers may have to absorb.

The response: The Town Council has since adopted new security policies based on recommendations to reduce the risk of future attacks. They’re also working with their IT provider, law enforcement, and cybersecurity experts to improve protections going forward.

What Likely Happened: An IT Security Perspective

While officials haven’t disclosed the exact attack method, the details paint a clear picture. Two separate attacks, both resulting in stolen funds (not ransomware or data theft), with FBI involvement and international scope — this has all the hallmarks of Business Email Compromise (BEC) or vendor payment fraud.

Here’s how these attacks typically work:

Scenario 1: Business Email Compromise

Attackers gain access to email accounts — either the victim’s or a trusted vendor’s. They monitor communications to understand payment schedules and relationships. Then, at the perfect moment, they send an email that appears to come from a legitimate source requesting a wire transfer or payment change. The email looks real because it is coming from a real account. By the time anyone realizes what happened, the money is gone — usually to overseas accounts that can’t be recovered.

Scenario 2: Vendor Impersonation

Attackers research the organization’s vendors (often using publicly available information like budget documents and meeting minutes). They create convincing fake invoices or send emails claiming the vendor’s banking information has changed. The victim pays the invoice, but the money goes to the attacker instead of the real vendor.

Scenario 3: Credential Theft Leading to Direct Access

A phishing email tricks an employee into entering their credentials on a fake login page. With those credentials, attackers access financial systems directly and initiate wire transfers themselves.

The fact that there were two separate attacks in the same month suggests the attackers either found multiple vulnerabilities or the first attack wasn’t detected quickly enough to prevent the second.

Why Small Businesses and Municipalities Are Prime Targets

You might think cybercriminals only go after big corporations with deep pockets. The reality is exactly the opposite. Small businesses, local governments, and municipalities are preferred targets because:

Limited IT resources: Most small organizations don’t have dedicated cybersecurity staff. They rely on general IT support that may not specialize in threat detection or incident response.

Publicly available information: Government budgets, vendor contracts, and staff directories are often public record. Attackers use this information to craft convincing fraud attempts.

Pressure to pay quickly: Small organizations often process payments quickly to maintain vendor relationships, leaving less time to verify unusual requests.

Outdated systems: Budget constraints mean older software, unpatched systems, and legacy equipment that’s easier to exploit.

Lack of verification procedures: Without formal processes for verifying payment changes or large transfers, a single compromised email can lead to massive losses.

The Insurance Wake-Up Call

One of the most sobering details from the Carolina Beach incident is the insurance coverage. The town had both crime insurance and cyber insurance — and the combined coverage was only $25,000 against a loss of nearly $488,000.

This is unfortunately common. Many cyber insurance policies have:

• Low coverage limits that don’t reflect actual potential losses
• Exclusions for certain types of attacks (especially social engineering fraud)
• Requirements for specific security controls that, if not implemented, void coverage
• Waiting periods before coverage kicks in

If you have cyber insurance, when was the last time you actually read the policy? Do you know what’s covered and what isn’t? Do you meet all the security requirements the policy mandates?

Lessons for Small Businesses

The Carolina Beach attack offers several critical lessons for every small business owner in Clayton, Smithfield, Selma, and throughout the triangle:

1. Assessments Without Action Are Worthless

The National Guard reviewed Carolina Beach’s cybersecurity vulnerabilities before the attack. But a review only identifies problems — it doesn’t fix them. If you’ve had a security assessment done but haven’t implemented the recommendations, you’re not protected. You just have a document that proves you knew about the risks.

2. Email Security Is Non-Negotiable

The vast majority of cyberattacks start with email. Implementing proper email security isn’t optional anymore — it’s essential:

• Enable multi-factor authentication (MFA) on all email accounts
• Use email filtering that detects phishing and impersonation attempts
• Implement DMARC, DKIM, and SPF records to prevent email spoofing
• Train employees to recognize suspicious messages

3. Payment Verification Procedures Save Money

Every business should have written procedures for verifying payment requests, especially:

• Any request to change vendor banking information
• Wire transfers over a certain threshold
• Urgent or unusual payment requests
• Requests that bypass normal approval processes

The verification should happen through a separate channel — if you receive an email requesting a payment change, call the vendor at a number you already have on file (not one from the email) to confirm.

4. Your Insurance May Not Save You

Review your cyber insurance policy carefully. Understand your coverage limits, exclusions, and requirements. Consider whether your current coverage reflects your actual risk. A $25,000 policy against potential six-figure losses isn’t really protection — it’s a false sense of security.

5. Detection Speed Matters

Two attacks in one month suggests the first attack wasn’t detected quickly enough. The faster you identify a breach, the faster you can contain it and prevent additional damage. This requires:

• Active monitoring of financial transactions
• Alerts for unusual account activity
• Regular review of email rules and forwarding settings
• Employee training to report suspicious activity immediately

What You Can Do Right Now

Don’t wait until you’re the next headline. Here are immediate steps every Johnston County business can take:

This week:

• Enable multi-factor authentication on all email and financial accounts
• Review who has access to initiate payments or transfers
• Verify your cyber insurance coverage and exclusions

This month:

• Implement written procedures for verifying payment changes
• Conduct phishing awareness training for all employees
• Review your email security settings and filtering rules

This quarter:

• Get a professional security assessment — and actually implement the findings
• Test your incident response: do you know who to call if something happens?
• Review vendor access and third-party connections to your systems

Don’t Become the Next Statistic

The FBI reported $16.6 billion in cybercrime losses in 2024, with business email compromise alone accounting for $2.7 billion. Attacks on small businesses and local governments continue to surge. The criminals who hit Carolina Beach are still out there, and they’re looking for their next target.

The question isn’t whether your business will be targeted — it’s whether you’ll be ready when it happens.

Get a Free Security Assessment

At Pendergrass Consulting, we help Johnston County businesses identify vulnerabilities before attackers do. Our security assessments evaluate your email security, payment procedures, access controls, and overall cyber hygiene — and we provide clear, actionable recommendations you can actually implement.

Don’t wait until you’re explaining a six-figure loss to your accountant, your insurance company, and your customers. Contact us today for a free initial consultation and find out where your business stands.

Pendergrass Consulting provides IT security and computer support services to businesses throughout the triangle and the county.