A South Carolina county just became the latest cautionary tale in America’s escalating business email compromise epidemic. Laurens County, population roughly 67,000, wired $1,558,288.09 to cyber criminals who spent weeks impersonating one of the county’s own contractors — and the most alarming part is not the dollar amount. It is how ordinary, preventable, and repeatable the attack was.

A lawsuit filed last week on behalf of the county reveals the full mechanics of the fraud: criminals began posing as the contractor on or around December 15, 2025, sent fraudulent electronic funds transfer instructions via email, and watched as county officials dutifully processed four separate payments into a Wells Fargo account the criminals controlled. The payments ran from December 29 through January 13, 2026. The identities of the perpetrators remain unknown. The county is now seeking emergency court relief to trace and recover the funds.

For compliance professionals in local government and public finance, this incident is not a surprise. It is a pattern — one that has played out in county governments, school districts, and municipal agencies across the country with near-identical mechanics and similarly devastating results.

What Happened in Laurens County

The attack followed the classic business email compromise playbook targeting government accounts payable processes:

Phase 1 — Reconnaissance: Criminals identified that Laurens County had an active contractor relationship and learned enough about the relationship — project names, contact names, payment schedules — to send convincing impersonation emails.

Phase 2 — Impersonation: Beginning around December 15, the criminals began communicating with county officials while posing as the legitimate contractor, establishing credibility before making the critical request.

Phase 3 — Fraudulent payment instructions: Criminals sent electronic funds transfer instructions directing the county to route payments to a Wells Fargo account under their control, framed as a routine banking change.

Phase 4 — Collection: County officials processed four payments totaling $1,558,288.09:

DateAmount
December 29, 2025$122,278.76
January 12, 2026$14,647.00
January 13, 2026$611,585.82
January 13, 2026$809,776.51

The fraud was eventually discovered, the county took what it describes as “immediate action” to recall the transfers, and law enforcement was notified. Laurens County Council has since authorized its County Attorney to work with law enforcement and insurance carriers to pursue recovery.

The criminals are still unknown.

This Is Not an Isolated Incident

The Laurens County attack joins a growing ledger of near-identical cases against public sector entities. The scale and frequency of these attacks should dispel any remaining notion that they represent sophisticated, targeted operations. They are industrialized fraud, and local governments are among the preferred targets precisely because their financial controls often lag behind the private sector.

Cabarrus County, North Carolina: Scammers posed as contractor Branch and Associates on a high school construction project, diverting $2.5 million. The county recovered approximately $770,000 — roughly 31 cents on the dollar.

Town of Arlington, Massachusetts: Fraudsters impersonated a vendor on a high school construction project and redirected $445,945 over four monthly payments. The town recovered $3,308 — less than one percent.

Johnson County Schools, Tennessee: Criminals posing as curriculum vendor Pearson successfully redirected $3.36 million in two wire transfers. Recovery reached $742,000 after sustained law enforcement effort.

The construction and infrastructure sector appears repeatedly in these cases — not coincidentally. Large construction contracts involve irregular, large payments that are normal for the relationship, making fraudulent invoices harder to flag. Payment amounts vary significantly from project to project. And the payment change request (“we’ve switched banks — please update your records”) is a routine administrative event that finance staff process without suspicion.

The FBI’s Internet Crime Complaint Center reported approximately $2.77 billion in BEC losses in 2024 alone — the second-largest category of cybercrime losses behind investment fraud. That figure captures only reported incidents; the actual number is substantially higher.

The Compliance Failures That Made This Possible

Every BEC attack against a government entity involves at least one of the same underlying control failures. The Laurens County incident, based on available information, likely involved several:

1. No Out-of-Band Verification for Vendor Payment Changes

This is the single most important control that would have prevented this attack. When a vendor requests a change to banking or payment information, the verification call must happen through an independently obtained phone number — not a number provided in the email requesting the change, and not a number in the email signature of the suspicious message.

The Government Finance Officers Association (GFOA) is explicit on this point: organizations must verify vendor payment changes by calling the vendor using previously known contact information. The verification must be out-of-band — meaning it must occur through a channel completely separate from the email that initiated the change request.

If a Laurens County employee had called the actual contractor using a number from a prior invoice or the county’s vendor master file, the fraud would have ended before the first payment was processed.

2. No Multi-Level Approval for Payment Instruction Changes

Standard financial controls require that changes to vendor payment information receive supervisory review and approval before being entered into payment systems. In most government settings, this means the change form requires a manager’s sign-off and, for significant vendors, a second independent verification.

The four payments in this case — ranging from $14,647 to $809,776 — should each have triggered review thresholds. The January 13 payment of $809,776 alone represents a substantial public expenditure that should have required multiple approvals under any reasonable internal control framework.

3. Inadequate Email Authentication Infrastructure

BEC attacks succeed partly because email spoofing remains trivially easy for many organizations. Three email authentication standards exist precisely to prevent impersonation:

  • SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email from a domain
  • DKIM (DomainKeys Identified Mail): Cryptographically signs emails to verify they haven’t been tampered with
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving mail servers what to do when SPF and DKIM checks fail — and critically, provides reporting so organizations can see impersonation attempts

CIS Control 9 (Email and Web Browser Protections) requires all three. CISA has repeatedly identified DMARC enforcement at “reject” policy as a foundational email security control. Yet a significant number of county and municipal government domains either lack DMARC entirely or have it set to “none” — meaning it monitors but takes no protective action.

A contractor impersonation attack often involves either spoofing the contractor’s domain (sending from a lookalike address) or compromising the contractor’s actual email account. Proper DMARC implementation on both the county’s domain and the contractor’s domain would significantly complicate either approach.

4. No Vendor Banking Change Policies in Writing

GFOA recommends that organizations maintain explicit, written procedures for how vendor payment information changes are processed, who is authorized to request them, how they must be submitted, and what verification steps are required before any change takes effect. These procedures should be communicated to vendors so they know what to expect — and so that any attempt to deviate from normal procedure raises an immediate flag.

When these procedures exist only as informal practice rather than documented policy, they erode over time, are not consistently applied, and provide no accountability trail when things go wrong.

5. No Financial Controls Training Specific to BEC

CISA and FBI guidance both identify accounts payable staff, finance directors, and anyone with authority to change vendor payment information as high-risk targets requiring specific, recurring training on BEC tactics. Generic cybersecurity awareness training is insufficient. Staff must be trained to recognize the specific social engineering patterns used in vendor impersonation attacks — including the “we’ve updated our banking information” email, the urgent payment request, and the follow-up pressure call.

The Recovery Problem

The county’s lawsuit seeks expedited discovery and emergency relief to trace the flow of funds. This is the right response — but the statistics are sobering.

The FBI’s Recovery Asset Team achieved a 71% rate of freezing fraudulent transfers in 2023. However, freezing funds is not the same as recovering them. Once money has moved through a domestic bank into an overseas account, or been converted to cryptocurrency, practical recovery becomes extremely difficult regardless of legal action.

The recovery data from comparable cases tells the story:

  • Arlington, Massachusetts: 0.7% recovered
  • Cabarrus County: 31% recovered
  • Johnson County Schools: 22% recovered

The window for successful intervention is narrow. FBI guidance emphasizes that reports within 24 hours of transfer authorization offer the best recovery odds. Reports within 72 hours still offer meaningful prospects. Beyond that, recovery depends heavily on how quickly the receiving bank moved the funds and whether international transfers are involved.

Laurens County’s lawsuit indicates “immediate action” was taken after the fraud was discovered — but the gap between the first payment on December 29 and whatever triggered discovery is unknown. The January 13 payments, representing $1.42 million of the total loss, suggest the fraud ran for at least two weeks before detection.

The Insurance Problem

Counties and municipalities often assume their cyber insurance or crime insurance will cover BEC losses. This assumption is frequently wrong, and the Laurens County council’s decision to work with “insurance carriers” suggests this issue is already in play.

BEC losses occupy an uncomfortable middle ground in insurance coverage. Standard cyber policies are designed for system compromises — ransomware, data breaches, network intrusions. BEC attacks typically do not involve unauthorized system access; an authorized employee willingly processes the payment. Many insurers exploit this distinction to deny coverage under cyber policies.

Crime policies and commercial crime coverage may apply — but many contain “authorized transfer” exclusions that deny coverage when an authorized employee made the transfer, even if fraudulently induced. Social engineering fraud endorsements, which many insurers now offer as separate coverage, often come with sublimits far below actual BEC losses and may require proof that specific verification procedures were followed as a condition of coverage.

The practical lesson: organizations that have not specifically reviewed their policies for BEC coverage, and confirmed that required verification procedures are both documented and followed, may discover at the worst possible moment that they are uninsured for exactly this type of loss.

What the Regulatory Framework Requires

Local governments in South Carolina operate under the State Fiscal Accountability Authority (SFAA) and are subject to state auditing standards for county financial officers. While South Carolina does not currently have a prescriptive cybersecurity mandate specifically for county governments comparable to what financial institutions face under the FTC Safeguards Rule, the applicable frameworks are clear.

NIST Cybersecurity Framework 2.0 — adopted as a best-practice standard by CISA for state and local governments receiving federal grants and programs — addresses BEC prevention across multiple functions:

  • Govern: Establish organizational cybersecurity policies including vendor payment change procedures
  • Protect: Implement email authentication (SPF/DKIM/DMARC), access controls, and security awareness training
  • Detect: Monitor for anomalous payment activity and email impersonation attempts
  • Respond: Maintain documented incident response procedures including immediate escalation for suspected BEC

CIS Controls v8 provides more prescriptive guidance. Control 9 (Email and Web Browser Protections) specifically addresses the email authentication stack required to prevent impersonation. Control 6 (Access Control Management) addresses segregation of duties in payment processing. Control 14 (Security Awareness and Skills Training) addresses the human factor that BEC exploits.

Neither framework is legally mandatory for South Carolina counties. Both would have materially reduced the likelihood of this attack succeeding.

A Checklist for Local Government Finance Departments

The Laurens County incident provides a precise map of what to fix. Every county, municipality, and school district finance department should verify the following:

Vendor Payment Change Controls

  • Written policy exists for how vendor banking changes are processed
  • Policy requires out-of-band verification via independently sourced phone number
  • Policy prohibits verifying changes through contact information provided in the change request
  • Changes require supervisory approval before entry into payment systems
  • All vendor changes are logged with verification documentation

Payment Authorization Controls

  • Payment thresholds exist that trigger additional approval requirements
  • Segregation of duties separates who can change vendor info from who can authorize payments
  • New or recently changed vendor banking information is flagged in payment systems

Email Security

  • SPF records are configured and valid for all county email domains
  • DKIM is enabled on outbound email
  • DMARC is configured at minimum “quarantine” policy, ideally “reject”
  • Staff are trained to check sender email addresses carefully, especially for payment-related communications

Training

  • Finance and accounts payable staff receive annual BEC-specific training
  • Training covers the vendor banking change scam specifically
  • Staff know the escalation procedure if a suspicious payment change request is received

Insurance Review

  • Cyber and crime policies have been reviewed specifically for BEC/social engineering coverage
  • Social engineering fraud endorsement is in place if not covered under primary policy
  • Coverage sublimits are adequate relative to typical payment amounts
  • Policy conditions (verification procedures) are documented and followed

Incident Response

  • Incident response plan includes a BEC/wire fraud scenario
  • Finance staff know to immediately contact the sending bank’s fraud line if a suspicious transfer is discovered
  • FBI IC3 reporting process is known and accessible
  • 24-hour escalation path is established for suspected BEC

The Broader Pattern: Government as Preferred Target

Local governments face a structural disadvantage in defending against BEC. Finance staff are typically small teams handling large payment volumes. Procurement and construction contracts — exactly the type targeted in the Laurens County case — involve irregular large payments that are difficult to benchmark against a “normal” pattern. Staff turnover means institutional knowledge of vendor relationships degrades over time. And unlike large corporations, counties rarely have dedicated security operations centers monitoring for anomalous payment activity.

Criminals are acutely aware of these vulnerabilities. The 360% increase in phishing attacks against state and local government entities reported between 2023 and 2024 reflects deliberate targeting, not coincidence. South Carolina’s FBI field office has reported $40.8 million in BEC losses statewide — a figure that almost certainly understates actual losses given significant underreporting.

The Laurens County case will eventually become a footnote in the IC3’s annual statistics. For the county’s residents and taxpayers, it is a $1.558 million lesson in what happens when internal financial controls do not keep pace with the sophistication of the threats targeting them.

Conclusion: Prevention Is the Only Realistic Strategy

The research on BEC recovery is unambiguous: prevention is the only reliable strategy. Once funds have been transferred, particularly once they have moved through the initial receiving account, recovery is uncertain at best and often negligible.

The controls that would have prevented the Laurens County fraud are not novel, expensive, or technically complex. Out-of-band vendor verification costs nothing but a phone call. DMARC implementation is a one-time configuration task. A written policy requiring dual approval for vendor banking changes is an afternoon of documentation work.

What these controls require is organizational attention — and leadership that treats financial cybersecurity as a core operational function rather than an IT department concern. BEC attacks succeed not because they defeat sophisticated security systems, but because they exploit the gap between how county finance departments are told to operate and how they actually operate on any given Tuesday afternoon when someone receives a routine-looking email about updated banking information.

Laurens County is working with law enforcement and its insurance carriers. Some portion of $1.558 million may eventually be recovered. The criminals remain unknown. And somewhere in another county finance office, another routine-looking email about updated payment instructions just arrived in someone’s inbox.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel and cybersecurity professionals regarding their specific compliance obligations.