According to news reports, the town of Surfside Beach may be one of the latest victims of a business email compromise-type fraud attack. Unfortunately, early reports suggest that the town may have lost over half a million dollars to scammers. South Carolina’s State Law Enforcement Division is actively investigating this incident, so the information we have is limited and unproven, but if true this amount would represent a loss of funds equal to approximately 2.6% of the town’s 2025-2026 budget.
Wildcat Construction was engaged by the town to do some work on its public utilities, and one of its bills, in the amount of $545,598.30, was due for payment. On March 13, 2026, the town indicates it initiated an ACH payment to what they thought was an account belonging to Wildcat, but Wildcat says that it has no such account and that it had requested payment by check. The town released a public statement in which it acknowledged it had “identified a potential cybersecurity incident involving its email environment,” and reported the incident to law enforcement. Details about what exactly may have happened internally at the town level are pretty scant. While SLED is investigating, Wildcat maintains that it has not received the funds, and that it is still entitled to be paid. It is easy to imagine how a scammer might have sent a “spoofed” email to a Town employee, pretending to be an accounts receivable clerk for Wildcat, with a fake set of payment instructions for the Wildcat invoice. The same type of “spoof” attack happens all too often in real estate deals where the closing attorney is gathering invoices and payment instructions. If the Town employee failed to properly verify those payment instructions, then just like the danger of wire fraud in a real estate transaction, the funds could have been sent to a fraudster instead of the correct party.
Data published by the FBI’s Internet Crime Complaint Center, which tracks and reports cyber-crime involving US interests, indicates that both the number of cyber-crimes against, and the amount of property lost by, Americans continues to skyrocket. The IC3 reports that in 2025, it received a total 1,008,597 of cyber-crime complaints for all types of cyber-crime, and it tracked over $20.8 Billion in total losses related to cyber-crimes. The clear indication here is that cyber-criminals are increasing their attacks on our businesses, and are succeeding in stealing more of our money.
This incident is yet another example highlighting the importance of verifying payment instructions with a known, trusted contact. That includes not only the routing/account numbers, but also the form of payment. In this example, Wildcat says it told Surfside they wanted a check, but the payment was made via ACH to an account that Wildcat says it did not provide to the Town.
While the “worst case scenario” impact on Surfside Beach, even if these funds are permanently lost, looks like it would be below 3% of the town’s overall annual budget, the risk to South Carolina lawyers of wire fraud and business email compromise is potentially much more dire. For a small or solo real estate-focused law firm whose annual fee revenues might be closer to the $1,000,000.00-mark, loss of funds for a mortgage payoff could be much higher as a percentage of the firm’s budget. If we assume that a typical mortgage payoff for a SC home might be around $250,000.00, then it’s easy to see how that amount, when targeted by fraudsters, could be a devastating loss for a small firm. And, while this particular example was not a real estate law firm, it demonstrates that the fraudsters are out there actively targeting anyone they think they can, and that no one is immune to their attacks.
Stay vigilant out there, folks!
Let's Talk Dirt 