Westminster, South Carolina: Small City Hit by Cyber Attack Refuses to Disclose Amount Stolen

A Business Email Compromise attack likely behind financial losses as municipal cybersecurity crisis deepens nationwide

The City of Westminster, South Carolina discovered on Wednesday, December 11, 2025, that portions of its information technology systems had been compromised in a cyber attack that resulted in the theft of public funds. While city officials confirmed the financial loss, they have refused to disclose the exact amount stolen, citing the ongoing investigation.

The Westminster Police Department was immediately notified and requested assistance from both the South Carolina Law Enforcement Division (SLED) and the Federal Bureau of Investigation (FBI). According to city officials, measures have since been implemented to protect against future attacks, and at this time, they believe no utility customer data, financial information from online payment portals, city personnel records, or other personal data was compromised.

Despite the loss of public funds, Westminster officials assured residents and contractors that all payments to staff, vendors, and creditors would continue as scheduled. Public safety and utility operations remain minimally impacted by the incident.

The Silent Theft: Business Email Compromise Suspected

While Westminster officials haven't disclosed specifics about the attack methodology, the characteristics strongly suggest a Business Email Compromise (BEC) attack—the most financially destructive form of cybercrime currently targeting municipalities across the United States.

BEC attacks accounted for 73% of all reported cyber incidents in 2024, according to the FBI's Internet Crime Complaint Center, with cumulative losses exceeding $55 billion over the past decade. Unlike ransomware attacks that lock systems and demand payment for restoration, BEC schemes are more insidious—they exploit trust and manipulate legitimate payment processes to redirect funds to attacker-controlled accounts.

In South Carolina specifically, business email compromises resulted in losses of $40.8 million in 2024, up from $30.6 million in 2023—making it the top cyber crime by financial loss in the state.

How BEC Attacks Target Municipalities

BEC attacks against local governments typically follow a familiar pattern:

1. Reconnaissance Phase: Attackers study the municipality's payment processes, vendor relationships, and staff hierarchy through public records, social media, and potentially compromised email accounts.
2. Social Engineering: The attackers craft convincing fraudulent emails that appear to come from legitimate sources—either by spoofing email addresses or compromising actual accounts through phishing.
3. Payment Diversion: At a strategic moment (often during busy periods or when key personnel are traveling), attackers send requests to change banking details for upcoming payments or urgent wire transfers.
4. Execution: Without adequate verification processes, finance staff redirect legitimate payments to attacker-controlled accounts.

According to Massachusetts municipal cybersecurity briefings, common BEC attacks against municipalities include procurement fraud, vendor payment manipulation, and payroll diversion schemes. In June 2024, the Town of Arlington, Massachusetts lost nearly half a million dollars when scammers hijacked a construction invoice thread and redirected four payments. In Australia, a New South Wales government department wired AU $2.1 million to criminals posing as a trusted vendor.

The average financial loss per successful BEC wire fraud reaches $286,000, according to incident response data—though some attacks have netted significantly more.

The Transparency Void: Why Won't Westminster Disclose the Amount?

Westminster's refusal to disclose the amount stolen is not unusual but raises important questions about public transparency during cybersecurity incidents. Law enforcement typically advises against releasing specific details during active investigations to avoid compromising their ability to track and potentially recover stolen funds.

However, this creates a transparency dilemma. Citizens have a right to know how their tax dollars are being managed, particularly when public funds are stolen. The lack of disclosure can fuel speculation and undermine public trust—the very outcome BEC attacks aim to achieve beyond just financial theft.

Historical precedent suggests the amount could range anywhere from tens of thousands to several million dollars. Without additional context about Westminster's annual budget, vendor payment volume, or the specific departments affected, accurate estimation is impossible.

South Carolina's Growing Cyber Threat Landscape

Westminster's attack is part of a broader pattern of cyber incidents targeting South Carolina municipalities and organizations:

Recent South Carolina Cyber Incidents:

• Summerville (July 2024): Ransomware attack on town systems serving 50,000 residents; officials initially claimed no data compromise, though investigations continued
• SRP Federal Credit Union (September-November 2024): 240,000+ people affected by data breach exposing names, Social Security numbers, driver's licenses, and financial information
• School District Five of Lexington and Richland Counties (2024-2025): Data breach causing staff pay delays and system disruptions
• Greenville Water (July 2025): "International cyberattack" disrupted online payment systems for nearly 500,000 residents

South Carolina residents reported $146 million in losses to cybercrime in 2024—a $27 million increase from 2023—ranking the state 22nd nationally for reported internet crimes. People over 60 suffered the most severe financial losses at $58.5 million.

The state has struggled with cybersecurity for over a decade. In 2012, the South Carolina Department of Revenue suffered one of the largest data breaches in U.S. history when hackers stole 3.6 million Social Security numbers and nearly 400,000 credit and debit card numbers. That investigation remains technically open more than 10 years later, with questions still lingering about whether the state paid ransom to the attackers.

The National Municipal Cybersecurity Crisis

Westminster joins hundreds of U.S. municipalities that have fallen victim to cyberattacks in recent years. The challenge is particularly acute for small and mid-sized cities that often lack dedicated cybersecurity staff, sophisticated security infrastructure, and the budget to implement comprehensive defenses.

According to the National Cyber Director's May 2024 report on U.S. cybersecurity posture, "ransomware groups have built a business model around targeting schools, hospitals, small businesses, and many others ill-equipped to defend themselves."

Notable 2024 Municipal Cyber Attacks Nationwide:

• Columbus, Ohio: Widespread service disruptions requiring government office closures
• Jefferson County, Kentucky: Cybersecurity incident disabled multiple county services
• London Borough Councils (Westminster, Kensington & Chelsea, Hammersmith & Fulham, UK): Shared IT system breach affecting all three councils, with sensitive personal data stolen (November 2024)

The problem extends beyond just technical vulnerabilities. Many successful BEC attacks exploit human psychology rather than software flaws—they work because they manipulate trust, urgency, and authority in ways that technical controls cannot prevent.

Why BEC Attacks Are Particularly Effective Against Government

Municipal governments present attractive targets for BEC attacks for several reasons:

1. Complex Payment Ecosystems: Cities manage payments to hundreds of vendors, contractors, consultants, and service providers, creating numerous opportunities for payment diversion.

2. Limited Cybersecurity Resources: Small cities often lack dedicated IT security staff or have small teams managing complex infrastructure across multiple departments.

3. High Staff Turnover: Municipal finance departments often experience turnover that creates knowledge gaps about proper verification procedures.

4. Reliance on Email for Business Processes: Despite known vulnerabilities, email remains the primary communication tool for vendor management and payment authorization.

5. Public Information Availability: Organizational charts, staff directories, and budget documents are often publicly available, giving attackers detailed reconnaissance data.

6. Time Pressure During Budget Cycles: Attackers often strike during fiscal year-end, audit periods, or major project deadlines when finance staff are overwhelmed and more likely to expedite payments without full verification.

The Evolution of BEC: AI Makes Attacks Harder to Detect

The sophistication of BEC attacks has increased dramatically with the advent of AI-powered tools. In 2024, approximately 40% of BEC attacks now use AI-generated content, which makes fraudulent emails virtually indistinguishable from legitimate correspondence.

Early BEC attempts were often easy to identify due to poor grammar, obvious spoofing, and unsophisticated social engineering. Modern attacks demonstrate remarkable sophistication:

• Perfect grammar and natural language
• Accurate replication of communication styles and organizational tone
• Knowledge of internal projects, vendor relationships, and payment timing
• Subtle urgency without obvious red flags
• Clean formatting with no technical indicators like suspicious links or attachments

As one cybersecurity expert noted, many successful BEC attacks are "well written, cleanly formatted, and devoid of technical red flags—no links, no attachments, no misspellings."

Defense Strategies for Municipalities

Protecting against BEC attacks requires a multi-layered approach that emphasizes process over technology:

Essential BEC Defenses:

1. Multi-Factor Verification for Payment Changes: Require phone verification (using independently verified phone numbers, not those in emails) for any changes to vendor banking information.
2. Separation of Duties: No single employee should be able to both approve and execute wire transfers or ACH payments.
3. Out-of-Band Verification: Confirm all unusual payment requests through a separate communication channel (phone call to a known number, in-person verification, etc.).
4. Regular Security Awareness Training: Staff need training to recognize social engineering tactics, not just technical threats. This must be ongoing, not annual.
5. Email Authentication Protocols: Implement DMARC, SPF, and DKIM email authentication to make spoofing more difficult.
6. AI-Powered Anomaly Detection: Modern email security solutions use machine learning to detect unusual communication patterns that may indicate compromise.
7. Vendor Verification Procedures: Establish standardized protocols for onboarding new vendors and updating existing vendor information.
8. Financial Controls: Implement dollar thresholds requiring additional approval layers for large or unusual transactions.

The South Carolina Critical Infrastructure Cybersecurity Task Force, which includes SLED Computer Crimes, the FBI, and the South Carolina National Guard, provides resources to municipalities—though participation is voluntary, and many smaller cities remain unprotected.

The Recovery Challenge: Getting Funds Back

Once funds are transferred to attacker-controlled accounts, recovery becomes extremely difficult. BEC attackers typically move money quickly through multiple jurisdictions and convert funds to cryptocurrency or other hard-to-trace assets.

FBI IC3 data shows that international banks in the United Kingdom, Hong Kong, China, Mexico, and the UAE often act as intermediary stops for stolen funds. The speed of discovery and reporting is critical—victims who report incidents within 24-48 hours have a higher chance of recovery through bank intervention.

Westminster officials' statement that payments to contractors and staff will continue suggests either:

• The amount stolen was relatively small compared to overall city reserves
• The city has contingency funds or insurance to cover the loss
• The city is absorbing the loss without immediately impacting operations

Without disclosure of the amount, it's impossible to assess the true financial impact on Westminster's budget and taxpayers.

Policy Implications: The Need for Federal Support

The Westminster incident underscores the need for comprehensive federal support for municipal cybersecurity. Small cities face sophisticated, often international criminal organizations with resources that dwarf local IT budgets.

Current gaps include:

• Funding: Many municipalities cannot afford modern security infrastructure or dedicated security personnel
• Expertise: Cybersecurity expertise is scarce and expensive, pricing it out of reach for smaller cities
• Coordination: Lack of standardized incident reporting makes it difficult to track trends and develop defensive strategies
• Recovery Support: Limited resources exist to help municipalities recover stolen funds or rebuild after attacks

Some states have begun addressing these challenges. South Carolina's Critical Infrastructure Cybersecurity Task Force provides a model, though it requires broader participation and more resources to be truly effective.

Lessons for Other Municipalities

Westminster's experience offers several critical lessons for municipal leaders nationwide:

1. Assume You're a Target: Every municipality, regardless of size, is vulnerable. Attackers specifically target smaller organizations with limited defenses.

2. Human Element is Critical: Technical controls alone cannot prevent BEC. Staff training, verification procedures, and organizational culture are equally important.

3. Transparency Matters: While protecting investigation details is important, maintaining public trust through transparent communication about incidents and remediation is essential.

4. Insurance Isn't Enough: Cyber insurance is increasingly common, but it doesn't prevent attacks or address all losses. Prevention must be the priority.

5. Collaboration is Essential: Sharing threat intelligence and incident details with other municipalities (while protecting sensitive investigation data) helps everyone improve defenses.

Conclusion: A Wake-Up Call for Small City America

The Westminster cyber attack represents a microcosm of a national crisis: sophisticated cybercriminals systematically targeting under-resourced municipalities with devastating effectiveness. While Westminster officials work with state and federal investigators to determine the full scope of their losses, hundreds of other cities face similar threats every day.

The city's refusal to disclose the amount stolen, while potentially tactically sound from an investigation standpoint, highlights the tension between operational security and public accountability that defines municipal cybersecurity incidents.

As Business Email Compromise attacks continue to evolve—becoming more sophisticated, more targeted, and increasingly difficult to detect—small cities like Westminster must recognize that they are on the front lines of a cyber war they didn't ask to fight but cannot afford to lose.

The question is no longer whether small municipalities will be targeted, but whether they'll be prepared when the attack comes. For Westminster, that answer came too late. For hundreds of other cities, the clock is ticking.

Sources: FBI IC3 Reports, South Carolina Law Enforcement Division, FOX Carolina, State Scoop, Proofpoint, Palo Alto Networks, Arctic Wolf Threat Intelligence, Verizon Data Breach Investigation Report 2024, and various cybersecurity research organizations.

Note: This article is based on publicly available information. The exact amount stolen by attackers in the Westminster incident remains undisclosed by city officials as of December 23, 2025.