Two-thirds of South Carolina’s largest business enterprises leave their computer systems vulnerable to common email scams — a hole that’s helping to enable a cybercrime spree that the FBI says cost state residents $264 million last year, according to a new report.
Released June 8 by the Colorado-based cybersecurity firm Red Sift, the report found that only 35% of the 100 large S.C. ventures that it examined have fully implemented a security measure known as DMARC — an internet safeguard that prevents fraudulent emails bearing their company’s address from being delivered.
Put simply, DMARC helps ensure that any email you receive from, say, charlestoncitypaper.com, actually came from charlestoncitypaper.com — and not from a cybercriminal who faked the address.
In Red Sift’s data, Georgia and Tennessee were tied for first place in the Southeast for DMARC compliance at 45%, with Mississippi and S.C. bringing up the rear.
A Red Sift spokesperson declined to share the names of S.C. entities that haven’t fully adopted the DMARC standard, but offered a partial list including Boeing South Carolina, the S.C. Ports Authority and several major banks and universities.
“These days, most of the ways we work, bank and shop rely on trustworthy email,” Red Sift Vice President Brian Westnedge told the Charleston City Paper. “And when those trustworthy email communications break down, there are real consequences in terms of email phishing, fraud, ransomware and wire transfer attacks.”
What’s worse, Westnedge noted, those types of scams have only grown more sophisticated in the age of artificial intelligence.
“These aren’t the obvious Nigerian scams of yesteryear,” he said. “And because they’re now often crafted with AI, even a non-native speaker can make something that looks very convincing.”
‘A constant threat’
The “real consequences” Westnedge alluded to were quantified in an April 2026 report from the FBI’s Internet Crime Complaint Center, which found that S.C. ranked 21st in the country for cybercrimes in 2025, with annual losses rising from $146 million to $264 million over the past year.
While the vast majority of those crimes receive little public notice, several high-profile cases have made headlines across the Palmetto State in recent months.
In March of this year, the town of Surfside Beach sent $545,000 to a cyberscammer posing as a contractor in an email scam. The S.C. Law Enforcement Division (SLED) is investigating.
In January 2026, Laurens County paid $1.6 million to cybercriminals in an email-based fake invoice scam. The county has filed a lawsuit in an attempt to gather information to identify the fraudsters.
In separate October 2025 incidents, Jasper County and York County officials warned residents of email phishing scams involving fake county bills and fees.
And in January 2025, a federal grand jury in Columbia indicted 12 people in a $25 million business email compromise scheme that authorities said targeted both companies and individuals.
“Cybercrime isn’t just a growing threat — it’s a constant one,” said Kevin Moore, special agent in charge of the FBI’s Columbia Field Office, in a release. “As the FBI works tirelessly to dismantle these criminal networks, we call on the public to do their part by adopting strenuous cyber hygiene practices and remaining vigilant in every online transaction.”
While law enforcement officials haven’t publicly connected those incidents to any one company’s email security settings, experts say they show how quickly email scams can turn into major public losses — and why basic security protections matter.
What businesses and individuals can do
For businesses and other enterprises, fully implementing DMARC is a three-step process that moves from gathering data on fraudulent emails, to quarantining suspicious messages, and finally, to telling recipients to automatically reject emails that can’t be authenticated as coming from their systems.
According to Red Sift, the good news for S.C. is that most of its largest organizations have at least started the process, with only 11% having not at least taken the first step.
Lou Vega, a Charleston-based senior security engineer with VDA Labs, explained why companies are often cautious about taking the final step.
“Protection is obviously critically important, but blindly implementing the DMARC standard could lead to legitimate email being rejected,” Vega said. “That’s the concern.”
As for the rest of us, Vega’s advice boils down to two simple security habits anyone can practice: patience and common sense.
In short, don’t rush to click the link in an urgent-sounding email from what appears to be a company with which you do business. Instead, go to the official company website or call a verified phone number to check if the message is real. And never forget that if it sounds too good, or too complicated, to be true, it almost certainly is.
“Just slow down, take a moment, and think about the email that’s demanding your attention,” Vega said. “And when you see them trying to explain all sorts of complicated steps involving money orders and things, just run away.”
Related
Click Here For The Original Source.
