Carteret County Cyberattack Roundup — What’s Hitting ENC Businesses in 2026

This is the first annual edition of what we’re seeing in the field — not a compilation of national cybersecurity reports or industry statistics, but a practitioner’s view of the threats that are actually reaching Eastern NC businesses through the calls, service requests, and incident responses we handle across Carteret, Craven, and Onslow counties.

The national cybersecurity conversation tends to focus on large enterprises, government agencies, and critical infrastructure. The conversation that matters to a five-person business in Morehead City is different. The attacks targeting small businesses in ENC are not sophisticated, zero-day exploits. They’re bulk campaigns using known techniques against targets that are less likely to have defenses in place. And they work, regularly, because the defenses don’t have to be sophisticated either — they just have to exist.

Here’s what’s active in 2026 and what we’re seeing locally.

Phishing — Still the Most Productive Attack Vector

Phishing is not new, and it’s not going away. It remains the single most successful method for compromising a small business, and the emails have gotten better. The obvious red flags — broken English, Nigerian prince narratives, generic greetings — have been replaced by messages that look like they came from a known vendor, a real colleague, or a legitimate service provider.

What the emails actually look like now:

The most common pattern we’re seeing targets ENC businesses with emails impersonating service providers the business actually uses. An email that appears to come from an accounting software provider asking the recipient to “verify their subscription” before it expires. The link goes to a credential-harvesting page that looks identical to the real login. The business owner enters their username and password. The attacker now has valid credentials to the accounting system.

Another active pattern: emails impersonating the business’s own bank, requesting “urgent verification” of a recent ACH transfer. The urgency language is calibrated — “respond within 24 hours to avoid account suspension.” The link leads to a fake banking portal. Credentials are captured.

The common thread: urgency, impersonation of a known entity, and a link to a convincing but fraudulent page. For a detailed breakdown of what these emails actually look like right now, see our guide to phishing emails targeting ENC businesses.

Business Email Compromise — The $10,000 Problem

Business email compromise (BEC) is the pattern we’re most concerned about for ENC small businesses because it’s the one that produces direct financial loss.

The setup: an attacker gains access to a business email account — usually through a phishing credential capture — and monitors the email traffic. They watch for invoices, payment instructions, and vendor relationships. Then they act.

In one version, they send an email from the compromised account to the business’s customers, informing them of “updated bank account information” for future payments. The email comes from a legitimate address, references real invoice numbers, and looks exactly like a normal business communication. Payments get directed to the attacker’s account.

In another version, they watch for an incoming invoice from a vendor and intercept it, modifying the payment details before forwarding it to the accounts payable person. The AP person processes the payment thinking they’re paying the vendor. They’re paying the attacker.

The losses from BEC are typically in the $5,000 to $50,000 range for small businesses. Recovery is difficult because the payments are usually wired to accounts that are emptied quickly. We’ve seen this pattern active in ENC this year, targeting businesses in New Bern and across the region that had email accounts compromised through the phishing patterns described above.

Ransomware Targeting Accessible Remote Desktop

Remote Desktop Protocol (RDP) is a Windows feature that allows remote access to a computer. When a computer has RDP enabled and the port is accessible from the public internet — which happens more often than most business owners realize — it becomes a target.

Attackers scan the internet for open RDP ports, attempt to log in using known default credentials or brute-force password attempts, and when they get in, deploy ransomware. The attack doesn’t require a phishing email, doesn’t require the user to click anything, and doesn’t require any action from the business owner. The computer was simply reachable and insufficiently secured.

We see this in ENC specifically because many small businesses have RDP enabled on at least one machine — either intentionally, for remote access during storms or after-hours emergencies, or unintentionally, because it was enabled during setup and never turned off. In most cases, the business owner doesn’t know the port is open.

Checking for open RDP ports is a five-minute diagnostic. Closing them or restricting access to authorized connections takes another ten minutes. This is one of the highest-impact, lowest-effort security improvements available. For a first-hand account of what ransomware recovery costs when no backup exists, see our Carteret County case study.

Social Engineering Targeting Businesses with High Turnover

The hospitality and seasonal retail sectors in ENC have inherently high staff turnover — as do contractor and service businesses in Havelock, Jacksonville, and Midway Park, where military and defense contractor rotations create frequent employee transitions. New employees, seasonal hires, temporary workers — people who are less familiar with the business’s communication patterns and more likely to follow instructions from someone they believe to be a manager or owner.

The attack pattern: a new employee receives a text or email that appears to come from the business owner, asking them to purchase gift cards and send the codes. Or they receive a call from someone claiming to be IT support, asking for their login credentials to “fix a problem” with their account. The new employee, eager to be responsive and not yet calibrated to the business’s normal communication patterns, complies.

We see this pattern spike during the summer hiring season and again during holiday retail hiring. The defense is awareness — a one-meeting orientation that covers: we will never ask you to buy gift cards, we will never ask for your password over the phone, and if something feels wrong, verify in person before acting.

Five Things Any ENC Business Can Do This Week

These are the most impactful defensive steps, ranked by the severity of the threat they address. Every one of them can be done today.

1. Enable two-factor authentication on email. This is the single highest-impact step. If your email is compromised and you have 2FA enabled, the attacker can’t log in even with your password. Enable it on every email account in the business — Microsoft 365, Google Workspace, whatever you use. It takes five minutes per account.

2. Check for open RDP ports. Ask your IT provider to scan for open RDP ports on your network. If any are found, close them or restrict access to VPN-only connections. If you don’t have an IT provider, search “is my RDP port open” — there are free online tools that check.

3. Change default passwords. POS admin passwords, router admin passwords, remote access tool credentials. If anything in your business is still using the password it was set up with, change it today.

4. Brief your staff — especially new hires. One meeting, ten minutes. Three rules: verify before acting on anything urgent involving money or credentials, never share passwords over phone or email, and report anything that feels wrong. This is the only defense against social engineering.

5. Verify your backup. Not “do I have a backup” — “is it running, when did it last complete, and have I ever tested a restore?” If you can’t answer those questions, find out today. The backup is what separates a ransomware event from being a bad week versus a business-ending one.

If you’d like us to look at your business’s exposure to the threats described here — RDP port check, email 2FA status, POS security posture — that’s part of what we do during an IT consultation. We can cover it in a single visit and come back with a prioritized list of what to address and what to leave alone. We’re at 252-777-2488. The cost of that conversation is a small fraction of what any one of the incidents above costs. More at /services/business-technology-consultation.