Trendz³ Newsletter: Pine Bluff's $3.2 Million Cybersecurity Lessons

Trendz³: The Free IT & Tech Newsletter Designed Just for Small Businesses of Northwest Arkansas

Note: This is a web version of our newsletter. You can subscribe here for free.

May 2026

Hi Friend,

Maybe you heard? News broke just last week that hackers scammed the Pine Bluff School District in southeastern Arkansas out of a gut-wrenching $3.2 million. When a cyberattack of this magnitude occurs so close to home (as it does more frequently than we realize), it behooves us to take stock and learn lessons.

So, let's do something a little different in this edition of the newsletter: two of the three trends shared below were directly inspired by the Pine Bluff cyber incident — with sobering ramifications for every Natural State organization of every size.

Stay vigilant. Million-dollar cyberattacks are happening right next door.

Sincerely,

Rob Brothers
Founding Partner
TekTrendz

Trend¹ — Construction is a frequent target of cyberattacks — and it matters to your organization

As this TekTrendz article explains, the devastating $3.2 million cyberattack on Pine Bluff Schools worked by manipulating the district's dealings with a construction firm. And this is not uncommon; construction firms and their clients have become preferred targets of cybercriminals. Read why here.

Just look at the PBSD. The district is currently in the process of constructing a new $74 million high school. Consequently, when office staff received an invoice from one of their construction partners for $3.2 million, they...simply...paid it.

Only, the money didn't go to the construction firm. It went to hackers (see below).

Most organizations, at one time or another, work with construction firms or other companies in — let's call them — high-value, large-invoice industries. And so it's crucial for every organization, regardless of industry or size, to understand this:

Where there are big-money invoices, there are opportunistic cybercriminals.

What happened in Pine Bluff tragically underscores this. Some recommendations...

• Put strict protocols in place when dealing with construction partners or companies in other high-value industries. For example, require verbal confirmation of any payment instructions sent by email/message.
• Train staff to be skeptical and vigilant when paying any invoice. No matter how authentic the invoice looks, no matter what company's name or logo is on the invoice, start by assuming the invoice is a scam.

This second recommendation leads to another lesson from Pine Bluff...

Trend² — Legit emails and invoices sent by legit companies can still contain scams...

There's a dangerous misconception that email fraud requires a hacker to send you an email — an email of their own marking. In reality, however, the most sophisticated attacks don't involve an email sent by a stranger. Instead, they piggy-back on emails or other messages sent by employees, suppliers, and the like.

Get this: The Pine Bluff School District (see above) received a real email/invoice from a real construction firm doing real work for them. It was all very real. Only, the hackers — who infiltrated the PBSD via an employee's compromised email account — added fraudulent wire transfer instructions to an otherwise real invoice.

It's called a Business Email Compromise or Vendor Email Compromise — and it has become a real racket. According to the FBI, there were 24,768 BEC complaints filed in 2025 resulting in losses of over $3 billion. A BEC might work like this: 

• Hackers gain system access through a compromised email account

• Once in the system, bad actors often just... wait. They watch and observe billing cycles and email conversations — ready to pounce

• When an otherwise authentic invoice hits the inbox, hackers use mailbox-forwarding rules to hide the real message and finally...

• Alter and "re-send" the invoice with fraudulent wire transfer instructions

It's all terribly sophisticated. So, here are some tips for protecting your business:

• Go ahead and assume from the start that even legitimate emails and invoices from actual employees/partners can contain fraudulent details

• Recommit to basic cybersecurity safeguards like these — because everything that transpired for the PBSD likely started with a simple and preventable phishing scheme through a single employee's email account

• Establish careful procedures for handling invoices: never change payment processes based on an email; don't use contact info in an email (hackers may have changed it); require dual approval for invoice payments; etc.

Most importantly, question everything in your inbox — even if it looks real. Looks have never been more deceiving than they are in the AI age.

Trend³ — This has quickly become a necessity for every organization in the AI Age...

As soon as someone says the word "policy," we tune out. Yeah, I know, yawn.

But organizations of every size, whether for-profit or non-profit, can no longer afford to ignore an increasingly crucial asset and ally in the age of AI assistants: the AI usage policy. As powerful as it is, AI isn't without risks to your business and customers. And, we need a policy to mitigate those risks.

TekTrendz has an AI policy — and every employee has read and signed it. It's just one way we protect you. For instance, our policy states that we will never upload client information — your information — to an AI assistant.

Think of an AI policy as a plan used by organizations to set clear boundaries on how employees select and interact with AI tools. It protects customers, employees, partners, and — of course — the business itself by answering questions like:

• Which AI tools and tasks are approved?

• What data can be shared with AI assistants?

• What role does human oversight play?

• What do we do when violations occur?

• When must we disclose AI usage?

Read, signed, and observed by all employees — from top to bottom.

No need to complicate it; perfection is the enemy of progress.

As always, we're standing by if TekTrendz can help. 

Google Interactive Quiz: Can You (and Your Team) Spot When You're Being Phished?

Well, this is timely. Considering the $3.2 scam on the PBSD probably started with a simple phishing scheme, now's the time to hone our phish-spotting skills.

Let Google walk you and your team through several email scenarios. Is it phishing? Or is it real?

It may feel like a game, but — I assure you — the stakes couldn't be higher.

Take Google's Interactive Phishing Quiz

Google Donates $1 Million to UALR to Create Statewide Cybersecurity Center

Mo' money; mo' cybersecurity resources.

Last month, Google donated $1 million to the University of Arkansas at Little Rock to develop a statewide cybersecurity center to train students and, ultimately, connect the state's businesses and organizations with more cybersecurity resources.

The center is expected to train more than 500 students over the next six years.

Read More From the NWA Democrat Gazette

Articles We're Reading...

Here's four articles we've read recently with important implications for small business — and their technology, productivity, and/or cybersecurity.

• Pine Bluff School District scammed out of more than $3.2 million after cybersecurity hack

• Claude-powered AI coding agent deletes entire company database in 9 seconds, backups zapped

• Fox Business: Officials warn of banking spoof callers draining customers' accounts

• Some Arkansas schools affected by cyberattack on 'Canvas' platform; down for hours during exam week

Whatcha' Waitin' For? Subscribe to Trendz³ Today 

Trendz³ is a free, monthly email newsletter from TekTrendz, created exclusively for small businesses of Northwest Arkansas. Once a month, the Trendz³ newsletter will provide you with a quick rundown of the three most pressing trends in technology, cybersecurity, and IT — that you really need to know. We'll also share helpful resources and news along the way.

It's the IT newsletter designed for you. Click below to sign up today. It's free.