BY MICHAEL WAYNE, FULTON MAY SOLUTIONS
In my role focusing on risk mitigation and continuity, I often tell construction leaders: “Your biggest vulnerability isn’t the fence around the site; it’s the inbox in the trailer.”
The construction industry has become a high-value target for cybercriminals, not by random chance, but through strategic analysis. We operate in an industry defined by massive payments, frequent invoicing, and a complex web of subcontractors. Attackers know that a single project involves millions of dollars flowing between clients, general contractors, and trades.
This environment makes construction the perfect target for Business Email Compromise (BEC).
The “Silent” Attack on Your Bottom Line
BEC is dangerously effective because it isn’t a technical “smash-and-grab”; it is a confidence game. Criminals impersonate trusted figures—such as a CEO, a project manager, or a known vendor—to trick your staff into redirecting a legitimate payment to a fraudulent account.
The scale of this threat is massive. The FBI has labeled BEC a multi-billion dollar global scam, and the numbers are climbing. In Australia alone, scammers stole over $152.6 million via BEC attacks in 2024, a staggering 66% increase from the previous year.
How the Scam Unfolds: Anatomy of a Hijack
What makes these attacks so hard to spot is the level of preparation involved. Attackers don’t just guess; they research.
- Surveillance: They study your company hierarchy and business relationships to mimic your internal tone and formatting.
- The Spoof: They use sophisticated malware to access legitimate accounts or create “spoofed” addresses that look nearly identical (e.g., J.Smith@constroction.com) to deceive recipients.
- The Interception: Once inside, they monitor email threads for keywords like “invoice” or “payment.” At the perfect moment, they intercept a legitimate payment discussion and inject a fraudulent invoice with their bank details.
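The lookalike address and the payment keywords described above are also what a defender can screen for before an invoice reaches accounts payable. The following is an added example, not code from the article or from Fulton May Solutions: it compares an inbound sender's domain against a constructed allowlist of on-file vendor domains using edit distance, and escalates to a "stop and verify" hold when a near-miss domain also talks about money. The vendor domains and keyword list are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed allowlist: domains of vendors already on file in accounts payable.
# The names are hypothetical and not taken from the article.
TRUSTED_VENDOR_DOMAINS = {"construction.com", "acme-plumbing.com", "northridgesteel.com"}

# Terms the article says attackers watch for; here they raise a lookalike hit to a hold.
PAYMENT_KEYWORDS = ("invoice", "payment", "bank details", "account number", "wire")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: value such as 'J. Smith <j.smith@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str, max_distance: int = 2) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_VENDOR_DOMAINS:
        return None
    best: Optional[Tuple[str, int]] = None
    for trusted in TRUSTED_VENDOR_DOMAINS:
        d = levenshtein(domain, trusted)
        if d <= max_distance and (best is None or d < best[1]):
            best = (trusted, d)
    return best[0] if best else None


def triage(from_header: str, subject: str, body: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, imitated_domain). HOLD means: stop, verify out of band."""
    imitated = lookalike_of(sender_domain(from_header))
    if imitated is None:
        return ("OK", None)
    text = f"{subject}\n{body}".lower()
    if any(k in text for k in PAYMENT_KEYWORDS):
        return ("HOLD", imitated)
    return ("REVIEW", imitated)
```

A HOLD verdict is the trigger for the phone call on a known number; the check flags candidates, it does not replace the call.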
Real-World Impact
The report highlights a devastating example: a Tasmanian woman lost $120,000 after scammers intercepted email correspondence with the construction company she hired for a renovation. By the time the fraud was discovered, the money was gone.
In our industry, where margins are tight and cash flow is king, a loss like that isn’t just a line item; it’s a threat to project continuity.
The Fix: “Stop and Verify”
You don’t need expensive software to stop this; you need a culture change. Here is the protocol I recommend implementing immediately:
1. The “Stop and Verify” Rule
Establish a mandatory policy: any email request to change banking details or make an urgent, out-of-cycle payment must be verified through a secondary channel.
- Do not reply to the email.
- Do pick up the phone and call the vendor on a known, trusted number (from your internal system, not the email signature).
2. Implement Dual Controls
Require that any change to vendor payment information be reviewed and approved by two separate individuals. This creates a vital “human checkpoint” to catch fraud before funds leave the building.
Takeaway
We need to treat a change in bank details with the same scrutiny as a change order on a blueprint. In 2026, a healthy skepticism is your best financial defense.
Download the Construction State of Cybersecurity report and request a short cybersecurity health check from Fulton May Solutions.