Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


How cybercriminals are targeting construction companies — and how to prevent it

Dec 11, 2019

The FBI recently issued a notice to construction companies warning them about a rising fraud scheme. 

Cybercriminals are using commercial databases to learn details on thousands of construction projects across the U.S., from contact information to bidder lists to project costs and specifications. They are using these details to commit business email compromise (BEC) fraud. 

BEC differs from standard phishing attacks in that the cybercriminal targets one person (who has the ability to access company funds, make payments or access sensitive information) rather than an entire organization.

How does the business email compromise actually happen? 

Typically, BEC involves a cybercriminal taking over an email account via social engineering or guessing weak passwords, or impersonating an email account by using a lookalike account.

In this case, the FBI specifically is warning that cybercriminals are picking a construction company that has won a bid and then registering a domain similar to that construction company’s domain (e.g., acmeinc.com versus the real company’s acme.com). They then send an email to the business that put out the bid with “new” ACH payment instructions. 

Not surprisingly, this new banking information is the cybercriminal’s, and they receive payments meant for the real construction company. The fraud typically isn’t discovered until the real construction company starts a collections process on the payment(s) they never received. 

Other BEC fraud types

The vendor payment change scheme isn’t the only type of BEC fraud. Two other common BEC attacks include:

  • The wire transfer: When the CEO goes out of town, the cybercriminal sends the CFO an email that appears to be from the CEO, requesting the CFO send a wire transfer to a new vendor. The email provides payment instructions and emphasizes that the payment must be made immediately. Because the CEO is “unreachable” due to being out of town, the fraud isn’t discovered until the real CEO reviews the banking statement and discovers the large transfer.
  • The W-2 data request: The payroll department receives an email from a top executive (aka the cybercriminal) asking for the W-2 report on all the company’s employees. The fraud isn’t discovered until tax time, when employees begin to discover the fraudulent tax returns have been filed on their behalf. 

Top 4 ways to prevent BEC fraud

Construction companies are vulnerable to all three of those BEC fraud schemes. But the good news is, there are ways to prevent BEC fraud. Here are our top four tips:

1. Provide security awareness training to all your employees

The weakest link in your security will always be your employees. Security awareness training is essential; it educates employees on what cybercriminals try to steal, how they try to steal it and what employees can do to protect themselves and your company’s data. 

This means everything from being able to spot a phishing email to what to do when they believe an error may have been made. Speed of response is critical to limiting the damage of a cyberattack or data breach, so employees should not be afraid to disclose a mistake.

2. Verify requests using an out-of-band method

Part of this security education training should be to verify any request for a payment change, wire transfer or sensitive data. But employees should not verify requests simply by responding to what could be a fictitious email.

If the email is supposedly coming from an internal person, the employee should walk over to that person’s desk, or call or text the phone number listed in the internal directory for that person. Then they can verify that person truly did make the request.

If the email is coming from a vendor, the employee should call the vendor using a phone number they know goes to the real vendor, not any phone numbers that may be listed in the potentially fraudulent email. 

Another good idea is to dictate as a company rule that any changes in vendor payment must be approved with two different employee sign-offs. This further increases the likelihood of any fraud being detected.

3. Flag external emails

To combat those CEO-impersonating emails, one effective tactic is to configure your email system to automatically flag external emails with a large, conspicuous banner at the top that labels the email as coming from an external sender. That way, if the email is supposedly coming from the CEO or another company employee but bears the external banner sender, the recipient knows right away it’s a potentially fraudulent email. 

We also recommend creating an email rule that flags all emails where the “reply” email address is different from the “from” email address shown.

Furthermore, your IT department can implement anti-spoofing rules that flag email domains that are similar to companies you work with. This would catch @acmeinc.com, @acme_company.com, or any other variations on the legitimate @acme.com email domain. 

4. Use multifactor authentication

Multifactor authentication (MFA) is a strong way to help prevent cybercriminals from taking over employee email accounts. MFA is a security setting you can turn on in your email provider. It requires a second method of authentication in order for an employee to log in, typically by sending a code to the employee’s phone that they then type into the field on their computer. 

MFA helps make sure that the employee is really is that employee and not a fraudster who is attempting to gain access to the employee’s email account.

What does your cybersecurity look like?

Cyber fraud schemes are only continuing to evolve, so make sure your construction company is prepared. Training, procedure and policy creation, and having an incident response team are three ways to both help prevent and respond to an incident. 

But you don’t have to go it alone. An experienced cybersecurity firm can help you close vulnerabilities and help prevent BEC attacks in the first place.

To learn about managed detection and response services, click here. To learn about Wipfli’s other cybersecurity services — from vulnerability assessments to phishing simulations — click here.

Or keep reading on about cybersecurity:

5 questions executives should ask to assess cybersecurity readiness

How to prevent and detect Office 365 account takeovers

10 essential ways to protect your business against cyber crime


Tom Wojcinski
View Profile