Construction companies should be on alert and should educate leadership and employees about a targeted fraud scheme that cybercriminals execute regularly.
Business Email Compromise (BEC) Fraud
Cybercriminals are accessing commercial databases to learn the details of construction projects across the U.S. The information they are gaining includes contact information, bidder lists, project costs and even specifications. Hackers are then taking advantage of these details to commit a cybercrime called Business Email Compromise (BEC) Fraud.
In the case of a Business Email Compromise attack, cybercriminals target a single employee within an AE&C company who has access to company funds, is able to make payments, and can access sensitive information.
The FBI has warned that cybercriminals are picking construction companies that have won a bid and then registering a similar domain to that company’s domain. They use the similar domain to send an email to the business that put out the bid with “new” ACH payment instructions.
If successful at this maneuver, cybercriminals receive payments meant for the real construction company. This type of fraud typically isn’t discovered until the real construction company begins a collections process on payments they never received.
Cybercriminals target firms through other types of fraud as well
Besides the vendor payment change fraud scheme, construction firms also face Wire Transfer Fraud. Wire Transfer Fraud typically goes something like this: the CEO of a construction company travels out of town or is away from the office for an extended period, and the cybercriminal sends the CFO an email that looks like it came from the CEO. The email usually requests that the CFO wire funds to a new vendor of the company and stresses the urgency of the transfer.
The cybercriminal provides instructions supposedly sent by the vendor. The CFO likely won’t call the CEO to verify the transaction because of the CEO’s travel schedule and a reluctance to disturb them. This type of fraud generally isn’t realized until the CEO reviews financials and notices the money was sent to the wrong people, and/or the vendor reaches out about a missing payment.
Four things to protect yourself
In an effort to prevent BEC Fraud and Wire Transfer Fraud, construction companies can implement the following:
- Establish a plan for regular security awareness training in which ALL employees participate (see A Construction Company’s Best Defense Against a Cyberattack is Not What You Would Guess)
- Enforce a cross-checking process for all payment requests that requires an employee to pick up the phone and verify the request live with the requester, and/or verify in person if in an office
- Implement Multi-Factor Authentication on all accounts
- Send/flag all questionable imposter emails and requests to your MSP / IT Department for review
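As an added example (not part of the original article), here is one way an IT department could triage a flagged email for the lookalike-domain scheme described above: compare the sender's domain against the vendors you already pay and check for payment-change wording. The vendor list, keyword pattern, verdict names and sample message are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: domains of vendors you already pay (constructed, reserved .example TLD).
KNOWN_VENDOR_DOMAINS = ("acme-builders.example", "northridgeconcrete.example")
PAYMENT_CHANGE = re.compile(
    r"\b(ach|wire|routing number|bank account|payment instructions)\b", re.I)

def normalize(domain):
    """Fold a few common visual substitutions (rn->m, 0->o, 1->l)."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("01", "ol"))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, max_edits=2):
    """Return the known vendor domain this one imitates, or None."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None  # exact match: the vendor's real domain
    for known in KNOWN_VENDOR_DOMAINS:
        if edit_distance(normalize(domain), normalize(known)) <= max_edits:
            return known
    return None

def triage(raw_email):
    """Classify one message: lookalike sender, payment change, or neither."""
    msg = message_from_string(raw_email, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']} {body.get_content() if body else ''}"
    imitates = lookalike_of(domain)
    if imitates:
        verdict = "block-and-report"   # near-miss of a real vendor domain
    elif PAYMENT_CHANGE.search(text):
        verdict = "verify-by-phone"    # the call-back check from the list above
    else:
        verdict = "pass"
    return {"sender_domain": domain, "imitates": imitates, "verdict": verdict}

# Constructed sample message, not a real email.
SAMPLE = ("From: Acme Builders AR <billing@acrne-builders.example>\n"
          "Subject: Updated ACH payment instructions\n\n"
          "Please use the new routing number for all future invoices.\n")
print(triage(SAMPLE))
```

A message from the exact vendor domain that mentions a payment change still gets the phone check, since a compromised mailbox passes any domain comparison.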
Learn how to protect your company with 10 Steps AE&C Companies can take to Protect Against Ransomware Hackers.