Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from committing fraud. They are getting more and more sophisticated in their deceptions, and targeting those areas they see as ‘weak links.’
Construction companies however face a particular threat, as there are a number of services and private and government web sites to which companies can subscribe to learn about construction projects that are open to bid. Often, the winning bidder ends up becoming public knowledge – either because that information is posted publicly, or because the contract company advertises they were awarded the project. And of course, these contracts always carry a price tag that is attractive to scammers.
Fraudsters can use information from these same web sites along with other research to learn which construction companies have applied for and ultimately won bids. The higher the price tag, the bigger the target. Once the scammers get their fake web site set up (they can use tools to copy the real contractor’s web site almost exactly), they’ll then send an email to the victim posing as the contractor, including a direct deposit form (likely doctored with the contractor’s logo) and instructions to change payment information to a new account controlled by the scammers. They might even try to play this trick on the construction company and pose as a vendor the construction company regularly pays. Once the money is transferred, it can be difficult – and often impossible – to recover. Even if the victim has cyber insurance, whether or not any losses are covered depends on the policy. Any access and information they obtain can also compromise the construction company’s information security, potentially increasing the likelihood of privacy breaches, ransomware attacks, or other serious security risks.