Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from committing fraud.  They are getting more and more sophisticated in their deceptions, and targeting those areas they see as ‘weak links.’

Construction companies however face a particular threat, as there are a number of services and private and government web sites to which companies can subscribe to learn about construction projects that are open to bid. Often, the winning bidder ends up becoming public knowledge – either because that information is posted publicly, or because the contract company advertises they were awarded the project. And of course, these contracts always carry a price tag that is attractive to scammers.

Fraudsters can use information from these same web sites along with other research to learn which construction companies have applied for and ultimately won bids. The higher the price tag, the bigger the target. Once the scammers get their fake web site set up (they can use tools to copy the real contractor’s web site almost exactly), they’ll then send an email to the victim posing as the contractor, including a direct deposit form (likely doctored with the contractor’s logo) and instructions to change payment information to a new account controlled by the scammers.  They might even try to play this trick on the construction company and pose as a vendor the construction company regularly pays. Once the money is transferred, it can be difficult – and often impossible – to recover.  Even if the victim has cyber insurance, whether or not any losses are covered depends on the policy.  Any access and information they obtain can also compromise the construction company’s information security, potentially increasing the likelihood of privacy breaches, ransomware attacks, or other serious security risks.

Awareness and good financial and technical controls are key to protecting against this threat.  Here are some steps your organization should consider including in your cyber security plan:

  • Establish direct deposit instructions at the start of the contract, and ensure your customers know exactly how you would change them.  For example, let them know any instructions would come only from your organization via a specific email address or phone number.
  • Also ensure your customers know how they can verify those instructions, as email addresses and phone numbers can be faked.  Have your customers confirm any changes by using the alternate communication method.  For example, if they ever get an email with new instructions, they are to call the phone number sent in the original instructions (not reply to the email, or call any phone number in the email) to confirm, and vice-versa. Scammers will do everything they can to get you to contact them for ‘verification’, so clear direction at the start of the process is important.
  • Carefully scrutinize all requests for transfer of funds. Expect secure processes and procedures from your vendors or anyone you have to transfer money to. If they don’t have a good process in place, at least have them follow yours.
  • Always ensure two people have to sign off on any changes.  At least one of them should be in management.
  • Train your company on how to spot fakes.  Consider phish-testing your own company regularly (there are subscription solutions out there that can help you manage this.)
  • If you have trouble detecting external emails, consider setting up an ‘external’ tag so your own staff can more easily catch if a scammer is trying to impersonate someone in your organization.
  • Consider subscribing to a secure email gateway to help protect your organization from phishing and scams.

Ultimately, the adage ‘an ounce of prevention is worth a pound of cure’ is borne out in cyber and financial security breaches. Take proactive steps to protect your organization, your trades and vendors, and your own clients and customers.

The privacy team and construction lawyers at Stoel Rives are prepared to help you minimize risks and mitigate losses posed by internal and external threats. Give us a call to learn more about how we can help you protect your business.