Cybercriminals are targeting construction companies to conduct business email compromise scams. All parties to construction projects should be vigilant when emailing about invoices and bank details.
Alert status: MEDIUM
The ACSC has observed a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.
In a BEC scam, cybercriminals will send fraudulent emails posing as a legitimate business. These emails typically target the customers of the business and will ask them to change bank account details for future invoice payments. Victims assume this request is legitimate and will then send invoice payments to a bank account operated by the scammer.
These fraudulent emails may come from hacked (compromised) email accounts, in which case they originate from the genuine account and carry no obvious sign of tampering, or cybercriminals might register domain names that closely resemble a legitimate company's domain (typically by swapping or substituting letters, or adding extra characters). At a quick glance, such an email address may look legitimate when it is actually being operated by a cybercriminal.
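The lookalike-domain technique described above can be caught mechanically before an invoice reaches accounts payable. The following is an added example, not ACSC code and not part of the original advisory: it compares each sender domain against a constructed allow-list of known supplier domains, folding common character substitutions (0 for o, 1 for l, rn for m) and tolerating a small edit distance, and flags a known supplier's name appearing in a display name over an unrelated address. The supplier domains, subject keywords and sample headers are all constructed for illustration.

```python
"""Flag invoice e-mails whose sender domain merely resembles a known supplier.

Added example, not ACSC code. The allow-list, keyword list and sample
headers below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: domains this business legitimately exchanges invoices with.
KNOWN_DOMAINS = {"northbuild.com.au", "acmeplumbing.com.au", "steelsupplies.com"}

# Subject words that commonly accompany a payment-redirection request (constructed list).
PAYMENT_WORDS = ("bank", "account details", "remittance", "bsb", "payment details")


def parse_sender(from_header: str):
    """Return (display_name, domain) from a raw 'From:' header line."""
    value = re.sub(r"^\s*From:\s*", "", from_header, flags=re.I)
    name, addr = parseaddr(value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def normalize(domain: str) -> str:
    """Collapse common visual substitutions so 'northbui1d' compares equal to 'northbuild'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one swapped, dropped or added character costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, display_name: str = "", known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', closest known domain or None)."""
    if domain in known:
        return "known", domain
    norm = normalize(domain)
    core = norm.split(".")[0]  # brand label, e.g. 'northbuild'
    name_norm = normalize(re.sub(r"[^a-z0-9]", "", display_name.lower()))
    for k in sorted(known):
        k_norm = normalize(k)
        k_core = k_norm.split(".")[0]
        if (
            norm == k_norm                                   # homoglyph-only swap
            or core == k_core                                # same brand, different TLD
            or (len(k_core) >= 6 and k_core in core)         # brand plus extra characters
            or levenshtein(norm, k_norm) <= max_distance     # a letter swapped/dropped/added
            or (len(k_core) >= 6 and k_core in name_norm)    # brand in display name only
        ):
            return "lookalike", k
    return "unknown", None


def triage(from_header: str, subject: str) -> dict:
    """Combine sender verdict with payment-change wording into a risk label."""
    name, domain = parse_sender(from_header)
    verdict, match = classify_domain(domain, name)
    payment = any(w in subject.lower() for w in PAYMENT_WORDS)
    if verdict == "lookalike" and payment:
        risk = "high"
    elif verdict == "lookalike" or (verdict == "unknown" and payment):
        risk = "medium"
    else:
        risk = "low"
    return {"domain": domain, "verdict": verdict, "impersonates": match,
            "payment_request": payment, "risk": risk}


# Constructed sample headers: one genuine supplier, four impersonation patterns, one unrelated sender.
SAMPLE_EMAILS = [
    ("From: Accounts <accounts@northbuild.com.au>", "Invoice 4471 for slab pour"),
    ("From: Accounts <accounts@northbui1d.com.au>", "Updated bank details for invoice 4471"),
    ("From: Accounts <accounts@northbuild-invoices.com>", "Remittance advice required"),
    ('From: "NorthBuild Accounts" <nb.accounts2024@gmail.com>', "New account details for payments"),
    ("From: Sales <sales@stealsupplies.com>", "Quote for reinforcing mesh"),
    ("From: Council <rates@example.gov.au>", "Rates notice"),
]


def scan(emails=SAMPLE_EMAILS):
    return [triage(f, s) for f, s in emails]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['risk']:<6} {r['verdict']:<9} {r['domain']:<28} impersonates={r['impersonates']}")
```

The rule is deliberately conservative: a "high" result requires both a suspicious sender and payment-change wording, because a genuine supplier (verdict "known") sending a real bank-detail change still needs the out-of-band phone verification described under Mitigation, not an automated pass. A compromised genuine account is invisible to this check, which is why the allow-list cannot replace that phone call.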
Successful BECs may go unnoticed for weeks or months until the construction company follows up on missing payments.
Mitigation
All parties to construction projects should be vigilant when communicating by email, particularly when discussing bank account details or invoicing.
Other mitigation strategies include:
- Verify payment-related requests: If you receive a request to make a large transfer or to change bank account details, verify that the request is legitimate before actioning it. Call the sender on a phone number you already hold on file (not one supplied in the email itself, which may belong to the scammer) or visit them face-to-face before transferring any funds.
- Secure your email account: It is recommended that construction companies and related businesses use strong passphrases and enable multi-factor authentication on their email accounts.
- Training and awareness: Ensure that your staff are trained to recognise suspicious emails, including fraudulent bank account changes and requests to check or confirm login details. The latter is often a phishing attack: a harvested password is how a cybercriminal takes over the email account that is then used to send the fraudulent invoices.
Further advice on mitigating business email compromise is available on cyber.gov.au: