Why Construction?
Business email compromise is not new. The FBI has tracked it for over a decade. What has changed is where attackers focus their energy. Construction has become the single most targeted sector for BEC fraud. The reason is structural. The way this industry moves money creates conditions that attackers can exploit without sophisticated technical skills.
Five characteristics make construction firms uniquely vulnerable:
- Large wire transfers are normal business
- A general contractor on a commercial project might wire $200,000 to a concrete subcontractor on a Tuesday and $350,000 to an electrical sub on a Thursday. Six- and seven-figure payments are not unusual. They do not trigger the internal alarm bells that the same amounts would at a software company or a law firm.
- Dozens of subcontractors per project
- A mid-size commercial build involves 20 to 40 subcontractors. A large project can involve 80 or more. Each one submits invoices. Each one has banking details on file. The accounting team cannot memorize every vendor relationship. They rely on email and documents to process payments.
- Low security maturity
- Most construction firms do not have a dedicated IT security person. The "IT department" is often one person who manages computers and the phone system. Email security training is rare. Multi-factor authentication adoption is below industry averages. The focus is on building projects, not building security programs.
- Deadline pressure overrides verification
- Construction runs on schedules. A delayed payment to a subcontractor can halt work on a job site. When accounting receives an urgent invoice with a note about updated banking details, the pressure to keep the project moving works against careful verification. The cost of a one-day delay on a commercial build can exceed $50,000 in penalties and lost productivity.
- Banking details change legitimately
- Subcontractors change banks. They open new accounts for tax purposes. They restructure their businesses. Legitimate banking change requests happen often enough that a fraudulent one does not stand out. In other industries a bank detail change is a red flag. In construction it is Tuesday.
The Attack Pattern
The mechanics of construction BEC are straightforward. Attackers do not need zero-day exploits or custom malware. They need patience and an email account.
The attack follows a consistent sequence:
- Reconnaissance. The attacker identifies a construction project. This is easy. Projects are public record. Permit filings list the general contractor. Subcontractor relationships appear in bid documents and sometimes on the project website itself. LinkedIn profiles confirm who handles accounting and project management.
- Email compromise or spoofing. The attacker either compromises a subcontractor's actual email account through phishing or creates a lookalike domain. If the real subcontractor uses `accounting@smithelectrical.com` the attacker registers `accounting@smith-electrical.com` or `accounting@smithelectricai.com`. The difference is a single character.
- The banking change request. The attacker sends an email to the general contractor's accounts payable team. The message is professional and routine. It states that the subcontractor has changed banks and provides new wire instructions. The timing is deliberate. It arrives just before a scheduled draw payment or progress billing cycle.
- Payment redirection. The AP team updates the banking information in their system. The next scheduled payment goes to the attacker's account. The money is typically moved through multiple accounts and withdrawn within 48 hours.
- Discovery. The real subcontractor contacts the GC two to four weeks later asking why they have not been paid. By then the money is gone.
The entire attack requires no malware on the victim's systems. No files are encrypted. No servers are breached. The weapon is a convincing email and the victim's own payment process.
Real Numbers
The FBI's Internet Crime Complaint Center (IC3) has tracked BEC as the costliest form of cybercrime for several consecutive years. In its most recent reporting period BEC accounted for over $2.9 billion in reported losses in the United States alone. The actual number is higher because many incidents go unreported.
Construction and real estate consistently appear at the top of the industry breakdown. The average BEC loss across all sectors exceeds $120,000 per incident. In construction the average runs significantly higher because of the size of typical wire transfers. Losses of $500,000 to $1.2 million on a single fraudulent transaction are documented in IC3 reports.
| Metric | Value |
|---|---|
| Total US BEC losses reported to IC3 (annual) | $2.9 billion+ |
| Average loss per BEC incident (all industries) | $120,000+ |
| Typical construction BEC loss range | $150,000 to $1.2 million |
| Time from payment to discovery | 2 to 4 weeks |
| Recovery rate after 48 hours | Under 10% |
Those numbers represent reported incidents. Many construction firms absorb the loss quietly to avoid damaging client relationships or triggering bonding issues. The true cost to the industry is likely double or triple the reported figure.
The "New Banking Details" Email
If you manage payments for a construction firm you need to know what this email looks like. It does not arrive with red flags waving. It arrives looking exactly like every other vendor communication you receive.
Here is what to watch for:
- Urgency tied to a real payment cycle
- The email arrives one to three days before a scheduled draw. It asks you to update the banking details "before the next payment processes." The attacker knows your payment schedule because project timelines are often available in contract documents or through a compromised email thread.
- Slight email address differences
- Compare the sender address character by character against what you have on file. Attackers swap letters (`rn` looks like `m` in many fonts), add hyphens or change the domain extension. The display name will match perfectly. The actual address will not.
- Professional tone with minimal detail
- The email is short and businesslike. It does not over-explain. A real banking change notice would be brief. The attacker mirrors that brevity. The message typically includes a new routing number and account number and asks you to confirm receipt.
- No attached invoice for a current amount
- The banking change email usually does not include a specific invoice. It asks you to update your records for "future payments." This avoids creating a paper trail tied to a specific dollar amount that could be more easily flagged.
- Reply-to address mismatch
- Check the reply-to field in the email headers. Even when the "From" address looks right, the reply-to may point to a completely different domain controlled by the attacker. Most email clients hide this field by default.
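The sender and reply-to checks above can be automated at the point where a banking change request is logged. The following is an added example, not code from the article: it compares the From and Reply-To headers against the address on file for the vendor and folds the character swaps the article lists (`rn` for `m`, `l` for `i`, inserted hyphens) so that a lookalike domain is reported as such rather than passing as a new vendor. The vendor record and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr
from typing import List

# Constructed vendor master record: the address verified when the subcontractor was onboarded.
VENDOR_ON_FILE = {"Smith Electrical": "accounting@smithelectrical.com"}

# Look-alike substitutions from the article: 'rn' reads as 'm', 'l' as 'i', hyphens inserted,
# digits for letters. Multi-character swaps run first so 'rn' is folded before 'l' is.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("l", "i")]


def normalize_domain(domain: str) -> str:
    """Collapse look-alikes so 'srnith-electricai.com' compares equal to 'smithelectrical.com'."""
    d = domain.lower().replace("-", "")
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_sender(vendor: str, from_header: str, reply_to_header: str = "") -> List[str]:
    """Compare the From and Reply-To headers against the vendor record; empty list = no finding."""
    on_file = VENDOR_ON_FILE[vendor]
    findings = []
    _, from_addr = parseaddr(from_header)          # ignores the display name, which will match
    from_addr = from_addr.lower()
    if from_addr != on_file:
        if normalize_domain(domain_of(from_addr)) == normalize_domain(domain_of(on_file)):
            findings.append(f"lookalike sender domain {domain_of(from_addr)} (on file: {domain_of(on_file)})")
        else:
            findings.append(f"sender {from_addr} is not the address on file ({on_file})")
    if reply_to_header:                             # most clients hide this header by default
        _, reply_to = parseaddr(reply_to_header)
        if domain_of(reply_to) != domain_of(on_file):
            findings.append(f"reply-to domain {domain_of(reply_to)} differs from {domain_of(on_file)} on file")
    return findings


if __name__ == "__main__":
    # Constructed sample headers modelled on the article's examples.
    for hdr, reply in [("Smith Electrical AP <accounting@smithelectrical.com>", ""),
                       ("Smith Electrical AP <accounting@smith-electrical.com>", ""),
                       ("Smith Electrical AP <accounting@smithelectrical.com>", "accounting@srnith-electrical.com")]:
        print(hdr, reply, check_sender("Smith Electrical", hdr, reply) or ["OK"])
```

A changed top-level domain (for example `.co` instead of `.com`) does not normalize to the address on file and is reported under the second branch, so it is still flagged.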
What Your IR Plan Should Include
If you do not have an incident response plan that specifically addresses BEC you are planning to fail. Generic cybersecurity policies do not cover payment fraud. You need procedures written for the way your firm actually moves money.
Verification procedures for banking changes
Every banking detail change request must go through a defined verification process regardless of who sends it and regardless of how urgent the project timeline is. This means a written policy that states: no banking information is changed based on email alone. Period.
The policy should require the AP team to flag any banking change request and route it through a verification workflow before any system updates occur.
Out-of-band confirmation
When a subcontractor requests a banking change someone on your team must call them to confirm. Not at the phone number in the email. At the phone number already on file in your vendor database or the number on the original signed contract. This single step defeats the majority of BEC attempts.
The call should be documented. Who called. What number. Who answered. What they confirmed. This documentation becomes critical if a fraud does occur and you need to demonstrate that your team followed procedure.
Dual authorization for payment changes
No single person should have the authority to change vendor banking details and approve the next payment to that vendor. Separate these functions. The person who updates the banking record should not be the same person who releases the wire. This creates a second set of eyes on every banking change.
For payments above a defined threshold (many firms use $25,000 or $50,000) require sign-off from a project manager or company officer in addition to the accounting team. The minor delay is worth the protection.
72-hour hold on new banking details
Implement a mandatory waiting period after any banking detail change before payments can be sent to the new account. A 72-hour hold gives your team time to verify and gives the real subcontractor time to notice if someone has impersonated them. Most BEC attacks depend on speed. Slowing down the process is a defensive advantage.
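The four controls above (no change on email alone, documented out-of-band callback to the number on file, dual authorization with a sign-off threshold, and the 72-hour hold) can be encoded so the payment system refuses a step rather than relying on memory. The following is an added example and not the article's or any vendor's code; the vendor, clerk names, threshold of $50,000 and the $340,000 draw are constructed to match the article's tabletop scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOLD_HOURS = 72                      # mandatory wait before paying a newly changed account
OFFICER_SIGNOFF_THRESHOLD = 50_000   # payments above this also need PM or officer sign-off

@dataclass
class VendorRecord:
    name: str
    phone_on_file: str               # from the vendor database or signed contract, never the email

@dataclass
class BankingChange:
    vendor: VendorRecord
    new_routing: str
    new_account: str
    callback: Optional[dict] = None  # documented out-of-band call: who, which number, who answered
    updated_by: Optional[str] = None
    updated_at: Optional[datetime] = None

# Each control returns None when the step is allowed, otherwise the reason it is blocked.
def record_callback(change, caller, number_dialed, answered_by, confirmed) -> Optional[str]:
    """Out-of-band confirmation must use the number on file and must be documented."""
    if number_dialed != change.vendor.phone_on_file:
        return "callback must use the number on file, not a number from the email"
    if not confirmed:
        return "vendor did not confirm the change; do not update records"
    change.callback = {"caller": caller, "number": number_dialed, "answered_by": answered_by}
    return None

def apply_change(change, updated_by, now) -> Optional[str]:
    """No banking information is changed based on email alone."""
    if change.callback is None:
        return "out-of-band confirmation missing"
    change.updated_by, change.updated_at = updated_by, now
    return None

def release_payment(change, amount, released_by, officer_signoff, now) -> Optional[str]:
    """Dual authorization, the 72-hour hold and threshold sign-off are checked before the wire goes."""
    if change.updated_at is None:
        return "banking change has not been verified and applied"
    if released_by == change.updated_by:
        return "the person who changed the banking record may not release the wire"
    if now < change.updated_at + timedelta(hours=HOLD_HOURS):
        return f"{HOLD_HOURS}-hour hold on new banking details still in effect"
    if amount > OFFICER_SIGNOFF_THRESHOLD and not officer_signoff:
        return "payments above the threshold need project manager or officer sign-off"
    return None
```

The returned reason strings double as the audit record the article asks for: log them with the request so you can later show that the team followed procedure.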
How Tabletop Exercises Help Construction Firms
A tabletop exercise is a structured walkthrough of a specific attack scenario with the people who would actually respond to it. No servers go down. No money moves. You sit your accounting team and project managers in a room and run the scenario on paper.
For a construction firm the BEC tabletop should go like this:
- Present the scenario: your largest subcontractor on an active project sends an email requesting updated banking details. The next draw payment of $340,000 is due in two days.
- Ask your AP team: what do you do? Walk through each step they would take. Document their responses.
- Introduce complications. The subcontractor's phone number goes to voicemail. The project manager says the sub mentioned something about changing banks last month. The payment deadline has a late penalty clause.
- Identify the gaps. Where did the team hesitate? Where did someone suggest skipping verification because of the deadline? Where was the policy unclear?
The value is not in getting the right answers. The value is in finding where your process breaks down before real money is at risk. Every construction firm that has run this exercise with us has found at least one critical gap in their payment verification process.
Common findings include: no documented procedure for banking changes. A single person who can both change banking details and approve payments. No out-of-band verification requirement. Phone numbers stored only in email signatures rather than a verified vendor database.
These are fixable problems. But you will not find them until you test.
FAQ
Why are construction companies targeted more than other industries for BEC?
Construction firms combine large routine wire transfers with dozens of vendor relationships and low cybersecurity maturity. Attackers know that six-figure payments are normal business. They know that banking detail changes happen legitimately. They know that deadline pressure pushes accounting teams to process payments quickly. No other industry presents this combination of high-value targets and low verification barriers.
What is the average loss per BEC incident in construction?
The FBI IC3 reports the average BEC loss across all industries exceeds $120,000 per incident. Construction losses tend to run higher because draw payments and subcontractor invoices frequently reach six and seven figures. Single-incident losses of $500,000 to $1.2 million are documented. Recovery rates after 48 hours drop below 10 percent.
How do I verify a subcontractor's banking change request?
Call the subcontractor at a phone number you already have on file. Do not use the phone number provided in the email requesting the change. Require written confirmation on company letterhead. Mandate that one person updates the banking record and a different person authorizes the next payment. Implement a 72-hour hold before sending funds to any newly updated account. Document every step of the verification.