Business Email Compromise in Construction: The Targeted Fraud That Costs Construction Companies Millions
Business Email Compromise (BEC) is among the costliest cyber fraud categories; the FBI's Internet Crime Report consistently ranks it as a multi-billion-dollar annual loss category. Construction companies face elevated targeting due to large payments, distributed teams, and vendor payment volume. Schemes include CEO impersonation requesting urgent wire transfers, vendor impersonation requesting bank account changes, and payroll department impersonation redirecting deposits.
BEC fraud succeeds through social engineering rather than technical hacking: workers are manipulated into authorizing fraudulent payments. Prevention requires controls and training. This post covers BEC patterns and prevention for construction companies.
Several common BEC patterns:
BEC schemes
- CEO/CFO impersonation — urgent wire request
- Vendor impersonation — banking change
- Subcontractor impersonation — payment redirect
- Lawyer impersonation — confidential transaction
- Payroll redirect — employee bank change
- Real estate transaction fraud
- Acquisition transaction fraud
- W-2 phishing — tax fraud preparation
Common patterns repeat. CEO impersonation exploits authority to request urgent wire transfers. Vendor impersonation changes payment routing. Subcontractor schemes redirect payments to fraudster accounts. Real estate closing fraud has hit construction companies on M&A and property transactions. W-2 phishing harvests tax data for tax refund fraud.
Vendor redirect is particularly common:
Vendor redirect schemes
- Email purportedly from vendor
- Banking change request
- Often follows compromised vendor email
- Real vendor information used
- Request looks legitimate
- Subsequent payments redirected to fraudster
- Vendor doesn't know until they don't get paid
Vendor email compromise gives the fraudster access to the real vendor's email. The fraudster sends a banking change to the construction company's AP. The real vendor doesn't know. Construction AP processes the change, and subsequent payments go to the fraudster. The fraud is discovered when the real vendor calls about missing payments, typically multiple payments later.
CEO scheme exploits authority:
CEO impersonation
- Email from CEO email or look-alike
- Urgent confidential transaction
- Instructions to wire transfer
- Pressure to bypass normal procedures
- Often international destination
- CEO unavailable to verify
- Pressure tactics to act quickly
The CEO scheme uses authority and urgency. An email purportedly from the CEO requests an urgent wire. The "confidential" framing prevents discussion with others. Pressure to act quickly bypasses normal verification. The CEO is often "unavailable", so verification calls cannot reach them. An international wire destination makes recovery difficult.
Suspicious email indicators:
Email red flags
- Slight email address differences (CEO@company.co vs .com)
- Display name spoofing
- Reply-to different from sender
- Foreign-looking grammar
- Urgency demands
- Confidentiality demands
- Unusual payment instructions
- After-hours timing
Look-alike domains (an extra letter, a different TLD) are common. Display name spoofing makes the sender appear to be the CEO while the actual address differs. A Reply-To address routes replies to the fraudster instead of the real CEO. Foreign grammar appears in emails purportedly from native English speakers. Urgency and confidentiality demands push past verification.
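As an added example (not from the original post), the checks below parse a message's From, Reply-To, Subject and body and flag the indicators listed above. The company domain, executive name and sample message are constructed placeholders; the display-name check assumes AP keeps a list of the real addresses of executives whose names a fraudster might borrow.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-builders.com"                    # constructed placeholder
KNOWN_EXECS = {"ceo@example-builders.com": "Pat Rivera"}  # constructed: real address -> display name
KEYWORDS = {"urgency": ("urgent", "immediately", "right away"),
            "confidentiality": ("confidential", "do not discuss"),
            "payment-instructions": ("wire", "bank account", "routing")}

def one_edit_apart(a, b):
    # True when the two domains differ by one substitution, insertion or deletion.
    if len(a) < len(b):
        a, b = b, a
    i = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(b))
    # Equal lengths: skip the substituted char in both; a longer by one: skip it in a only.
    return len(a) - len(b) <= 1 and a[i + 1:] == b[i + (len(a) == len(b)):]

def lookalike(domain, real):
    # Near-miss domain: same name under a different TLD, or one character off.
    if not domain or domain == real:
        return False
    return domain.split(".")[0] == real.split(".")[0] or one_edit_apart(domain, real)

def red_flags(raw):
    # Return the red flags found in a plain-text message, in the order the post lists them.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", "").lower())
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    if lookalike(domain, COMPANY_DOMAIN):
        flags.append("lookalike-domain")
    # Display-name spoofing: a known executive's name on an address that is not theirs.
    if any(n.lower() == name and a != addr for a, n in KNOWN_EXECS.items()):
        flags.append("display-name-spoof")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    for label, words in KEYWORDS.items():
        if any(w in text for w in words):
            flags.append(label)
    return flags

# Constructed sample: look-alike domain (l -> 1), spoofed display name, foreign Reply-To.
SAMPLE = """\
From: Pat Rivera <pat.rivera@example-bui1ders.com>
Reply-To: pat.rivera.ceo@freemail.example

Process an urgent wire transfer for a confidential acquisition right away. Do not discuss this with anyone.
"""
```

Any non-empty result is a reason to stop and run the phone verification described below, not a verdict on its own; a legitimate message from the real executive's address with no Reply-To and no payment language produces an empty list.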
Verification stops fraud:
Verification procedures
- Bank changes verified by phone to known number
- Wire transfer requests verified
- Don't use phone numbers in suspicious email
- Multiple-channel verification (call, text, in-person)
- Specific authorization for changes
- Documented verification
- Cooling-off periods for urgent requests
Verification by phone to a known number stops most BEC. Don't trust phone numbers in suspicious emails; the fraudster controls those. Multi-channel verification is more secure. Documented verification creates an audit trail. Cooling-off periods for urgent requests expose urgency tactics.
The single most effective BEC prevention is mandatory phone verification (to a known phone number, not one in the email) for any banking change or unusual wire request. Workers trained to call before processing requests — even when 'CEO' will be 'angry' — prevent the majority of BEC losses. Building this culture matters more than any technical control.
Technical controls supplement procedures:
Technical controls
- Multi-factor authentication on email
- Anti-phishing email filters
- DMARC, SPF, DKIM email authentication
- External email warning banners
- Suspicious link blocking
- Email security training simulations
- Privileged access management
Technical controls reduce the attack surface. MFA prevents email account takeover, and the majority of BEC begins with a compromised email account. Email authentication reduces spoofing. External email banners warn workers about external senders. Phishing simulations train workers to recognize attacks.
Worker training is essential:
Worker training
- Awareness training for all employees
- Specific training for AP, payroll, executives
- Recognition of common schemes
- Verification procedures
- Reporting suspicious emails
- Phishing simulations
- Refresher training
- New employee onboarding
Training builds awareness. High-target roles (AP, payroll, executives) need specific training covering recognition of common patterns, verification procedures, and how to report suspicious emails. Simulations test and reinforce the training. Regular refreshers and onboarding cover new hires. Training is the most effective control.
Cyber insurance considerations:
Cyber insurance
- Coverage for BEC losses available
- Coverage limits often substantial
- Specific BEC sublimit common
- Deductibles substantial
- Required controls (MFA, training)
- Claims process
- Premiums increased recently
Cyber insurance covers BEC losses, typically subject to sublimits. Coverage requires specific controls such as MFA and training. Premiums have increased substantially due to claims experience. The claims process is detailed. Sublimits often run $250K-$1M. Construction companies should review coverage and required controls.
Response procedures:
Response to incidents
- Stop the fraud immediately
- Notify bank for fund recovery
- Time critical — hours matter
- FBI IC3 report
- Internal investigation
- Communication to affected parties
- Insurance notification
- Post-incident review
Discovered fraud requires immediate response. Bank notification can sometimes recall a wire if caught quickly. Time matters: hours, not days. FBI IC3 reports support recovery. Internal investigation determines the breach point. Notify insurance per the policy. Post-incident review identifies prevention improvements.
Business Email Compromise targets construction companies through impersonation of executives, vendors, subcontractors, and others. Common schemes include CEO impersonation, vendor banking change, subcontractor payment redirect, and payroll redirect. Email indicators include look-alike addresses, urgency, and unusual instructions. Verification by phone to a known number stops most fraud. Technical controls (MFA, email authentication, anti-phishing) reduce the attack surface. Worker training is the most effective control. Cyber insurance covers some losses, with required controls. Response procedures matter for fraud recovery. BEC affects construction companies routinely; prevention through controls, training, and culture protects the business. For construction companies handling significant payments, BEC awareness and prevention are essential financial controls.
Written by
Sarah Blake
Head of Product
Former AP Manager at a $200M construction firm, now leads product at Covinly. Writes about what AP teams actually need from automation — beyond the marketing promises.