Cybercriminals are targeting construction companies to conduct business email compromise scams. All parties to construction projects should be vigilant when emailing about invoices and bank details.
The ACSC has observed a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.
In a BEC scam, cybercriminals will send fraudulent emails posing as a legitimate business. These emails typically target the customers of the business and will ask them to change bank account details for future invoice payments. Victims assume this request is legitimate and will then send invoice payments to a bank account operated by the scammer.
These fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to those of legitimate companies (typically by swapping letters or adding extra characters). At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal.
Successful BECs may go unnoticed for weeks or months until the construction company follows up on missing payments.
All parties to construction projects should be vigilant when communicating by email, particularly when discussing bank account details or invoicing.
Other mitigation strategies include:
Further advice on mitigating business email compromise is available on cyber.gov.au: