Phishing and business email compromise scams in construction
Phishing attacks and business email compromise (BEC) scams rank among the most prevalent and financially devastating cyber incidents affecting UK construction businesses. A single email can wreak financial and operational havoc in construction firms.
Both phishing and BEC rely on social engineering and weak security controls, and their impact can be substantial, affecting not just the company’s bottom line but also project delivery, staff morale and client relationships. Here, we explore the reasons behind their severe impact and outline proactive measures you can implement to guard against them.
Phishing attacks: leading to bigger breaches
In a sector where site workers and office teams operate multiple systems and devices, the phishing risk is amplified. Phishing is often the first step in a broader attack. Criminals send emails purporting to be from colleagues, clients or suppliers to get recipients to unwittingly click on malicious links or enter login credentials.
A mid-sized civil engineering firm based in the West Midlands fell victim to a phishing attack when a criminal impersonating a site manager requested urgent access to drainage layout plans. The email contained a link to a fake Microsoft 365 login page. A junior project administrator, working remotely, entered their credentials.
The attacker accessed the company’s shared project drive. Sensitive documents including project bids, environmental reports and subcontractor details were downloaded and appeared for sale on a dark web forum. Beyond the immediate costs of incident response, legal advice and temporary IT security upgrades, the firm suffered severe delays in planning meetings and project timelines.
Construction firms should focus on a combination of user awareness, system hardening and preventative technology, including:
- multi-factor authentication;
- AI-powered email filtering;
- role-specific training;
- phishing email simulations sent internally to train staff to spot a scam;
- suspicious email response protocols;
- access review of shared drives.
Business email compromise (BEC): high-value deception
BEC attacks involve criminals either spoofing or compromising legitimate business email accounts to manipulate financial transactions. These scams are highly targeted and often occur just before payment deadlines.
A London-based commercial contractor with over £100 million annual turnover suffered a BEC attack after a senior quantity surveyor’s email was compromised. The attacker monitored emails for three weeks before sending an urgent request to the finance team to update a supplier’s payment details, timed just before a £2.6 million monthly disbursement. The fraudulent payment was processed and only discovered when the genuine supplier followed up a week later.
The financial loss was compounded by severe operational delays, frozen procurements, stalled developments and subcontractors demanding additional guarantees of payment security.
BEC scams can be prevented by strengthening both process integrity and digital controls, such as:
- segregation of duties;
- verification of payment requests;
- secure executive accounts;
- finance control policy;
- executive security workshops;
- fraud response plan.
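The segregation-of-duties and payment-verification controls above can be written down as a finance-team procedure. The model below is an added example, not the contractor's process or any product's code: a supplier bank-detail change is applied only after a callback to the telephone number held on file from onboarding (never one quoted in the request) and two approvals from people who are neither the requester nor the verifier. Supplier names, phone numbers and account strings are constructed placeholders, and the two-approver threshold is an assumption.

```python
"""Supplier bank-detail change control: the request is applied only after an
out-of-band callback to the number already on file and approval by two people
who are neither the requester nor the verifier. Added example; supplier names,
phone numbers and account strings are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Supplier:
    name: str
    account: str
    phone_on_file: str  # captured at onboarding, never taken from a change email


@dataclass
class ChangeRequest:
    supplier: str
    new_account: str
    requested_by: str                  # may be a compromised mailbox, so never trusted alone
    status: str = "pending"            # pending -> verified -> applied, or rejected
    verified_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


class PaymentControls:
    def __init__(self, suppliers: List[Supplier], approvals_required: int = 2):
        self.suppliers: Dict[str, Supplier] = {s.name: s for s in suppliers}
        self.approvals_required = approvals_required  # assumption: dual approval

    @staticmethod
    def _refuse(req: ChangeRequest, reason: str) -> bool:
        """Decline this action without deciding the request (wrong order, wrong person)."""
        req.log.append("refused: " + reason)
        return False

    @staticmethod
    def _reject(req: ChangeRequest, reason: str) -> bool:
        """Close the request as suspected fraud; the fraud response plan takes over."""
        req.status = "rejected"
        req.log.append("rejected: " + reason)
        return False

    def verify_callback(self, req: ChangeRequest, verifier: str,
                        number_dialled: str, supplier_confirmed: bool) -> bool:
        """Out-of-band check: phone the number on file and record the supplier's answer."""
        sup = self.suppliers[req.supplier]
        if req.status != "pending":
            return self._refuse(req, f"cannot verify a request in state {req.status}")
        if verifier == req.requested_by:
            return self._refuse(req, "verifier must be a different person from the requester")
        if number_dialled != sup.phone_on_file:
            return self._refuse(req, "callback must use the number on file, not one quoted in the request")
        if not supplier_confirmed:
            return self._reject(req, "supplier did not recognise the change")
        req.status, req.verified_by = "verified", verifier
        req.log.append(f"verified by {verifier} by phone to {number_dialled}")
        return True

    def approve(self, req: ChangeRequest, approver: str) -> bool:
        """Independent approval: not the requester, not the verifier, not a repeat."""
        if req.status != "verified":
            return self._refuse(req, f"approval before verification (state {req.status})")
        if approver in (req.requested_by, req.verified_by) or approver in req.approvals:
            return self._refuse(req, f"{approver} cannot approve: segregation of duties")
        req.approvals.append(approver)
        req.log.append(f"approved by {approver}")
        return True

    def apply(self, req: ChangeRequest) -> bool:
        """Only a verified request with enough independent approvals changes the record."""
        if req.status != "verified" or len(req.approvals) < self.approvals_required:
            return self._refuse(req, "needs verification and independent approvals")
        self.suppliers[req.supplier].account = req.new_account
        req.status = "applied"
        req.log.append("bank details updated")
        return True


if __name__ == "__main__":
    # Constructed walk-through: an emailed change request handled under the controls.
    ctl = PaymentControls([Supplier("Midland Aggregates Ltd", "GB00 PLACEHOLDER OLD", "+44 121 000 0000")])
    req = ChangeRequest("Midland Aggregates Ltd", "GB00 PLACEHOLDER NEW", "qs.senior")
    ctl.verify_callback(req, "ap.clerk", "+44 121 000 0000", supplier_confirmed=False)
    print(req.status, req.log)
```

The point of the model is that the compromised mailbox (the requester) cannot advance its own request at any step: it cannot verify, cannot approve, and the callback number is taken from the supplier record rather than from the message, so a fraudster who supplies "updated" contact details along with the new account gains nothing.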
In addition to process-based control, construction firms should consider cyber security-specific technical mitigating actions to strengthen their defences, including:
- secure email infrastructure;
- advanced access control;
- continuous monitoring & training.
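The email filtering and suspicious-email response protocol listed under phishing, and the secure email infrastructure and continuous monitoring items above, come down to checks that can be run on each inbound message. The script below is an added example, not code from this article or from any mail product: it scores a message on a lookalike sender domain, a Reply-To that diverges from the sender, failed SPF/DKIM/DMARC results in the Authentication-Results header, a link to a sign-in page outside the firm's tenant, and urgency wording. The domain example-civils.co.uk, the trusted login host set, the scoring weights and thresholds are assumptions, and the sample message is constructed to resemble the site-manager lure described earlier.

```python
"""Triage an inbound email against the signals a suspicious-email response
protocol checks: lookalike sender domain, Reply-To mismatch, failed SPF/DKIM/
DMARC results, a credential-harvesting link and urgency wording. Added
example: domains, headers and the message are constructed, not from any real
incident, and the scoring weights are an assumption."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example-civils.co.uk"                    # assumption: the firm's own domain
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}    # where staff genuinely sign in
URGENCY = ("urgent", "immediately", "today", "asap")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def normalise(domain: str) -> str:
    """Fold characters commonly swapped in lookalike domains onto one form."""
    d = domain.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("i", "l")):
        d = d.replace(a, b)
    return d


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, own: str = OUR_DOMAIN) -> bool:
    """True for a domain that imitates ours but is not ours."""
    domain = domain.lower()
    if domain == own:
        return False
    return normalise(domain) == normalise(own) or levenshtein(domain, own) <= 2


def _domain(address_header) -> str:
    return parseaddr(str(address_header or ""))[1].rpartition("@")[2].lower()


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_content() for p in parts if p.get_content_type() == "text/plain")


def triage(raw: bytes) -> dict:
    """Return a score, a verdict and the human-readable findings behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, score = [], 0
    from_dom = _domain(msg.get("From"))
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} imitates {OUR_DOMAIN}")
        score += 4
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points at {reply_dom}, not {from_dom}")
        score += 2
    auth = str(msg.get("Authentication-Results") or "").lower()
    failed = [f"{m}={r}" for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)
              if r in ("fail", "softfail", "permerror")]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))
        score += 3
    text = str(msg.get("Subject") or "") + "\n" + _body_text(msg)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        internal = host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)
        if re.search(r"login|signin|verify|password", url.lower()) \
                and host not in TRUSTED_LOGIN_HOSTS and not internal:
            findings.append(f"credential-harvest link on {host}")
            score += 4
    if any(w in text.lower() for w in URGENCY):
        findings.append("urgency wording")
        score += 1
    verdict = "quarantine" if score >= 5 else "review" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: a lure in the style of the site-manager request described earlier.
SAMPLE = b"""\
From: "Dave Morris (Site Manager)" <d.morris@example-civi1s.co.uk>
Reply-To: plans.request@mail-relay.example
To: projects.admin@example-civils.co.uk
Subject: URGENT: Phase 2 drainage layouts needed today
Authentication-Results: mx.example-civils.co.uk; spf=fail smtp.mailfrom=example-civi1s.co.uk; dkim=none; dmarc=fail header.from=example-civi1s.co.uk
Content-Type: text/plain; charset=utf-8

Please sign in and share the Phase 2 drainage layouts immediately:
https://login-m365.example-civi1s.co.uk/signin?user=projects.admin
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The individual checks are deliberately cheap so they can run on every message; a gateway that already enforces a DMARC reject policy for the firm's own domain removes the exact-spoof case, and this logic catches the lookalike-domain and Reply-To tricks that DMARC does not cover. The verdict feeds the response protocol: "quarantine" goes to the security contact, "review" prompts the recipient to confirm by phone before acting.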
Help from the experts
The construction sector’s complex supply chains, urgent payment cycles and hybrid working environments make it a prime target. If you would like a thorough review of your construction company’s cyber security practices or support in building a resilient defence against phishing and BEC, get in touch with our cyber security experts.