Between 2023 and 2024, cyberattacks on construction companies surged and now account for 6% of all incidents Kroll responds to, according to its latest Cyber Threat Landscape report. The rise in attacks may be linked to the way the industry operates: teams juggle multiple vendors, often work remotely via mobile devices, and are under pressure to meet tight deadlines—sometimes at the expense of security. This combination creates a perfect storm for cybercriminals.
Why Construction Companies Are a Target
Business Email Compromise (BEC) is the leading method hackers use to infiltrate these companies. BEC attacks—where fake emails trick employees into revealing sensitive information or making unauthorized payments—account for 76% of cyber incidents in the construction industry, according to Kroll. These emails often mimic document-signing requests or invoices, making them appear legitimate.
Here’s why smaller construction companies are particularly vulnerable:
- Numerous Vendors: Construction companies typically collaborate with a wide range of suppliers, each a potential weak link. If a hacker gains access to a vendor’s email, they can send convincing fake invoices, duping companies into transferring money to the hacker’s account. With multiple vendors, the risk multiplies.
- Mobile Accessibility: Construction workers are always on the move, relying on mobile devices to sign into accounts and stay in touch. This convenience comes with a downside—mobile devices are often less secure than traditional desktops or laptops, making them easier targets for attackers.
- High-Pressure Environment: In construction, delays can be costly. This urgency means employees might rush through invoice approvals or transactions without thoroughly checking their legitimacy—a vulnerability that hackers are all too eager to exploit.
Your Industry Could Be Next
It’s not just construction companies that are facing increased threats. Small manufacturing firms, higher education institutions, and healthcare providers—businesses that often lack the comprehensive security defenses of larger organizations—are also seeing a spike in cyberattacks.
These industries, much like construction, handle numerous vendors and face tight deadlines, making them attractive targets for BEC and invoice fraud.
How to Defend Against BEC and Invoice Fraud
- Implement Multifactor Authentication (MFA): MFA adds an extra layer of security, making your accounts 99% less likely to be compromised, according to the Cybersecurity and Infrastructure Security Agency. Even if attackers get hold of your login credentials, they can’t access your accounts without a second form of verification, like a mobile device or biometric scan.
- Always Verify Supplier Information: A simple but effective defense is to verify the authenticity of invoices and supplier details. Set up a process where employees must double-check any financial transactions directly with the supplier, using a known and trusted communication method—like a phone call.
- Keep Employees Trained on Common Attacks: Regular training is a cornerstone of strong cybersecurity. Equip your team with the know-how to recognize social engineering and phishing attempts, and stress the importance of following verification protocols. The Information Systems Audit and Control Association recommends cybersecurity training every four to six months—after that, employees may start to forget what they’ve learned.
- Maintain Strong Cybersecurity Practices: Cybercriminals often exploit outdated software to breach systems. Keep your defenses up by ensuring all software is current, and invest in reliable antivirus and anti-malware solutions to detect and prevent attacks before they reach your systems.
You’re a Target, But You Don’t Have to Be a Victim
Small, invoice-heavy industries like construction, manufacturing, and healthcare are increasingly in the crosshairs of hackers. But by understanding the tactics behind these attacks and bolstering your cybersecurity measures, you can shield your business from becoming an easy target. Using MFA, maintaining up-to-date security practices, verifying supplier details, and training your team are key steps in staying safe.
Don’t let cyber threats derail your construction business. Partner with our team, which has over 25 years of experience securing construction companies like yours. Contact us today to book a risk assessment, fortify your defenses, and stay ahead of cybercriminals.