As updated statistics from the FBI's Internet Crime Complaint Center show, business email compromise (BEC) schemes increasingly put funds transfers at risk. Between June 2016 and December 2021, reported exposed dollar loss associated with BEC schemes was greater than $43 billion.

The FBI has previously warned construction companies about cyber actors impersonating construction companies to conduct BEC schemes.

Now more than ever, construction companies must implement controls to recognize and prevent BEC scams and safeguard their fund transactions.

What is the BEC threat?

A BEC scam targets businesses and individuals performing wire transfer payments. The email account compromise (EAC) part of BEC targets individuals who perform wire transfer payments.

The BEC scam is often carried out when a cyber actor compromises legitimate business email accounts through social engineering or computer intrusion. The result is an unauthorized transfer of funds.

The FBI has observed cyber actors impersonating construction companies to conduct BECs to defraud entities with whom the construction companies are involved in large-scale projects. Cyber actors consult various publicly available sources to collect information on construction companies or the entities with which they do business. Armed with information such as project costs, bidder information, and party contact information, the cyber actors can craft fraudulent messages specific to those relationships.

Cyber actors also register domains deceptively similar to the legitimate construction company's domain, and then use these "spoofed" domains to create email accounts and send fraudulent emails containing a request to update automated clearing house (ACH) or direct deposit account information. If the employee who receives the fraudulent email does not recognize the issue and updates the payment information as requested, the new payments will be sent to an account set up by the scammer, potentially costing the company thousands to millions of dollars in fraudulent transactions.

Addressing the BEC Threat

Construction companies can take several steps to address the threats presented by a BEC scam:

  • Verify all payment changes and transactions in-person or via a known, established telephone number. Continue to ensure contact information is current and updated.
  • Carefully check email addresses for slight changes that can make fraudulent addresses appear legitimate and resemble actual companies' names.
  • Implement robust approval procedures for vetting account change requests to prevent monetary losses.
  • Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
  • Educate employees on BEC scams, including preventive strategies such as how to identify phishing emails and how to respond to suspected compromises.
  • Notify customers about BEC threats and the mitigation measures your company is taking, such as notifying customers of internal processes for changing or updating ACH banking information.

Security is an ongoing process

The pace of change in computer technology and communications can be bewildering. However, identifying and understanding the risks to payment information, and the tools available to construction companies to address those risks, help make this ever-evolving process more manageable.

Originally published 13 June 2022
