Construction Industry targeted by Cyber Criminals

Cybercriminals are targeting construction companies to conduct business email compromise scams(BEC’s). All parties to construction projects should be vigilant when emailing about invoices and bank details.

By Davichi Cyber Team

Security alert banner with red lasers and a vault door

Our friends at the ACSC (Australian Cyber Security Centre) have observed and warned us about a growing phishing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders to conduct business email compromise (BEC) scams within Australia.

The goal of these scammers is to steal money or sensitive information from unsuspecting victims through phishing campaigns, with some examples being fake invoices for payment that are emailed as attachments which actually install malware on your computer if you click it; emails containing bank account details seeking verification so they can transfer funds out of victim’s accounts into theirs; requests for transfers over insecure channels such as Skype message chat instead of using secure banking websites where transactions would be encrypted end-to-end.

Successful phishing threats may go unnoticed for weeks or months until the construction company follows up on missing payments.

Be vigilant against phishing

Phishing (pronounced ‘fishing’) are scams that are made to appear as if they were sent from individuals or organisations you think you know, or you think you should trust. Criminals can steal credentials using phishing techniques and then do further harm, using those compromised credentials to login and send out malicious or fraudulent content to your contacts.

Phishing is not just limited to email. These scams are delivered via SMS, instant messaging and social media, and pretend to be trusted organisations like:

  • State and Territory police or law enforcement
  • utilities such as telecommunications, postal services, power and gas companies
  • banks, and other financial institutions
  • Government departments, such as the Australian Taxation Office, Centrelink and Medicare, or government services such as myGov.

Reputable organisations will not call, SMS or email to verify or update your information. This includes companies such as Amazon, PayPal, Google, Apple and Facebook.

What can you do to protect yourself?

If you have any involvement in any construction projects you need to be vigilant when communicating by email, particularly when discussing bank account details or invoicing.

Some strategies include:

  • Verify payment-related requests: If you receive a request to make a large transfer or to change bank account details, you should verify that the request is legitimate before actioning it. Call the sender’s established phone number or visit them face-to-face before transferring any funds.
  • Secure your email account: It is recommended that construction companies and related businesses use strong passphrases and enable multi-factor authentication on their email accounts.
  • Training and awareness: Ensure that your staff are trained to recognise suspicious emails, including fraudulent bank account changes or requests to check or confirm login details. The latter may be a phishing attack which could compromise account security.

Further advice is available on

If you haven’t already done so, have a read of our blog: What to do if you think you’ve been hacked.

If you would like to discuss any of the the above our Davichi Assure team are happy to have a discussion with you, so reach out  via email: or give us a  phone call on 07 3124 6059.

Need more information?

For more information, Click Contact Us, or call us on +61 7 3124 6059 and speak to a Davichi Representative Today!

Latest News

Lets Talk

Please fill in this form, and our sales team will get back to you as soon as possible.