First published: 06 Jul 2021
Last updated: 06 Jul 2021


The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has observed a growing trend affecting construction companies and their customers. In the past six months there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.

In a BEC scam, cybercriminals will send fraudulent emails posing as a legitimate business. These emails typically target the customers of the business and will ask them to change bank account details for future invoice payments. Victims assume this request is legitimate and will then send invoice payments to a bank account operated by the scammer.

These fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to those of legitimate companies (typically by swapping letters or adding extra characters). At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal.
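A defensive check for the lookalike-domain trick described above, added here as an example and not part of the ACSC advisory: it compares a sender's domain against a list of partners the business genuinely deals with, flagging letter swaps, extra characters and embedded partner names. The trusted-domain list and the sample addresses are constructed.

```python
# Added example, not code from the ACSC advisory: flag sender domains that
# imitate a trusted partner's domain by letter swaps, extra characters or
# substitutions. Trusted domains and sample addresses are constructed.
from email.utils import parseaddr

# Constructed allowlist of partners this business legitimately invoices with.
TRUSTED_DOMAINS = ("acmebuilders.example", "harbourplumbing.example")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions ('swapped letters') each cost one edit."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify_sender(header_from: str, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or
    ('unknown', domain) for the address in a From: header."""
    _, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for t in trusted:
        # A small edit distance covers swaps, typos and a few added characters.
        if edit_distance(domain, t) <= max_edits:
            return ("lookalike", t)
        # Trusted name embedded in a longer domain (e.g. a suffix bolted on).
        name = t.split(".")[0]
        if len(name) >= 6 and name in domain:
            return ("lookalike", t)
    return ("unknown", domain)
```

A "lookalike" result is a prompt to verify the request out of band, as the advisory recommends, not proof of fraud on its own.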

Successful BECs may go unnoticed for weeks or months until the construction company follows up on missing payments.

Mitigation

All parties to construction projects should be vigilant when communicating by email, particularly when discussing bank account details or invoicing.

Other mitigation strategies include:

  • Verify payment-related requests: If you receive a request to make a large transfer or to change bank account details, you should verify that the request is legitimate before actioning it. Call the sender's established phone number or visit them face-to-face before transferring any funds.
  • Secure your email account: It is recommended that construction companies and related businesses use strong passphrases and enable multi-factor authentication on their email accounts.
  • Training and awareness: Ensure that your staff are trained to recognise suspicious emails, including fraudulent bank account changes or requests to check or confirm login details. The latter may be a phishing attack which could compromise account security.

Further advice on mitigating business email compromise is available on cyber.gov.au:
