If it feels like your company gets more phishing and payment-scam email than businesses your size in other industries, you're not imagining it. Construction is one of the most-targeted sectors for business email compromise (BEC), and the reason is simple: large sums of money move between owners, general contractors, subcontractors, and suppliers constantly, and a lot of it moves on the strength of an email.
In its 2024 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) attributed about $2.8 billion in reported losses to business email compromise, one of the costliest categories of cybercrime it tracks. (FBI IC3, 2024)
How the scam actually works
The most common version is the payment-change email. An attacker who has been reading email traffic (or just imitating a vendor) sends a message that looks like it's from a supplier or subcontractor: "We've changed banks. Please update our remit-to information for the next draw." The banking details are the attacker's. By the time anyone notices, the wire is gone, and wires are extremely hard to claw back. A related version targets your own staff: a fake email "from the owner" telling accounting to release a payment urgently.
Why contractors get hit more
Three reasons. Payment changes are genuinely routine in construction, so a fraudulent one doesn't stand out. Email addresses are easy to find on bid documents, lien paperwork, and project directories. And field-heavy teams often approve things quickly from a phone, without the second look they'd give at a desk.
What actually stops it
No single tool solves this; it takes a layered setup:
- Email security filtering that catches impersonation, lookalike domains, and known BEC patterns before they reach the inbox.
- Multi-factor authentication (MFA) on every mailbox, so a stolen password alone can't turn into an attacker reading your email for weeks.
- A payment-verification rule everyone follows: any change to banking or remit-to information is confirmed by a phone call to a known number, never a number or link from the email itself.
- Microsoft 365 hardening: conditional access, mailbox rule monitoring, and alerts on suspicious forwarding, which is often the first sign an account is compromised.
- Managed EDR on devices so a click that does slip through doesn't quietly install something worse.
- Staff awareness of payment-change scams, so the person who cuts the check knows to slow down and verify before any money moves.
The technical controls cut the volume dramatically; the payment-verification habit is what saves you on the one that gets through. Both matter.
Part of our guide to IT for construction and trades companies in Northern Virginia. See how Sentry supports construction and trades, or book a free assessment.