The ACSC has issued a medium alert for construction companies and their customers after it observed that in the past six months, there has been a rise in cybercriminals conducting business email compromise (BEC) scams, targeting builders and construction companies within the country.
The ACSC explains that a BEC scam involves cybercriminals sending fraudulent emails posing as a legitimate business.
The emails target customers and will ask them to change bank account details for future invoice payments. Victims tend to assume that the request is authentic, and will then send invoice payments to a bank account owned by the scammer.
The ACSC says these fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to legitimate companies (typically by swapping letters or adding additional characters).
At a quick glance, an email address may look legitimate when it is actually being operated by a cybercriminal. It may even go unnoticed for weeks or months until the construction company follows up on missing payments.
“Australia’s construction industry is highly vulnerable not only to BEC scams, but also to phishing and ransomware attacks,” McKinnon says. “This is a result of years of neglect in IT spending in the sector.”
“Construction companies have frequently underestimated the importance of investing in technology and now many are exposed through outdated technologies running in their business and their reliance on less sophisticated managed service providers,” he notes.
McKinnon reports that cybercriminals know which construction companies are ripe for the picking and are attracted by the high volumes of money that change hands in the sector.
“Attackers know that large invoices worth thousands to millions of dollars regularly change hands and they want a piece of that pie. Whether it's through fraud, scams, changing invoice details, fake supplier information—they’re targeting attacks to try and intercept payments.”
McKinnon concludes: “Construction companies need to urgently review their technology systems and cybersecurity defences and train staff on how to detect and report fraudulent emails.”
The ACSC has laid out mitigation strategies to reduce, or at best prevent, these BEC scams. These include:
Verify payment-related requests: If you receive a request to make a large transfer or to change bank account details, you should verify that the request is legitimate before transacting. Call the sender's established phone number or visit them face-to-face before transferring any funds.
Secure your email account: It is recommended that construction companies and related businesses use strong passphrases and enable multi-factor authentication on their email accounts.
Training and awareness: Ensure that your staff are trained to recognise suspicious emails, including fraudulent bank account changes or requests to check or confirm login details. The latter may be a phishing attack which could compromise account security.