The Australian Cyber Security Centre (ACSC) has issued a high alert for construction companies and their customers in Australia after the discovery of a dangerous new email scam. 

ACSC has reported that, in the past six months, there has been an increase in cybercriminals targeting builders and construction companies to conduct business email compromise (BEC) scams within Australia.

In a BEC scam, cybercriminals send fraudulent emails posing as a legitimate business. These emails typically target the customers of the business and will ask them to change bank account details for future invoice payments. Victims assume this request is legitimate and send invoice payments to a bank account operated by the scammer.
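To show how the payee-change request at the heart of this scam can be screened on the receiving side, here is an added example (not code from ACSC or Tesserent). It assumes a constructed supplier register keyed by email domain with the BSB and account number verified out of band, flags emails that ask for bank details to be changed, and treats senders whose domain is a near-miss of a registered supplier as a suspected BEC attempt; any payee change from a known domain is still sent for phone verification, since a legitimate domain can be spoofed.

```python
import re
from email.utils import parseaddr

# Constructed supplier register: bank details on file, verified out of band.
# Domain and numbers are placeholders, not real businesses.
SUPPLIERS = {
    "acme-builders.example": {"bsb": "062-000", "account": "12345678"},
}

# Phrases typical of a request to redirect invoice payments.
BANK_CHANGE = re.compile(
    r"(new|updated|changed?)\s+(bank|account|bsb|payment)\s+details?"
    r"|please\s+(update|change).{0,40}(bank|account)", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_invoice_email(sender, body, suppliers=SUPPLIERS):
    """Return findings for one inbound email. 'verify' means phone the supplier
    on a number already on file before changing any payee details."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    findings = {"bank_change_request": bool(BANK_CHANGE.search(body)),
                "known_domain": domain in suppliers,
                "lookalike_of": None, "action": "ok"}
    if not findings["known_domain"]:
        for known in suppliers:
            # Distance 1-2 catches swapped, dropped or substituted characters.
            if 0 < edit_distance(domain, known) <= 2:
                findings["lookalike_of"] = known
    if findings["bank_change_request"]:
        # Every payee change is verified out of band; an unknown or lookalike
        # sender making that request is escalated as a suspected BEC attempt.
        findings["action"] = ("verify" if findings["known_domain"]
                              else "suspected_bec")
    return findings

if __name__ == "__main__":
    # Constructed sample: a lookalike domain asking to change bank details.
    print(assess_invoice_email(
        "accounts@acme-bui1ders.example",
        "Please note our new bank details: BSB 033-000 Acc 99999999 for invoice 4471."))
```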

According to Michael McKinnon, chief information officer at Australia’s largest ASX-listed cybersecurity company, Tesserent, the Australian construction and manufacturing industries are among the most vulnerable and most targeted sectors for cybercriminals.

“Australia’s construction industry is highly vulnerable not only to BEC scams, but also to phishing and ransomware attacks. This is a result of years of neglect in IT spending in the sector.

“Construction companies have frequently underestimated the importance of investing in technology and now many are exposed through outdated technologies running in their business and their reliance on less sophisticated managed service providers,” he says.

Mr McKinnon reports that cybercriminals have worked out that construction companies are ripe for the picking for an email scam, with bad actors attracted by the high volumes of money that change hands in the sector.

“Attackers know that large invoices worth thousands to millions of dollars regularly change hands and they want a piece of that pie. Whether it’s through fraud, scams, changing invoice details, fake supplier information – they’re targeting attacks to try and intercept payments,” he said.

“Construction companies need to urgently review their technology systems and cybersecurity defences and train staff on how to detect and report fraudulent emails.”