How Cyber Criminals Are Targeting Construction Firms
Originally Published by: Builder Online — September 23, 2025
A construction company wires $1.2 million to pay a bill. The invoice looks right. The sender’s address matches. The amount is exactly what they expected. It’s all pretty routine. A junior accountant updates the account details and clicks send.
Within seconds, the payment bounces across 25 different accounts around the globe before vanishing forever. Over a million dollars stolen in the blink of an eye.
This isn’t a scene from a new heist movie. It’s a real-world scenario that played out for a client of The Baldwin Group, one of the largest insurance brokerages in the U.S. It’s also a stark example of how the definition of jobsite risk is being rewritten. For generations, builders have focused on tangible threats like stolen lumber, equipment damage, and workplace injuries. While those risks haven’t gone anywhere, a new and more insidious type of fraud has emerged, targeting the information and money that flows through every modern construction project.
“There are 16-year-old hackers sitting in basements in different places around the world, and they are getting much more sophisticated,” says Joseph Charczenko, partner and regional president at The Baldwin Group. “From an IT tech perspective, when they’re competing with a 45-year-old contractor in Tuscaloosa, that 16-year-old is going to win every time.”
Fraud is no longer just about what happens inside the fence line. It’s about what happens inside your inbox, your software, and your bank account.
The Art of Digital Deception
The most effective digital attacks succeed because they exploit the normal, day-to-day operations of a construction business. While almost everyone is now familiar with basic email phishing, a newer and more dangerous scheme called Business Email Compromise (BEC) is on the rise, and it’s often executives who are targeted.
“Business Email Compromise is a little bit more sophisticated in that the threat actor will get into someone’s email,” says Emily Selck, senior director and national practice leader of cyber strategy at The Baldwin Group. “They’ll sit in there for sometimes 60 or 90 days, just monitoring what that person talks about.”
During this surveillance phase, the attacker learns an executive’s communication style, key contacts, and payment schedules. They can create rules within the email client, such as automatically forwarding copies of messages or moving specific emails to obscure folders, to hide their activity from the user. Once they have a handle on the business and its rhythms, they strike. “They’ll start firing off emails on behalf of the executive,” Selck says. “That can target employees, that can target external parties, that can target whomever they think they could have some sort of financial gain from.”
This is how a legitimate-looking invoice for $1.2 million ends up with fraudulent wiring instructions. The attacker, having monitored the correspondence, knows exactly when the payment is due and who to impersonate. To an unsuspecting accountant, the request appears completely authentic.
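As an added example (not part of the original article), here is a minimal audit that flags the two mailbox-rule behaviors described above: forwarding copies to outside addresses and moving mail into rarely opened folders. The rule records, field names, domains, and folder list are constructed for illustration and do not match any particular mail platform's export format.

```python
# Added example: audit mailbox rules for signs of a hidden intruder.
# All field names and sample records below are constructed assumptions.
INTERNAL_DOMAINS = {"builder.example"}          # assumption: the firm's own mail domain
HIDING_FOLDERS = {"rss feeds", "conversation history", "junk email", "deleted items"}
FINANCE_TERMS = {"invoice", "wire", "payment", "remittance", "bank"}

SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "cfo@builder.example", "name": "Newsletters", "forward_to": [],
     "move_to_folder": "Newsletters", "keywords": ["unsubscribe"], "delete": False},
    {"mailbox": "cfo@builder.example", "name": ".", "forward_to": ["drop@mail.invalid"],
     "move_to_folder": None, "keywords": [], "delete": False},
    {"mailbox": "ap@builder.example", "name": "..", "forward_to": [],
     "move_to_folder": "RSS Feeds", "keywords": ["Invoice", "wire"], "delete": False},
]

def external_recipients(rule):
    """Return forwarding targets whose domain is not one of ours."""
    return [addr for addr in rule.get("forward_to", [])
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def rule_findings(rule):
    """Classify one rule; an empty list means nothing suspicious was seen."""
    findings = []
    if external_recipients(rule):
        findings.append("external_forward")
    folder = (rule.get("move_to_folder") or "").strip().lower()
    hides = folder in HIDING_FOLDERS or bool(rule.get("delete"))
    if hides:
        findings.append("hides_messages")
    # Payment-related keywords matter only when the rule also hides or leaks mail.
    keywords = {k.lower() for k in rule.get("keywords", [])}
    if findings and keywords & FINANCE_TERMS:
        findings.append("targets_finance_mail")
    return findings

def audit(rules):
    """Return (mailbox, rule name, findings) for every rule worth reviewing."""
    report = []
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report.append((rule["mailbox"], rule["name"], findings))
    return report

if __name__ == "__main__":
    for mailbox, name, findings in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} -> {', '.join(findings)}")
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise by itself.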
Another common cyber attack is ransomware. Here, the attackers are hijacking a company’s ability to operate. “We just had a client that had a $10 million ransom demand, and it took them a week and a half to get their systems back,” Charczenko says. “It’s taken them a solid two months to recreate parts of the system that they couldn’t recreate even once they finalized negotiations.”
The indirect costs of a ransomware attack, including project delays, reputational damage, and loss of client confidence, are often far greater than the ransom itself. “The disruption to the business can’t ever fully be recouped,” Charczenko says. “If you don’t have a great defense around how you prevent those things from happening, the insurance piece almost doesn’t matter.”
When Your Own Tech Turns Against You
As builders adopt more technology to improve efficiency and safety, they can also open new doors for digital threats. Drones, wearable sensors, and smart building systems, while powerful tools, can also be points of vulnerability.
This connectivity means everyone involved in a project, from the developer down to a subcontractor, can be an unwitting gateway for a larger attack. The infamous 2013 Target data breach, which compromised the data of millions of customers, was initiated through a connection established by one of its HVAC vendors. “Probably the biggest misconception with builders is that they don’t think they’re exposed, that they’re not a target,” Selck says. “We’re just not finding that’s the case.”
The rise of artificial intelligence adds another layer of complexity. While AI powers better security tools, it also lowers the technical barriers for criminals. “AI is helping any hacker write code. It’s helping them walk through the entire process,” Selck says.
These aren’t targeted attacks against specific companies either. They’re automated searches for vulnerabilities, with successful breaches often surprising even the attackers.
The ways that social engineering is being used to manipulate and deceive are also growing more advanced. Criminals now target tools like Microsoft Teams and Slack. They’ve used deepfake voices in calls. One tactic involved criminals messaging through Teams, asking about vacations they know someone took based on out-of-office messages they’ve read. The schemes are constantly evolving as security teams play catch-up. “The threat actors are typically a couple steps ahead of where we are,” Selck says.
The irony is that the best defense against these sophisticated schemes is surprisingly low-tech. “There’s so many times where the transfer of funds, the transfer of goods, the transfer of whatever it is, can be prevented just because somebody picked up the phone,” Selck says. “We can’t emphasize it enough.”
Traditional Fraud Hasn’t Disappeared
Protecting a company from this new generation of fraud requires a layered defense that combines technology, procedure, and human diligence.
The first and most critical layer is the human one. “Training your employees on what the types of procedures are within your company, especially when you’re transferring funds, is the most critical thing that you could possibly do,” Selck says. “All the security controls in the world won’t fix somebody providing information to the wrong party or clicking on the wrong thing.”
This training must be paired with rigid, specific procedures, especially around who has the authority to change payment information. “The bank accounts don’t change that often. It’s a bit of a pain when they do change, but make sure that you’re verifying with two or three people on both sides that those instructions are correct,” Charczenko says. “If there’s not a multi-step process in place for that, it’s just a huge miss.”
While digital threats escalate, traditional fraud hasn’t disappeared; it has just become more brazen. Charczenko describes cases of people who never worked on a site showing up in a brand-new hard hat and vest, only to stage a slip-and-fall and claim an injury on the jobsite.
“This isn’t like somebody got hurt, and we’re arguing about ‘did they get a bruise, or did they get a sprain?’,” Charczenko says. “This is a situation where this person never worked on the job site, and they’re saying that they did.”
In New York specifically, Charczenko estimates that 50 to 75 percent of worker injury claims are fraudulent.
This underscores the need for what Charczenko calls “site hardening” with perimeter fencing, badging systems, and comprehensive camera surveillance. Equally important is a clear system to follow for documenting everything, even when nothing happens.
“There’s all sorts of examples where nothing happened, but nobody wrote it down. Then, three years later, somebody said something happened,” Charczenko says. Daily journals, digital documentation, and formal accident investigation procedures all become critical when defending against fraudulent claims years later.
Why Cyber Preparedness Is No Longer Optional
The construction industry is at a crossroads. The same technological advances making building more efficient also expose companies to unprecedented risks. The solution isn’t retreating from technology but approaching it with appropriate caution and investment. For companies looking to increase their tech defenses, Selck recommends two key elements: a managed detection and response (MDR) tool backed by a Security Operations Center (SOC) for 24/7 monitoring, and a formal incident response plan.
“The protection that you need to take around tech fraud, cyber fraud, has to increase as the usage increases,” Charczenko says. “We just haven’t seen that happen, particularly with the small to mid-sized builder.”
The constant evolution of these threats means that no one can afford to be complacent. “If there’s one thing that people can take away, it’s that no one is immune from these types of incidents happening,” Selck says. “People are very easily duped.”
If there are finances or financial information involved in any ask, don’t hesitate to go analog. Pick up the phone, or speak in person. In an age of deepfakes and AI-powered scams, hearing a familiar voice on a known phone number is now the gold standard of verification.
For an industry built on trust, handshakes, and reputation, adapting to assume every email is suspicious feels foreign. However, the cost of maintaining old habits in a new threat landscape can be devastating.
Navigating this complex risk environment is where specialized partners are essential. It’s why firms like The Baldwin Group, who advise builders on these exact threats, now see a comprehensive cyber insurance policy as a necessity, providing critical resources in the event of a breach.
“Even if you’re not buying the insurance,” Charczenko says, “investing in the protection is as important.”