Description of Threat
An increasing incidence of cyber fraud targeting the construction industry has come to our attention through law enforcement channels. The typical scenario observed involves cyber actors impersonating construction companies in order to divert contract payments on public and private construction projects. These schemes, a general overview of which follows, are commonly referred to as Business Email Compromises or “BECs.”
Through information obtained via the internet, the cyber criminals learn of specific construction projects, the parties involved, and in some cases the amount and other relevant contract details. The cyber criminals typically will register an internet domain that is very similar to the legitimate construction company involved (“spoofing”), perhaps adding an appellation such as “Inc.” or “Group,” or in some cases simply changing a single character. Typically, the emails will include the legitimate company’s logo and signature line. In certain cases the cyber fraudsters will then proceed to send one or more preliminary emails from the fraudulent email domain to the public or private owner, the general contractor or other client of the impersonated contractor in order to gain further information regarding the payment process and other particulars. Next, using the information they have obtained over a period of weeks or months, the cyber fraudsters send an email from the fraudulent domain to the contractor’s client requesting a change in ACH wire instructions or direct deposit account information. In some schemes, fraudulent invoices have been attached to the email requesting that the invoiced payment be directed to a specific bank account. Where the targeted payor believes the communication is legitimate and complies with the fraudulent payment instructions, the fraud is typically not discovered until the legitimate contractor contacts them inquiring about the now overdue payment.
Recent Cyber Fraud Incidents
- A funds disbursement agent utilized by contract sureties received a disbursement package from a contractor in response to a notification of a deposit that the disbursement agent had issued to the contractor for a specific construction project. The disbursement package requested changes to the contractor’s remittance information, was made with added urgency, and requested that the payment be made by wire rather than by check, as had been the past practice. When the disbursement agent declined to issue the payment by wire, the contractor persisted aggressively through email requests. The contractor’s requests originated from its actual email account, contained the entire disbursement package in the correct format, and were timely with respect to the deposit the disbursement agent had just received from the owner.
Fortunately, the disbursement agent contacted the contractor by cell phone to verbally verify. The contractor stated that he had no idea what requests the funds disbursement agent was referring to, had not submitted anything to the funds disbursement agent, and wasn't even aware of the deposit.
Further investigation revealed that cyber fraudsters had gained access to the contractor’s system, then proceeded to monitor the communications between the contractor and the disbursement agent for an unknown period of time before flagging emails from the disbursement agent as SPAM. The cyber criminals were then able to conduct the fraudulent communications back and forth with the disbursement agent without the contractor’s knowledge, until the telephone discussion with the disbursement agent disclosed the scam prior to any funds being transferred.
- In another recent scheme, a school district received a fraudulent email purporting to be from a construction company with whom the school district had contracted to build outdoor sports fields. The email attached an invoice that appeared to be from the construction company and requested that a progress payment in the amount of $356,000 be wired to a specified account. The school district complied with the payment request and only became aware of the fraudulent nature of the email when the actual construction company contacted them about the overdue payment. The FBI was notified and was able to recover a portion of the funds.
Suggested Protections Against Malicious Emails
Though by no means an exhaustive list, below are some measures that can be taken to help prevent your company from becoming a target of fraudulent schemes like those described above:
- Consider the use of a domain protection service to notify you when domains similar to your company’s are registered.
- Verify all changes in payment instructions in person or via a known, established telephone number and request that your clients do so as well.
- Implement strict protocols within your company for executing account changes.
- Carefully check all email addresses and compare to the verified email address for the parties with whom you are dealing.
- Beware of communications marked urgent or otherwise seeking to pressure you into acting quickly and/or without proper verification.
- Discuss appropriate cyber risk mitigation protection with your insurance agent.
- Have your system administrator enable security features that, for example: 1) block malicious emails, 2) create intrusion detection rules that flag potentially suspicious emails, 3) add a banner identifying emails that originate outside your organization, 4) prevent automatic forwarding of emails to external addresses, and 5) create a rule to flag email communications where the “reply” address is not the same as the “from” address.
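The following script is an added example, written for this bulletin rather than taken from it or from any vendor product, showing how several of the mail-filtering measures above (external-sender banner, reply-to/from mismatch, pressure language around a payment change) and the lookalike-domain pattern described in the threat overview (a single changed character, or an appended word such as “Inc.” or “Group”) can be checked programmatically against an inbound message. The company domain `example-builders.com`, the verified vendor address `ap@northfield-construction.com`, the list of suffixes, the keyword patterns and the sample message are all constructed assumptions; a real deployment would load the verified contacts from the accounts-payable master file and run the check at the mail gateway or in the ticketing step that precedes any remittance change.

```python
"""Inbound email triage for Business Email Compromise indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-builders.com"                     # assumed: the recipient's own domain
VERIFIED_CONTACTS = {"ap@northfield-construction.com"}  # assumed: addresses confirmed by phone
LOOKALIKE_SUFFIXES = ("inc", "group", "llc", "co")      # words fraudsters append to a real name
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(ach|wire|remittance|bank account|routing|direct deposit)\b", re.I)


def levenshtein(a, b):
    """Edit distance: one character changed, added or dropped gives a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """'northfield-construction.com' -> 'northfield-construction' (naive; no public-suffix list)."""
    return domain.lower().rsplit(".", 1)[0]


def is_lookalike(candidate, known):
    """True when candidate is one edit away from known, or known plus an appended suffix word."""
    if not candidate or candidate.lower() == known.lower():
        return False
    c, k = registrable_label(candidate), registrable_label(known)
    if levenshtein(c, k) == 1:
        return True
    c_flat, k_flat = re.sub(r"[-_]", "", c), re.sub(r"[-_]", "", k)
    return any(c_flat == k_flat + suffix for suffix in LOOKALIKE_SUFFIXES)


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of indicator strings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    findings = []
    if from_domain and from_domain != OUR_DOMAIN:
        findings.append("external sender")                       # measure 3: banner
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to domain differs: {reply_addr}")  # measure 5
    for known in VERIFIED_CONTACTS:
        known_domain = known.rsplit("@", 1)[1]
        if is_lookalike(from_domain, known_domain):
            findings.append(f"lookalike of verified domain {known_domain}")
    text = (msg.get("Subject", "") or "") + "\n" + body_text(msg)
    if PAYMENT_CHANGE.search(text):
        findings.append("payment instruction change requested")  # measure: verify by phone
        if PRESSURE_WORDS.search(text):
            findings.append("pressure language with payment change")  # measure: beware urgency
    return findings


# Constructed sample: a spoofed domain with "-inc" appended to the real vendor's name.
SAMPLE = """\
From: "Northfield Construction AP" <ap@northfield-construction-inc.com>
Reply-To: billing@northfield-construction-inc.com
To: accounts@example-builders.com
Subject: URGENT - updated remittance for progress payment #4

Our bank account has changed. Please wire today using the new routing number attached.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

The script reports indicators rather than blocking mail; the intended use is to route any message that trips the “payment instruction change” indicator into the in-person or known-telephone-number verification step recommended above, regardless of how legitimate the sender appears. The suffix check strips hyphens before comparing so that `northfield-construction-inc.com` and `northfieldconstructioninc.com` are both caught, and the registrable-label function is deliberately naive (it does not consult a public suffix list), so two-level TLDs such as `.co.uk` would need a small extension.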