A mid-size general contractor in the Southeast gets an email from what appears to be their concrete supplier. Invoice attached, slightly different bank account than usual. The project manager pays it — they’re buried in a deadline and the amount looks right.

$85,000 gone. The real supplier never sent that email.

Business email compromise targeting construction companies has become one of the most common and damaging cyber threats in the industry. But it’s not the only one.

Why Construction Is a Tier-1 Target

IBM’s X-Force 2026 Threat Intelligence Index ranked manufacturing and construction as the most-attacked sector for the fifth consecutive year, accounting for 27.7% of all incidents tracked. The reasons are structural.

High-value transactions happen constantly. Construction moves serious money — subcontractor payments, material orders, equipment leases. Every transaction is an opportunity for wire fraud.

Multiple parties communicate over email. A typical commercial project involves the GC, 10-20 subcontractors, suppliers, architects, engineers, and the owner — all exchanging invoices, change orders, and payment instructions over email. That complexity creates attack surface.

Cybersecurity investment is low. Construction firms of all sizes tend to underinvest in security compared to industries like finance or healthcare. Small and mid-size contractors often have no dedicated IT staff.

Project data is valuable. Architectural drawings, bid documents, contracts, and subcontractor agreements contain sensitive business intelligence worth stealing.

4X increase in supply chain attacks since 2020

The Three Attacks Hitting Construction Right Now

Invoice fraud / BEC. An attacker monitors email traffic, waits for a real invoice to be sent, then sends a near-identical email from a spoofed domain with updated payment details. The timing is designed to look routine. Verification by phone — not email — is the only reliable defense.

Ransomware targeting project files. Attackers encrypt CAD files, project management software, and document archives. A construction firm mid-project can’t afford weeks of downtime. Ransom demands in the construction sector average $1.2M.

Supply chain compromise. IBM found large supply chain and third-party breaches have quadrupled since 2020. For construction, this means software vendors, estimating tools, and project management platforms used across the industry are increasingly the entry point.

What to Do

// CONSTRUCTION CYBERSECURITY CHECKLIST

  • Verify every payment instruction change by phone — call the supplier directly using a number you already have, not one in the email
  • Train project managers and accounting staff to recognize invoice fraud — it's the highest-risk role in your company
  • Enable MFA on email accounts — especially anyone who handles payments or project communications
  • Back up project files, CAD drawings, and contracts daily to an isolated location
  • Audit your subcontractor and supplier email domains — one letter off is a red flag
  • Limit who can authorize wire transfers — require dual approval for amounts over a set threshold
  • Review cyber insurance coverage — confirm it covers ransomware and wire fraud

The Phone Call That Saves You

The single most effective defense against BEC and invoice fraud in construction is a callback policy: any change to payment instructions requires a live phone call to a verified number before the payment is made.

This policy costs nothing to implement. It requires no software. It doesn’t slow down your operation in any meaningful way. And it stops nearly every BEC attack cold, because the attacker has no way to answer your call.

Make it a written policy. Make it non-negotiable. Make sure every project manager and accounting staff member knows it applies to every payment change, every time.

Construction Industry Cybersecurity Survival Guide

Our Amazon book covers the cyber threats targeting contractors and construction firms — ransomware, BEC, invoice fraud, and how to protect your projects, payroll, and reputation.

View on Amazon →