17th August 2020

Case study – Construction firms are a prime target for cyber-attacks

By Aston Lark

With many suppliers in the construction industry now requiring ‘Cyber Essentials’ (a Government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber-attacks) as a minimum requirement, identifying cyber threats and vulnerabilities has become as important as carrying out onsite health and safety risk assessments. Unfortunately, the vast majority of cyber-related insurance claims stem from human error, and no amount of risk management can prevent this. The construction industry is particularly exposed to funds transfer fraud, with invoices between suppliers and subcontractors involved in a project being diverted or intercepted.

CFC describe a real-life example in which criminals swindled a small construction firm out of nearly £95,000 by impersonating a subcontractor. The scam started when an employee received a phishing email purporting to be from Microsoft regarding urgent new security features that needed to be implemented on his Office 365 account. To do so, he had to click on a link to verify his account details and type in his email address and login credentials. By following what he thought was advice from a legitimate source, the employee had in fact been tricked into handing over his details to a fraudster.

With the credentials provided, the criminal could access the employee’s email account and bypass any security measures undetected. After a period of surveillance, monitoring what sort of communication was going to and from the email account, the fraudster spotted an email from a subcontractor working on a project with an invoice attached, and seized the opportunity to strike. The fraudster sent an email to the project manager explaining that the firm had recently changed banks and the previous invoice had mistakenly included the old account details, and attached a new invoice with the ‘correct’ account for the payment to be made into. Even though the company had verification protocols in place, on this occasion the member of staff authorising the payment didn’t carry out these procedures, and so the payment was made.

It was several weeks later, when the subcontractor was chasing up payment, that the scam was uncovered. By this time it was too late, and the funds were deemed irretrievable, leaving the construction firm to pay the invoice for a second time. Had they not had Cyber Insurance in place, the construction company would have suffered a significant loss of £93,425.

This is just one example highlighting that even companies that don’t hold sensitive data, or don’t rely on computer systems to carry out core business operations, still have some form of cyber exposure – be it data on employees and third parties, use of email to communicate with customers and suppliers, or an online business bank account. There are no absolutes in risk management, and with all the will in the world, humans will always make mistakes. Don’t wait to be a victim: get in touch with our specialist Cyber team now for a quote.

You can read the detailed case study on CFC’s website here.