Cyber Risk Update for Construction Companies

Stoel Rives - Global Privacy & Security Blog®
Scammers are always seeking new ways to target victims with Business Email Compromise (BEC) scams. In a BEC scam they use email to convince you to hand over credentials, send confidential information such as W-2s, redirect money by changing direct deposit instructions, or give up any other data that helps them commit fraud. Their deceptions are growing more sophisticated, and they target the areas they see as ‘weak links.’

Construction companies face a particular threat, because there are many services and private and government web sites to which companies can subscribe to learn about construction projects that are open to bid. Often the winning bidder becomes public knowledge, either because the award is posted publicly or because the winning contractor advertises that it was awarded the project. And these contracts carry price tags that are attractive to scammers.

Fraudsters can use information from these same web sites, along with other research, to learn which construction companies have bid on and ultimately won projects. The higher the price tag, the bigger the target. Once the scammers have set up a fake web site (tools let them clone the real contractor’s site almost exactly) on a domain that resembles the contractor’s, they email the victim posing as the contractor, attaching a direct deposit form (likely doctored with the contractor’s logo) and instructions to change payment information to a new account the scammers control. They may also run the same trick against the construction company itself, posing as a vendor the construction company regularly pays. Once the money is transferred, it can be difficult, and often impossible, to recover. Even if the victim has cyber insurance, whether any losses are covered depends on the policy. Any access and information the scammers obtain can also compromise the construction company’s information security, increasing the likelihood of privacy breaches, ransomware attacks, or other serious security incidents.

Awareness and good financial and technical controls are key to protecting against this threat. Here are some steps your organization should consider including in its cyber security plan:

  • Establish direct deposit instructions at the start of the contract, and make sure your customers know exactly how you would change them. For example, tell them that any change would come only from your organization, via a specific email address or phone number.
  • Also make sure your customers know how to verify those instructions, because email addresses and phone numbers can be faked. Have your customers confirm any change through the alternate communication method: if they receive an email with new instructions, they are to call the phone number given in the original instructions (not reply to the email, and not call any phone number in the email) to confirm, and vice versa. Scammers will do everything they can to get you to contact them for ‘verification,’ so clear direction at the start of the process is important.
  • Carefully scrutinize every request to transfer funds. Expect secure processes and procedures from your vendors and from anyone else you transfer money to. If they do not have a good process in place, at least have them follow yours.
  • Require two people to sign off on any change to payment instructions, at least one of them in management.
  • Train your staff on how to spot fakes. Consider phish-testing your own company regularly (there are subscription services that can help you manage this).
  • Consider configuring your mail system to tag messages from outside the organization as ‘external,’ so your staff can more easily spot a scammer impersonating a colleague.
  • Consider a secure email gateway service to help filter phishing and scams before they reach your staff.
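The external-sender tag and the "verify by the number on file" rule can be turned into an automated check at the mail boundary. The following is an added example written for this page, not code from the original post or from any product it mentions: a small Python filter that tags inbound mail from outside the organization as external, holds any message that asks for a change to banking or direct deposit details, and quarantines mail whose sender domain imitates a vendor domain on file (or the company's own domain). All domains, names, and messages are constructed for the example; a real deployment would take the vendor list from the payment instructions recorded at contract start.

```python
"""Added example (not from the original post): a minimal inbound-mail check
that tags external senders, flags payment-change requests, and spots
look-alike sender domains. Domains and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

OUR_DOMAIN = "example-builders.test"  # assumption: our own mail domain
VENDOR_DOMAINS = {"acme-concrete.test", "ridge-electrical.test"}  # assumption: recorded at contract start
PROTECTED = VENDOR_DOMAINS | {OUR_DOMAIN}

# Phrases that usually accompany a request to redirect payments.
PAYMENT_CHANGE = re.compile(
    r"\b(?:direct deposit|ach|wire|routing number|"
    r"bank(?:ing)? (?:details|information|instructions)|"
    r"(?:new|updated?|changed?) (?:account|bank))\b",
    re.IGNORECASE,
)

# Character substitutions commonly used in look-alike domains (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(label: str) -> str:
    """Fold look-alike characters so 'acme-c0ncrete' and 'acme-concrete' compare equal."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    # Assumption: two-label domains like vendor.test. Real code should use the public suffix list.
    return domain.split(".")[0]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this sender domain imitates, or None.
    An exact match is not a look-alike; it still gets the out-of-band check in classify()."""
    if domain in PROTECTED:
        return None
    cand = normalize(registrable_label(domain))
    for protected in sorted(PROTECTED):
        ref = normalize(registrable_label(protected))
        if cand == ref or levenshtein(cand, ref) <= 2 or ref in cand:
            return protected
    return None


def classify(raw_message: str) -> dict:
    """Decide what to do with one RFC 822 message (plain-text bodies assumed)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if msg.is_multipart():
        body = " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    external = domain != OUR_DOMAIN
    payment_change = bool(PAYMENT_CHANGE.search(f"{msg.get('Subject', '')}\n{body}"))
    imitated = lookalike_of(domain) if external else None
    if imitated:
        verdict = f"QUARANTINE: sender domain imitates {imitated}"
    elif payment_change:
        # Applies to exact vendor domains and internal senders alike: a compromised
        # real mailbox looks legitimate, so confirm by the phone number on file.
        verdict = "HOLD: confirm by calling the number on file before changing payment details"
    else:
        verdict = "[EXTERNAL]" if external else "internal"
    return {"sender_domain": domain, "external": external, "lookalike_of": imitated,
            "payment_change": payment_change, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLES = {
    "vendor_lookalike": (
        "From: Accounts Payable <ap@acme-c0ncrete.test>\n"
        "Subject: Updated direct deposit form\n\n"
        "Please update our banking information to the new account on the attached form.\n"
    ),
    "genuine_vendor_change": (
        "From: Ridge Electrical <billing@ridge-electrical.test>\n"
        "Subject: New account for remittances\n\n"
        "We have changed banks. Please use the new account below for future wire transfers.\n"
    ),
    "routine_invoice": (
        "From: Ridge Electrical <billing@ridge-electrical.test>\n"
        "Subject: Invoice 4471\n\n"
        "Invoice attached for the north site lighting work.\n"
    ),
    "staff_lookalike": (
        "From: Dana <dana@exarnple-builders.test>\n"
        "Subject: Urgent\n\n"
        "Please wire the retainage today. I will send the details shortly.\n"
    ),
    "internal": (
        "From: Dana <dana@example-builders.test>\n"
        "Subject: Safety walk\n\n"
        "Can we move the safety walk to Thursday?\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} -> {classify(raw)['verdict']}")
```

Two design points matter here. A message from the genuine vendor domain asking for a new account is still held, because the account may be compromised or the display name may be spoofed; the page's rule is that the change is confirmed by calling the number established at contract start, never by replying. And the look-alike check covers the company's own domain as well as vendors, which is what the external tag is meant to catch when a scammer impersonates a colleague.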

Ultimately, the adage ‘an ounce of prevention is worth a pound of cure’ is borne out in cyber and financial security breaches. Take proactive steps to protect your organization, your trades and vendors, and your own clients and customers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives - Global Privacy & Security Blog® | Attorney Advertising
