Australian construction sector targeted in BEC scams

Cybercriminals are increasingly targeting Australian building and construction companies with business email compromise, the Australian Cyber Security Centre (ACSC) has warned.

In a threat alert, the ACSC said it has observed a growing trend over the past six months involving cybercriminals targeting builders and construction companies to conduct these scams.

The ACSC warned companies to be on the lookout for fraudulent emails from hacked email accounts, or from legitimate registered domain names that are similar to those used by legitimate companies.

The ACSC is urging all parties involved in construction projects to be vigilant when communicating by email, particularly when discussing bank account details or invoicing.

Recommended mitigation strategies include implementing processes to verify payment-related requests before auctioning them, securing email accounts, and implementing training and awareness activities for employees.

Tesserent CIO Michael McKinnon said in Australia the construction and manufacturing industry is one of the most vulnerable and targeted sectors for cybercriminals.

“Australia’s construction industry is highly vulnerable to not only BEC scams, but also for phishing and ransomware attacks. This is a result of years of neglect in IT spending in the sector,” he said.

“Construction companies have frequently underestimated the importance of investing in technology and now many are exposed through outdated technologies running in their business and their reliance on less sophisticated managed service providers.”

In addition, cybercriminals have discovered that construction companies are valuable targets due to the high volumes of money that change hands in the sector.

“Attackers know that large invoices worth thousands to millions of dollars regularly change hands and they want a piece of that pie. Whether it’s through fraud, scams, changing invoice details, fake supplier information — they’re targeting attacks to try and intercept payments,” McKinnon said.

“Construction companies need to urgently review their technology systems and cybersecurity defences and train staff on how to detect and report fraudulent emails.”

Image credit: ©stock.adobe.com/au/Syda Productions