Are Construction Companies likely to be a victim of a phishing attack?

Fifty percent of the construction companies on mainland UK are in the East and Southeast of England.

Construction is big business in The East of England and is a vital part of the regional and national economy. House building and infrastructure lead the way across our region, and it is a sector that is set to grow significantly over the next 3-5 years. And with critical national infrastructure projects like the Lower Thames Crossing and Sizewell C yet to start it is an exciting time to be part of this busy sector.

But growing business, greater reliance on technology and a generally poor standard of cyber hygiene also make construction a sector that is likely to attract the attention of cyber criminals.


Across all sectors phishing is by far the most common cyber-attack. In fact, Metacompliance found that 91% of cyber-attacks started with a phishing campaign. And once the criminals are in your network, they can steal your data and extort you to get it back.


As the Chartered Institute of Building (CIOB) CEO Caroline Gumble said: “The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and wellbeing.”


So, what is phishing?

Phishing at its most basic is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.


You might have heard of phishing, vishing, smishing, quishing, spear phishing and whaling, but all these names really mean is that there are a lot of different ways a cyber-criminal will try to trick you. Criminals use every communication method, so if a new one appears, you can be sure a criminal will be there trying to exploit it. And these criminals are experts at getting us to act in the way they want, whether that is clicking a link or downloading an attachment.


How could my building firm be targeted?

Criminals use information from all over to create phishing messages. Knowing what information about you and your company can be found by a criminal can be extremely useful in understanding what information could be included within a phish.


For example, would you believe an email was genuine if it contained your username and password? Did you know that if your details have been released in a data breach, usernames and passwords are just one thing that could be known, along with your IP address, postal address, telephone number and, in fact, any sensitive information you might have given to a company?


If your company has announced that you have just signed a new company, XYZCementProduction, as a client, a criminal could use that information to register a look-alike domain such as XYZCementProduction.com and trick you into communicating with them.
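As an added illustration (not code from the ECRC article), the check below flags an incoming sender domain that matches or closely resembles a known client or supplier domain, which is how a mail filter or help desk can catch the XYZCementProduction.com trick described above. The trusted domains and sender addresses are constructed for the example.

```python
# Added example, not from the original article: flag sender domains that
# look like a known client or supplier domain. All domain names are constructed.
from email.utils import parseaddr


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable_label(domain: str) -> str:
    """Crude extraction of the name before the public suffix:
    'xyzcementproduction.co.uk' -> 'xyzcementproduction'."""
    parts = domain.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(from_header: str, trusted_domains: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return "unknown"
    if domain in trusted_domains:
        return "trusted"
    label = _registrable_label(domain)
    for trusted in trusted_domains:
        t_label = _registrable_label(trusted)
        # Same name on another TLD, the trusted name embedded in a longer one,
        # or a one- or two-character typo are all treated as look-alikes.
        if label == t_label or t_label in label or _levenshtein(label, t_label) <= 2:
            return "lookalike"
    return "unknown"


# Constructed allowlist: the client's genuine domain and our own.
TRUSTED = {"xyzcementproduction.co.uk", "ecrcentre.co.uk"}

if __name__ == "__main__":
    for hdr in ("accounts@xyzcementproduction.co.uk",
                "XYZ Cement <billing@xyzcementproduction.com>",
                "invoices@xyzcernentproduction.com"):
        print(hdr, "->", classify_sender(hdr, TRUSTED))
```

A 'lookalike' result is a reason to verify the request by a known phone number before acting, not proof of fraud on its own.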

Would you click on a link which talked about the new Health and Safety e-licences for building sites?


If a message contains any of the following, really think before you click:


Urgency “you must do this now” – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you.


Authority – messages appearing to come from a boss, colleague, or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example).


Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”.


Curiosity – enticing you with something like “breaking news”.


Why do cyber criminals do it?

Basically, they want access to your systems and money.


Phishing messages are usually designed to get you to click a link or download an attachment. The aim is either to steal your login credentials or to install malware on your systems, and once the criminals are in, stealing your data is likely to be their next step. After that they may hold you to ransom to get it back, they might simply publish it all on the internet, or they could destroy all your company data without asking for anything.


What can you do?

All phishing depends on an element of social engineering or interaction with a person, so you really need to make staff engagement and upskilling a priority.


Did you know that your local police force has Protect officers who will do free staff awareness training? Or if you would like a series of training sessions the ECRC has affordable student services who can deliver a bespoke training session tailored to your company and the risks it faces.


Have a plan in place to deal with phishing attempts and successful attacks. Make sure your staff know how to report an attack and don’t put barriers in place to reporting, such as disciplinary action.


Phishing attacks can be very sophisticated and extremely difficult to guard against, but making sure you know how and when an attack has taken place means that you can react in the right way. You really don’t want a staff member too scared to report a successful phishing attack, leaving an attacker with an extended period of time in your systems.


The National Cyber Security Centre (NCSC) has created an enterprise Outlook add-in so that staff can report email phishing directly from their mailbox. The NCSC will then actively seek to disrupt the criminals sending these messages, protecting you as well as the wider community.


They have also created an e-leaflet that you can access at Cyber security for construction businesses - NCSC.GOV.UK


If you wanted to test your and your staff’s knowledge about phishing why not have a go at our fun phishing quiz? https://www.ecrcentre.co.uk/fun



Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail https://www.ecrcentre.co.uk/contact-us or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership https://www.ecrcentre.co.uk/core-membership-sign-up

Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Reporting Cyber Crime


Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

