Hammering home the message about cyber awareness, security and resilience

Over the last 18 months, cyber criminals have turned their attention even further towards the construction industry, with a spate of attacks being suffered by private and public bodies.


The Office for National Statistics reports that there are approximately 819,000 self-employed construction workers in the UK. A government report states that a successful cyber-attack costs small businesses more than £8,000 on average. For those unaware of the cyber pitfalls, this is pretty much concrete evidence that the risks are weighty enough for a business to go under.


There’s often a misconception that cyber resilience is a costly, complicated solution to a problem (cyber-attacks) which only affects big-name developers, not small family-run building companies in quiet towns. This couldn’t be further from the truth.


Social engineering attacks, known as phishing, are one of the most common ways for a business system to be infected, and anyone can be targeted. Criminals can use publicly known information about you to target their attacks. This intel can be gathered from a variety of sources such as a company website, press coverage and social media posts. If your personal accounts aren’t private, you may want to reconsider this.


A new phishing campaign targeting self-employed workers has been catching innocent people out recently. The email appears at face value to have been sent by the official UK Government and invites the recipient to claim for the fifth Self-Employment Income Support Scheme. This is a scam. The ‘from’ field says ‘gov.uk’; however, the actual sender address is ‘gobotify.com’, which is a clear indicator that something is amiss.



Also be aware of business email compromise (BEC), which is where a criminal gets access to a mailbox. They set up forwarding rules which direct any emails containing financial keywords such as ‘invoice’ or ‘payment’ to another inbox. They may also impersonate the victim by sending a change of banking details, or set up a fake email account with very close spelling (typosquatting) to take over the communication. Take a look at this video of how outsiders try to get in.
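The two warning signs described above (a ‘from’ name that claims one domain while the real address uses another, and a sender domain spelled almost like one you trust) can be checked automatically. The following is an added example, not code from the ECRC; the trusted-domain list, the function names and the sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: domains your business genuinely deals with (constructed list).
TRUSTED_DOMAINS = {"gov.uk", "example-builders.co.uk"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_under(domain, parent):
    """True if domain is parent itself or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def check_from(from_header, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for the value of one From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    # 1. The display name mentions a domain the real address does not belong to.
    for claimed in DOMAIN_RE.findall(display.lower()):
        if not is_under(domain, claimed):
            warnings.append(f"display name claims {claimed} but sender is {domain}")
    # 2. The sender domain is a near miss of a trusted one (typosquatting).
    if not any(is_under(domain, t) for t in trusted):
        for t in sorted(trusted):
            if 0 < edit_distance(domain, t) <= 2:
                warnings.append(f"{domain} looks like {t}")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers; only the two domains in the first are from the article.
    for header in ('"gov.uk" <claims@gobotify.com>',
                   '"Accounts" <accounts@example-bui1ders.co.uk>',
                   '"GOV.UK" <no-reply@service.gov.uk>'):
        print(header, "->", check_from(header) or "no warnings")
```

A clean result only means these two checks passed; a message sent from a genuinely compromised mailbox will show the correct domain, which is why payment changes still need confirming through details you already hold.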




Here are some quick and easy things you can do to mitigate the risks:


  • Check your email regularly for any forwarding rules

  • Enable two-factor authentication on email accounts (this is where a code is sent via text to your phone or by an authenticator app for you to validate you are the rightful user of the account)

  • Ensure any staff processing invoices are aware of these scams and receive regular training (the ECRC offers security awareness training through its student services)

  • Always check any change of payment details with the sender – using details held previously and not from the recent email

  • Don’t click on any suspicious email links or attachments

  • Ensure you are backing up your data

The foundation for safeguarding your business is available free of charge through ECRC core membership, with a wealth of toolkits, cyber updates and hints and tips to help protect against cyber breaches. For something more in-depth, affordable security awareness training is available through our student services. Please get in touch to let us know how we can help you build on your resilience.
