top of page

The hidden costs of cybercrime for construction: a case study

At first glance, the construction industry might not seem like the most obvious choice as a target for cybercriminals. However, as the UK’s largest industry and one with a growing reliance on technology as a business requirement, the building sector is now increasingly vulnerable to the issue of cybercrime. In fact, it’s now the fourth most targeted industry in the UK, with 46% reporting attacks of some kind in the past year alone, up from 40% the previous year.

Here we take a look at a real-life example of what happened when a construction company, who we will call ConstructCo, faced just such an attack, how it was handled, what the consequences were, and what more can be done by other construction companies when facing a threat that is increasingly difficult to navigate.

The cyber attack

The client of ConstructCo construction company received an email, purportedly from ConstructCo, containing a fake invoice for a payment of £17,000. When the client tried to pay the invoice, the construction company’s bank came back to them to say that the bank details on the invoice weren’t recognised.

Alarm bells were raised.

What happened next

The client contacted ConstructCo to explain what had happened. However, the office manager – a sub-contractor – replied only that ConstructCo’s bank details had not changed. He, however, didn’t take any further action to investigate the level of this fraud attempt. This included making the owners of the company aware of what had happened at the time.

How it was handled

While the office manager did call the IT company to change the email account passwords, he didn’t mention what happened or explore if there was any further compromise or risk to ConstructCo or their clients.

Thanks to what was perhaps a limited awareness of, and knowledge around cyber security, the contracted employee sadly behaved like nothing serious had happened, failing to call the client to explore the situation further and trying his best to bury the entire thing as fast as possible.

The consequences

As the situation was handled so poorly, with both the construction company and the client put at risk, ConstructCo not only lost faith in their employee, who soon left the business but post the client lost faith in ConstructCo due to the lack of action given to their initial concerns.

How could the officer manger have handled this differently?

By making the key decision makers, his employees, aware of the attack, so that a complete assessment of the situation could be made. An investigation should have been carried out into how the fake invoice was sent to the client. Was this a case of a Business Email Compromise (link to definition) or a phishing attack (link to definition)? Was there a risk to other clients and could messaging have been put out warning them of this threat? By informing clients of attacks that might affect them ConsructCo could have turned this into a positive message about them protecting their clients instead of a situation where trust was lost.

What can be learnt from this company’s experience?

The problem here was twofold: the company was left vulnerable, not only to the fraudulent email, but also by their employee’s lack of cyber security awareness. In the case of phishing, the best way to protect against such requests is to learn how to spot the signs, and there are several things that can indicate that a message is a phishing attempt. These include:

· mismatched URLs and redirects. Phishing attack emails often display links within the body of the fraudulent messages.

· the sender using a Gmail or other public email address rather than a corporate email address.

· messages that convey unusual urgency. A common quality of phishing attack emails is that they try to get people to panic, act carelessly and not think through their actions.

· think before responding to unauthorised account-related emails. People who orchestrate phishing scams frequently try to lure their victims by mentioning how their accounts showed suspicious activity and have been suspended.

· be suspicious of messages that warn of severe consequences for inaction. Hackers perpetually look for creative ways to impersonate unsuspecting users.

· spelling and grammar mistakes. Phishing attack emails exist globally, which means they may originate from people who speak languages other than English.

· beware of invoices from a service that you haven't used, as attachments can often install malware automatically (without your knowledge) on your computer when opened.

· staff awareness and training - consider ways that someone might target your organisation, and make sure your staff all understand normal ways of working (especially regarding interaction with other organisations), so that they're better equipped to spot requests that are out of the ordinary.

· Review your current security policy. Is it up-to-date and comprehensive enough to ensure all elements of your business are cyber resilient?

For more information on how to stay more cyber resilient, visit our Core Membership page where, by simply joining up today, you have access to receive practical guidance on the cyber security basics. Upgrade to a flexible paid-for range of options to suit the level of support required including Security Awareness Training and Business Continuity Exercises.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page