Through discussions with our client base, we have heard of increasing phishing attacks in the construction industry. There are two primary vectors: one targets the customer and the other targets the contractor. The attack is similar in both cases, but with one you are able to mitigate the risk directly, while the other requires an established policy with your customer.
Here is what happens: your customer receives a letter or email that looks quite authentic, carrying your company’s branding, names, addresses and phone numbers. The letter requests a change to the payment account.
The customer alters their payment destination unbeknownst to you. When you contact them regarding a late payment, they immediately profess to having made the payment. When you inquire further, you find they routed the payment to an account unrelated to you. At this point, it is difficult, if not impossible, to recover these fraudulently rerouted payments.
What to do? One way to thwart this scam is to establish a policy with your customers that the payment terms established at contract signing will not change via email. Instruct your client to send any suspicious emails to you so you may investigate further and possibly bring in law enforcement. For any existing contracts, you should reach out to your customers immediately and inform them of this policy as well.
While the aforementioned scam chiefly targets your clients, you might also be the target of this same fraudulent behavior as a general contractor. You might receive a request from one of your subcontractors about a change in payment routing. You should call your trusted contacts at the subcontractor to validate the request before changing any payment details and instruct your AP team to do the same.
This scam will most likely only increase over time. With a targeted, clear policy that is communicated to your customers and subcontractors, this risk can be mitigated.