From 2023 to 2024, attacks on construction companies doubled, making up 6% of Kroll’s total incident response cases, according to the 2024 Cyber Threat Landscape report from risk-advisory firm Kroll. Experts at Kroll note that the uptick could be driven by how work is carried out in the industry: employees work with numerous vendors, work remotely via mobile devices, and operate in high-pressure environments where urgency can sometimes trump security protocols. All of these factors make the construction industry ripe for a cyber-attack.
Ripe For Hackers
Business e-mail compromise (BEC) – fake e-mails designed to trick employees into giving away money or sensitive information – made up 76% of attacks on construction companies, according to Kroll. These e-mails look like document-signing platforms or invoices to socially engineer users into giving away information.
These tactics are having a higher success rate in smaller construction companies for a few reasons:
- They deal with a lot of suppliers and vendors.
Construction companies work with many suppliers and vendors, and each vendor can be a weak spot that hackers can exploit. For example, if a hacker gets control of a vendor’s e-mail, they can send fake invoices that look real, tricking businesses into sending money to the hacker’s account instead. Multiply that by the number of vendors you work with, and that’s a lot of potential entry points for a hacker.
- They use frequent mobile sign-ins.
As truly remote workers, construction employees rely on mobile devices to sign into accounts and communicate from anywhere. This mobile accessibility, while convenient, also increases the risk because mobile devices are typically less secure than desktops or laptops.
- They work in a high-stakes, high-pressure environment.
In industries where delays can be costly, such as construction or health care, employees may rush to process invoices or approve transactions without thoroughly verifying their legitimacy. This urgency is precisely what attackers count on to get around standard security checks.
Your Industry Could Be Next
Construction companies are not the only ones experiencing more attacks. Small manufacturing companies, higher education institutions, and health care providers that lack the robust security infrastructure of larger industry players are also examples of industries seeing a rise in cyber-attacks. These industries, like construction, deal with numerous vendors and urgent invoices, making them prime targets for business e-mail compromise and invoice fraud.
How To Protect Against BEC And Invoice Fraud
1. Use Multifactor Authentication (MFA)
Accounts that use MFA are 99% less likely to be attacked, according to the Cybersecurity and Infrastructure Security Agency. MFA requires multiple forms of verification before granting access to sensitive information. Even if hackers obtain log-in details, they can’t access accounts without the second credential, typically a mobile device or a biometric scan.
2. Always Verify Supplier Information
One of the simplest yet most effective measures is to verify the authenticity of invoices and supplier information. Establish a protocol where employees are required to double-check the details of any financial transactions directly with the supplier through a known and trusted communication channel, such as a phone call.
3. Keep Employees Trained On Common Attacks
Employee training is a vital component of a comprehensive cyber security strategy. Regular training sessions on recognizing social engineering and phishing attempts and understanding the importance of following verification protocols can empower employees to act as the first line of defense. The Information Systems Audit and Control Association recommends cyber security awareness training every four to six months. After six months, employees start to forget what they have learned.
4. Maintain Strong Cyber Security Practices
Cybercriminals regularly exploit outdated software to gain entry into systems. Small businesses can close these security gaps by keeping software up-to-date. Investing in robust antivirus and anti-malware solutions can help detect and stop attacks before they get into your systems.
You’re A Target, But You Don’t Need To Be A Victim
Hackers are increasingly targeting small, invoice-heavy industries like construction, manufacturing, and health care due to their inherent vulnerabilities. By understanding the reasons behind these attacks and implementing robust cyber security measures, small business leaders can protect their organizations from becoming easy targets. Utilizing MFA, maintaining strong cyber security practices, verifying supplier information, and training employees are essential to stopping attacks.
