As part of the FBI’s InfraGard program, HCSS has been made aware that a specific type of scam has been increasingly common in the construction industry. This scam is called a Business Email Compromise (BEC), and is often a long-running operation with several distinct phases.

How Can This Affect Me?

Since March 2021, the FBI has observed scammers impersonate construction companies in order to defraud the owners of projects. Scammers have exploited won, in-progress, and completed project communications as a part of these campaigns. Losses reported have ranged from five figures to over one million dollars. In 2020, $1.8 Billion was lost to BEC scams across all industries, as reported to the FBI.

BEC Campaigns follow a common pattern : 

1. Research is conducted to find suitable targets to defraud and associated companies to impersonate.
2. Scammers register a company name similar to a legitimate company. For example, FamousConstruction.com might be used as “FamousContractors.com” or “FamousConstruction.net” to trick you into thinking that you are dealing with your normal vendor.
3. A carefully crafted email is sent to the legitimate company requesting a change of Automated Clearing House or Direct Deposit details via a spoofed email address from the similar domain created in step 2.
4. The customer makes the Automated Clearing House / Direct Deposit change
5. The next payment(s) go to the fraudulent account

As the audit cycles for some accounts can take a while to catch up, these payments may run several times before they are caught. 

To mitigate the risk several actions can be taken : 

• If a request to change payment details is “Urgent,” I would exercise an abundance of caution
  •  This can cause us to bypass our normal processes and checks in order to be helpful to our partners. 
• Confirm any changes to payment details via an out-of-band communication.
  • As these requests are largely coming in via email, confirm with the requesting party via a known contact phone number that they are making the request (in the case of a request via phone call, I would request an email from the requestors company email account, and then also verify via the known contact phone number).
• Carefully checking email addresses against what you would expect. 
  • If you have a known contact, copy their email address from your email address book, then use CTRL+F to find it in the requesting email. If the find function is unable to locate the email from your address book, you know to look for more details (and call the requestor).
• Review the procedures for vetting account information changes
  • make sure any changes are all double-checked by different staff members and that part of the process is an out-of-band communication with a known entity at the requestor’s company
• Common Sense safety
  • If you’ve never received an email from the Vice President of Billing at this customer, would you expect them to email you to change the ACH, or would that come from the billing contact you’re familiar with?

If you have any questions or would like more information, please contact us at HCSS (800-444-3196) or via email at support@hcss.com.

We also have an online community board where we discuss topics regularly, and post updates to industry vulnerabilities like this one: IT Pros HCSS Community – Construction BEC Notice

Links and Resources : 

Public information regarding this scam can be found at the FBI’s website linked here: Business Email Compromise — FBI. 

Home (infragard.org)
InfraGard_Brochure_10-11-2018.pdf
Business Email Compromise — FBI
FBI warns of BEC scammers impersonating construction companies (bleepingcomputer.com)