From 2023 to 2024, attacks on construction companies doubled, making up 6% of Kroll's total incident response cases, according to the 2024 Cyber Threat Landscape report from risk-advisory firm Kroll. Experts at Kroll note that the uptick could be driven by how work is carried out in the industry: employees work with numerous vendors, work remotely via mobile devices, and operate in high-pressure environments where urgency can sometimes trump security protocols. All of these factors make the construction industry ripe for a cyber-attack.
Ripe For Hackers
Business e-mail compromise (BEC) - fake e-mails designed to trick employees into giving away money or sensitive information - made up 76% of attacks on construction companies, according to Kroll. These e-mails are made to look like notifications from document-signing platforms or like invoices, in order to socially engineer users into giving away information.
These tactics are having a higher success rate in smaller construction companies for a few reasons:
- They deal with a lot of suppliers and vendors. Construction companies work with many suppliers and vendors, and each vendor can be a weak spot that hackers can exploit. For example, if a hacker gets control of a vendor's e-mail, they can send fake invoices that look real, tricking businesses into sending money to the hacker's account instead. Multiply that by the number of vendors you work with, and that's a lot of potential entry points for a hacker.
- They use frequent mobile sign-ins. As truly remote workers, construction employees rely on mobile devices to sign into accounts and communicate from anywhere. This mobile accessibility, while convenient, also increases the risk because mobile devices are typically less secure than desktops or laptops.
- They work in a high-stakes, high-pressure environment. In industries where delays can be costly, such as construction or health care, employees may rush to process invoices or approve transactions without thoroughly verifying their legitimacy. This urgency is precisely what attackers count on to get around standard security checks.
Your Industry Could Be Next
Construction companies are not the only ones experiencing more attacks. Small manufacturing companies, higher education institutions, and healthcare providers that lack the robust security infrastructure of larger industry players are also examples of industries seeing a rise in cyber-attacks. These industries, like construction, deal with numerous vendors and urgent invoices, making them prime targets for business e-mail compromise and invoice fraud.
How To Protect Against BEC And Invoice Fraud
1. Use Multifactor Authentication (MFA)
Accounts that use MFA are 99% less likely to be attacked, according to the Cybersecurity and Infrastructure Security Agency. MFA requires multiple forms of verification before granting access to sensitive information. Even if hackers obtain login details, they can't access accounts without the second credential, typically a mobile device or a biometric scan.
2. Always Verify Supplier Information
One of the simplest yet most effective measures is to verify the authenticity of invoices and supplier information. Establish a protocol where employees are required to double-check the details of any financial transactions directly with the supplier through a known and trusted communication channel, such as a phone call.
3. Keep Employees Trained On Common Attacks
Employee training is a vital component of a comprehensive cybersecurity strategy. Regular training sessions on recognizing social engineering and phishing attempts and understanding the importance of following verification protocols can empower employees to act as the first line of defense. The Information Systems Audit and Control Association recommends cyber security awareness training every four to six months. After six months, employees start to forget what they have learned.
4. Maintain Strong Cybersecurity Practices
Cybercriminals regularly exploit outdated software to gain entry into systems. Small businesses can close these security gaps by keeping software up-to-date. Investing in robust antivirus and anti-malware solutions can help detect and stop attacks before they get into your systems.
You're A Target, But You Don't Need To Be A Victim
Hackers are increasingly targeting small, invoice-heavy industries like construction, manufacturing, and health care due to their inherent vulnerabilities. By understanding the reasons behind these attacks and implementing robust cyber security measures, small business leaders can protect their organizations from becoming easy targets. Utilizing MFA, maintaining strong cyber security practices, verifying supplier information, and training employees are essential to stopping attacks.