The Email That Steals a Progress Payment: Wire Fraud in Construction— ✦ —

Here is how a contractor loses six figures without a single system being hacked at their own company.

A project is mid-stream. The accounting team receives an email from a subcontractor, one they work with every week, from the real email address, referencing the real invoice number. The message says the sub has changed banks and asks that the next progress payment go to the new account. The invoice is due, the details check out, and the payment goes out. Two weeks later the actual subcontractor calls asking where their money is.

What happened: the subcontractor's email account was compromised weeks earlier. The attacker sat quietly, read the payment threads, learned the invoice schedule and the way people write to each other, and then sent one perfectly timed message. The money went to an account the attacker controls, and by the time anyone notices, it has been moved offshore.

Why Construction Is a Favorite Target

This scam, called business email compromise or payment redirection fraud, works anywhere, but construction gives attackers everything they want: large payments on predictable schedules, long chains of subs and suppliers where a changed bank account is routine, project teams working fast from phones and job sites, and public information about who is building what. An attacker does not need to breach your network. They only need to compromise the weakest email account anywhere in your payment chain, and that includes your subs, your suppliers, and your clients.

Escrow-style timing makes it worse. Progress payments and retention releases are large, expected, and time-pressured. Nobody wants to be the person who delayed a draw.

The Defenses That Actually Work

The fix is part technology, part procedure, and the procedure matters most:

  • Verify every banking change by phone, using a number you already have on file. Never use the number in the email, and never by replying to the email. This single rule defeats this scam, which is exactly why attackers write messages designed to discourage a call.
  • Require multi-factor authentication on email, for your company and, contractually if you can, for your subs. Most of these compromises start with a stolen password and no MFA.
  • Turn on banking alerts and dual approval for wire transfers and ACH changes above a threshold.
  • Add an external sender banner and payment-fraud training so the person in accounts payable recognizes the pattern under deadline pressure.
  • Check your email security settings. Attackers often add hidden forwarding rules to compromised accounts so they can keep reading mail unnoticed. Auditing for those rules is part of any serious email security review.

If a payment does go out, minutes matter. Call your bank immediately and ask for a recall and a fraud freeze, then report it to the FBI's IC3. Recovery is sometimes possible in the first day or two and rare after that.

One Question to Ask This Week

Ask your accounting team what the procedure is when a vendor emails a change in banking details. If the answer is anything other than "we call a known number to verify, every time, no exceptions," you have found the gap before an attacker does.

Protect the Payment Chain

Simplicity IT helps construction companies in San Diego County lock down email with MFA and monitoring, audit for hidden forwarding rules, and put payment verification procedures in place that hold up under deadline pressure. Contact us for a review of your payment chain security. Schedule your Discovery Call here.