September 2024 - Main Article:

Hackers Are Targeting Small Construction Companies And Other Invoice-Heavy Businesses

Between 2023 and 2024, cyber-attacks against construction companies surged and now represent 6% of all incident response cases handled by Kroll, according to its 2024 Cyber Threat Landscape report. Experts at Kroll attribute this rise to the industry's operational practices: frequent interaction with numerous vendors, reliance on mobile devices for remote work, and the high-pressure nature of the job, where speed can sometimes take precedence over security measures. Together, these elements create an environment highly susceptible to cyber-attacks.

A Lucrative Target for Hackers
Business email compromise (BEC) – fraudulent emails crafted to deceive employees into handing over money or sensitive information – accounted for 76% of the cyber-attacks on construction companies, as reported by Kroll. These emails often imitate invoices or messages from document-signing platforms, tricking users into divulging confidential information.

These strategies are particularly effective against smaller construction firms for several reasons:

  • High Vendor Engagement: Construction firms often work with a vast network of suppliers and vendors, each representing a potential vulnerability that hackers can exploit. For example, if a hacker compromises a vendor’s email account, they can send convincing fake invoices, leading companies to mistakenly transfer funds to the hacker’s account. The more vendors a company deals with, the more entry points there are for potential attacks.
  • Frequent Mobile Access: Construction workers, being highly mobile, often rely on mobile devices to access accounts and communicate from various locations. While this mobility is convenient, it also poses a security risk since mobile devices are generally less secure than traditional desktops or laptops.
  • Pressure-Driven Decisions: In industries where delays are costly, such as construction or healthcare, employees might rush through processing invoices or approving transactions without thoroughly checking their legitimacy. Hackers exploit this urgency to bypass normal security procedures.

Your Industry Might Be Next
It’s not just construction companies experiencing this uptick in cyber-attacks. Small manufacturing firms, educational institutions, and healthcare providers, which often lack the robust security measures of larger organizations, are also seeing an increase in cyber-attacks. These sectors, like construction, handle numerous vendors and time-sensitive invoices, making them prime targets for business email compromise and invoice fraud.

Strategies to Guard Against BEC and Invoice Fraud

  1. Implement Multifactor Authentication (MFA)
    The Cybersecurity and Infrastructure Security Agency notes that accounts protected by MFA are 99% less likely to be compromised. MFA requires multiple forms of verification before granting access to sensitive information. Even if hackers obtain login credentials, they cannot access accounts without a secondary form of authentication, such as a mobile device or biometric scan.
  2. Consistently Verify Supplier Information
    A straightforward yet highly effective measure is to confirm the legitimacy of invoices and supplier information. Establish a protocol that requires employees to verify the details of any financial transactions directly with the supplier through a known and trusted communication method, like a phone call.
  3. Regular Employee Training on Cyber Threats
    Regularly educating employees on common cyber threats is essential to a robust cybersecurity strategy. Training sessions on recognizing social engineering and phishing attempts, along with understanding the importance of verification protocols, can empower employees to act as the first line of defense. The Information Systems Audit and Control Association recommends cybersecurity awareness training every four to six months to prevent employees from forgetting what they’ve learned.
  4. Adopt Strong Cybersecurity Practices
    Cybercriminals frequently exploit outdated software to infiltrate systems. Small businesses can mitigate these risks by keeping software up to date. Investing in reliable antivirus and anti-malware solutions can also help detect and neutralize threats before they infiltrate your systems.
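
The supplier verification protocol in step 2 can be backed by an automated pre-payment check. The sketch below is an added example, not part of the original article: it holds any invoice whose sender or bank details differ from the vendor record on file and points the reviewer to the phone number on file. The vendor ID, domain, account and phone values are constructed, and the 0.85 similarity threshold is an assumption.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Vendor:
    email_domain: str    # domain the vendor normally invoices from
    bank_account: str    # payment details verified at onboarding
    phone_on_file: str   # trusted callback number, never taken from an email

@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    from_addr: str
    reply_to: str
    bank_account: str

# Constructed vendor master file (hypothetical vendor, reserved .example domain).
VENDORS = {"V-1001": Vendor("acmeconcrete.example", "TEST-ACCT-0001", "+1-555-0100")}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def _norm(account: str) -> str:
    return "".join(account.split()).upper()

def review_invoice(inv: Invoice, vendors=VENDORS):
    """Return ("PAY" | "HOLD", reasons); any HOLD requires a phone callback."""
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        return "HOLD", ["vendor is not in the master file"]
    reasons = []
    sender = _domain(inv.from_addr)
    if sender != vendor.email_domain:
        # Near-identical domains are a common invoice-fraud tell.
        ratio = SequenceMatcher(None, sender, vendor.email_domain).ratio()
        kind = "lookalike" if ratio >= 0.85 else "unknown"
        reasons.append(f"{kind} sender domain: {sender}")
    if inv.reply_to and _domain(inv.reply_to) != sender:
        reasons.append("Reply-To domain differs from sender domain")
    # Checked even when the sender is genuine: a compromised vendor mailbox
    # passes every address check, so changed bank details must trigger a hold.
    if _norm(inv.bank_account) != _norm(vendor.bank_account):
        reasons.append("bank account differs from the record on file")
    if reasons:
        reasons.append(f"verify by calling the number on file: {vendor.phone_on_file}")
        return "HOLD", reasons
    return "PAY", []
```

The bank-detail comparison is the control that still works when the invoice comes from a vendor's real but compromised email account, the scenario described under High Vendor Engagement.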

You’re a Target, But You Can Protect Yourself
Hackers are increasingly focusing on small, invoice-heavy industries like construction, manufacturing, and healthcare due to their inherent vulnerabilities. By understanding the factors driving these attacks and implementing strong cybersecurity practices, small business leaders can significantly reduce the risk of falling victim. Implementing MFA, adopting rigorous cybersecurity practices, verifying supplier information, and regularly training employees are key steps in defending against these threats.