The specter of cyberattacks has grown alongside the construction industry’s increased reliance on digital tools for communication, storage and payments. Money and sensitive information moving among so many players—general contractors, subcontractors, suppliers, a distributed workforce—using a variety of digital platforms and devices makes the construction industry particularly vulnerable.
Since November 2022, a new ransomware group known as Royal has launched attacks on 62 businesses in the United States alone, according to a report from NordLocker, a file encryption software and cloud storage company. “The group has been particularly active against finance and construction firms,” the report says.
Royal has made ransom demands ranging from approximately $1 million to $11 million in Bitcoin worldwide, mostly in the critical infrastructure sector. And a SafetyDetectives study showed construction to be the third most common industry to experience ransomware attacks in 2021 (13.2% of total ransomware attacks in North America). Moreover, the issue of business email compromises (BEC) has gotten bad enough that the FBI put out a warning bulletin in June 2021 specifically directed at the construction industry.
But problems stretch beyond ransomware and stolen data. Cyber criminals are also stealing intellectual property as well as payments from construction businesses through fraudulent wire transfers.
Finding a way in
According to the aforementioned FBI bulletin, one method used by cyber thieves to gain access to construction companies is by collecting information—much of it publicly available online such as company logos and lists of current projects—to create legitimate looking but fraudulent messages. They use these to exploit business relationships, leading to millions of dollars in losses. The emails may ask people to wire money to fake accounts, ask for change orders that add fees or request updates to ACH bank account information.
The FBI’s Internet Crime Complaint Center (IC3) found that BEC schemes increased during COVID-19 as more people began working remotely. IC3 found that cyber criminals were able to compromise an employer or financial director’s email, request that employees participate in virtual meetings and then insert a still picture of a CEO and claim their audio or video wasn’t working properly. Then, according to IC3, “fraudsters would use the virtual meeting platform to instruct employees to initiate wire transfers or use the executives’ compromised email to provide wiring instructions.”
Using a third-party lender or title company to control payments via an escrow account may add a layer of protection, but companies still must be on top of safety protocols. “It’s usually at the point where funds are changing hands that criminals find a way to intervene in a transaction,” said Shirley Wrightsell, construction escrow director with Proper Title in Chicago.
Vigilance and due diligence
A construction escrow account is a type of holding account for the funds being used on a construction project. The account, which is managed by a third party such as a title company or lender, disburses funds to those involved in the project like subcontractors and tradespeople. The escrow manager also will, for example, “collect and scrutinize necessary construction documents and make sure they comply with what’s required to waive the lien rights of a contractor,” Wrightsell said.
There are pros and cons to using an escrow account. A common complaint is that payment is slow. “But payment is guaranteed,” countered Wrightsell. And an escrow account can help a company manage its cash flow. In addition, Wrightsell said, “Using construction escrow services helps keep projects on schedule. If payments are not disbursed accurately to the general contractor, subcontractors and suppliers, claims are often filed, and these claims can quickly derail a construction project.”
When it comes to cybersecurity, however, an escrow account can still be vulnerable to fraud. According to the American Land Title Association, attacks against title companies are increasing. A 2022 ALTA survey showed 46% of respondents reported employees received at least one email a month attempting to change wire or payoff instructions during the closing process.
If you use an escrow account, you have to be diligent about choosing the company that manages it, Wrightsell said. “It’s important for a contractor to understand the title company’s process for delivering payment, what the turnaround is, what paperwork is required in order to expedite the processing of the payment.”
Wrightsell said to look for an escrow manager that has a “three-approval process.” The escrow manager should get all the information from the fund recipient in writing—where the money is to be sent, information about the recipient’s bank and a contact phone number where the escrow manager can contact them after receiving their information. “The title insurance agency should call to verify all the information,” Wrightsell said. “After the title company processes that information, they should make sure everything is accurate before sending it to their accounting department.”
Once the wire transfer is sent, the escrow manager should confirm with the contractor or the general contractor that they actually have the funds in their account.
Wrightsell said that from the moment the title agency orders a transfer, it takes about a half hour until delivery of funds, since the transaction must go through the Federal Reserve. “That is the key time where, if there is a problem, we’re going to know right away that their money isn’t out on the dark web somewhere,” Wrightsell said.
Capture the red flags
Anyone with an email address faces the possibility of malicious online activity. Construction companies as well as their escrow managers should follow digital safety protocols and look for red flags, especially when dealing with account or payment information, Wrightsell said.
Scrutinize email sender and domain names and where an email is coming from. For example, on quick glance you might not catch two “v”s used as a “w” in the name “Brewer” — “Brevver.”
Train employees to spot phishing emails and report concerns immediately.
Double check any ABA routing numbers and account numbers.
Be vigilant for a sudden change. For example, Wrightsell said, “If we make a wire transfer for 10 draw requests to a particular account and we then get an email saying something like, ‘I’m out of the office and want funds to go to a different destination,’ we dig in our heels and confirm all information before we proceed.”
Verify all payment changes and transactions in person or via a known, established phone number. “Do not call any phone numbers listed in an email. Also, do not use a Google search for a company’s phone number as it can lead to a fraudulent, lookalike website,” Wrightsell said.
Watch out for cyber actors impersonating construction companies. These cyber actors register domains that closely resemble the legitimate construction company’s domain such as adding “Inc.” or “Group” or an acronym for the full company name. These spoofed domains are used to create email accounts from which the actors send fraudulent emails. “Owners opting not to use construction escrow services will receive these email requests for updated bank account information and could unknowingly send payment to the fraudster,” Wrightsell said.
Keep close tabs on the construction escrow account. Be aware if new subcontractors are hired midstream that are replacing existing subcontractors. The construction escrow manager needs to be aware of these changes to make sure the new subcontractors are paid instead of former subs.
Be detail oriented. Make sure the amount requested matches the work completed. “Double-check that no mechanic’s liens are on record against the real estate and that sufficient funds are in the escrow account,” Wrightsell said.
Cybercrime is big business for criminals, and it’s not going away. But with proper protocols, procedures and vigilance it may be possible to reduce the number of negative outcomes.