“To err is human. To really foul things up requires a computer.” – Paul R. Ehrlich.
That line rings true when a single hacked email chain can cause hundreds of thousands of dollars to vanish overseas. And construction companies—because of their reliance on high-value wire transfers and multiple layers of contractors, owners, and vendors—have become a prime target.
Here’s how it usually plays out: a contractor’s email account is compromised through a phishing attack or data breach. The fraudster, posing as the contractor, then sends a legitimate-looking message to the project owner instructing them to “redirect” payment to a new bank account. Because construction payments often run into six or seven figures, a single successful scheme can be devastating. These scams are particularly effective because the emails appear authentic, often arriving mid-project and mimicking prior correspondence.
The statistics bear out the scale of the threat. Between August 2023 and July 2024, nearly 500 construction organizations were listed on data-leak websites, a jump of more than 30% from the prior year. Business Email Compromise scams tied to construction resulted in over $1.2 billion in losses during 2023 alone. And in the residential sector, wire fraud losses have ballooned from $9 million a decade ago to nearly half a billion dollars annually.
When a breach or fraudulent transfer is suspected, speed is critical. Companies should immediately halt pending transfers, disconnect compromised devices, and alert their IT or cybersecurity team. Insurers and affected parties must be notified, and the incident should be reported to the FBI’s Internet Crime Complaint Center. In some cases, acting within hours can mean the difference between recovery and permanent loss.
Insurance coverage is another important piece of the puzzle. Many clients assume their commercial general liability policy protects them, only to discover cyber fraud is excluded. Crime policies may help, but often with narrow limits. The more reliable solution is a standalone cyber liability policy or an endorsement that specifically covers funds transfer fraud. A conversation with a broker who understands the construction sector is essential.
One of the simplest but most effective defenses is clear contract language. We often recommend a clause requiring written notice and verbal confirmation before any change in payment method is valid. For example:
“No change in the method of payment or in wire transfer instructions shall be valid or binding on either party unless (i) such change is delivered in writing on company letterhead or by secure electronic transmission, (ii) the receiving party verifies the change through verbal confirmation with an authorized representative of the other party at a telephone number previously designated in this Agreement, and (iii) both steps are completed prior to any transfer of funds. Owner acknowledges and agrees that Contractor shall not be responsible for, and Owner shall bear the risk of, any loss, delay, or misdirected payment resulting from failure to comply with this procedure.”
Our firm has handled a growing number of disputes in this space, from recovering misdirected funds to negotiating insurance coverage to tightening clients’ contract terms. The lesson is consistent: while no company can completely eliminate the risk, firms that prepare—through insurance, contracts, and clear internal procedures—are far better positioned when the inevitable attempted fraud arrives.