Cyber Security for Builders and Construction Companies: Protecting Your Business on and off Site
Australian builders and construction companies are increasingly targeted by invoice fraud, ransomware, and email scams — here's how to protect your business.
The construction industry might seem like an unlikely cyber security target — but Australian builders, subcontractors, and project managers are being hit hard. Invoice fraud alone costs the industry millions each year, and ransomware attacks that lock access to project plans, contracts, and scheduling software can bring a site to a standstill. If you're running a building business, you need to know what you're up against and what to do about it.
Why Construction Businesses Are in the Crosshairs
Criminals look for opportunity, and construction offers plenty of it:
- High invoice volumes: A busy builder deals with dozens of subcontractor invoices every week. That volume makes it easy for a fake invoice to slip through.
- Large transaction values: Individual invoices for materials, plant hire, and subcontractor work can run into tens or hundreds of thousands of dollars. One successful fraud can be very profitable.
- Complex supply chains: You work with many subcontractors, some of them one-off or project-specific relationships — making it harder to spot an impersonator.
- Limited IT investment: Many small and medium building businesses run lean, without dedicated IT support or formal cyber security measures.
The Threats Most Likely to Hit Your Business
Invoice Fraud and Payment Redirection
This is the number one threat in construction. The scam works like this: an attacker compromises either your email or a subcontractor's email and monitors the correspondence. When the time is right — often just before a payment is due — they send you a message that looks like it's from the subcontractor, saying their bank account details have changed. You update your records. You pay the next invoice. The money goes to a criminal.
Sometimes attackers don't even need to compromise an email account — they just spoof the sender address convincingly enough to fool a busy accounts person who isn't looking closely.
Fake Variation Claims via Email Impersonation
A variation on the same theme: fraudulent emails claiming additional costs or change orders, sent to a project manager or owner who then approves payment. In a busy project environment with lots of email back-and-forth, these can be hard to spot.
Ransomware Locking Project Files
If your business uses Procore, Aconex, or Buildxact for project management, or Xero or MYOB for accounting, a ransomware attack can lock you out of your files completely. Imagine losing access to your project plans, contracts, and schedules in the middle of a build. Ransomware typically spreads through a phishing email that someone on your team clicks on.
Phishing via DocuSign and Contract Emails
Construction involves a lot of contracts and signed documents. Attackers exploit this by sending fake DocuSign emails or contract review requests that actually lead to malicious websites designed to steal your login credentials. Train your team to check the sender address carefully before clicking any link in a contract or document email.
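The two spoofing patterns above (a sender address that only looks like a known subcontractor, and a Reply-To that quietly points somewhere else) can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article: a small Python check over the From and Reply-To headers against a supplier domain allow-list. The domains, names and addresses in it are constructed for illustration; in practice the allow-list comes from your own supplier records. A clean result does not prove the email is genuine (a compromised real mailbox passes this check), so the phone-verification rule still applies to every payment change.

```python
"""Flag suspicious sender headers on invoice and contract emails.

Added example (not from the original article). The supplier domains
and sample headers are constructed for illustration.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed allow-list: domains your subcontractors and document
# platforms actually send from. Load this from your own records,
# never from a domain an email suggests.
KNOWN_SUPPLIER_DOMAINS = {
    "smithplumbing.com.au",
    "acmeconcrete.com.au",
    "docusign.net",
}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(from_header: str, reply_to_header: str = "") -> list:
    """Return a list of warnings for the given From / Reply-To headers.

    An empty list means nothing looked wrong; it does not mean the
    message is genuine, so bank-detail changes still need a callback.
    """
    warnings = []
    display_name, address = parseaddr(from_header)
    domain = _domain_of(address)
    if not domain:
        return ["From header has no usable email address"]

    if domain not in KNOWN_SUPPLIER_DOMAINS:
        # Unknown domain: is it a near-miss of a supplier we do know?
        for known in KNOWN_SUPPLIER_DOMAINS:
            if _edit_distance(domain, known) <= 2:
                warnings.append(f"domain {domain!r} looks like known supplier {known!r}")
                break
        else:
            warnings.append(f"domain {domain!r} is not a known supplier domain")

    # Display name names a known supplier but the address domain differs.
    squashed_name = display_name.lower().replace(" ", "")
    for known in KNOWN_SUPPLIER_DOMAINS:
        brand = known.split(".")[0]
        if brand in squashed_name and domain != known:
            warnings.append(
                f"display name {display_name!r} suggests {known!r} but address is {address!r}"
            )
            break

    # Replies silently redirected to another domain is a classic BEC pattern.
    if reply_to_header:
        reply_domain = _domain_of(parseaddr(reply_to_header)[1])
        if reply_domain and reply_domain != domain:
            warnings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}"
            )

    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one lookalike, one with a redirected Reply-To.
    for hdr in (
        ('"Smith Plumbing" <accounts@smithplumbing.com.au>', ""),
        ('"Smith Plumbing" <accounts@smithplumbimg.com.au>', ""),
        ("Acme Concrete <accounts@acmeconcrete.com.au>", "accounts@acmeconcrete-billing.com"),
    ):
        print(hdr[0], "->", check_sender(*hdr) or "ok")
```

The check is deliberately conservative: a supplier domain you have not recorded yet is flagged as unknown rather than trusted, which is the right default for the one-off, project-specific relationships the article describes.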
The Controls That Matter Most
Mandatory Phone Verification for Any Bank Account Change — Make It Policy
This is the single most important thing you can do to prevent invoice fraud. Before you process any payment to a new or changed bank account, call the person or business on a phone number from your existing records — not one provided in the email. Don't make exceptions. Don't let anyone talk their way around it with urgency. Write it up as a formal policy and make sure everyone in your accounts team knows it applies every single time, without exception.
This one control defeats the vast majority of payment redirection scams.
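The policy can also be enforced in whatever system releases payments, so that a changed account cannot be paid until someone has recorded a confirming call to the number already on file. The code below is an added example, not part of the original article or of any accounting product it mentions: a minimal Python model of that rule, with constructed supplier names, phone numbers and account details. Its two deliberate checks are that a callback made to a number that is not the one on file is rejected outright (that number probably came from the email), and that any unresolved change blocks payment rather than falling back to the new details.

```python
"""Payment-release guard enforcing the callback-before-change policy.

Added example, not from the original article. Supplier records,
phone numbers and bank details are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an action would breach the callback policy."""


@dataclass
class Supplier:
    name: str
    phone_on_file: str              # from your own records, never from an email
    bsb: str                        # currently verified bank details
    account: str
    pending: tuple = None           # (new_bsb, new_account, source) awaiting a callback
    history: list = field(default_factory=list)


def request_bank_change(s: Supplier, new_bsb: str, new_account: str, source: str) -> None:
    """Park a requested change; the old details stay in force until confirmed."""
    s.pending = (new_bsb, new_account, source)
    s.history.append(("change_requested", source, new_bsb, new_account))


def record_callback(s: Supplier, number_called: str, confirmed: bool, verifier: str) -> None:
    """Resolve a pending change based on a phone call to the number on file."""
    if s.pending is None:
        raise PolicyViolation(f"no pending change for {s.name} to verify")
    if number_called != s.phone_on_file:
        # A number supplied in the change email is exactly what the attacker controls.
        raise PolicyViolation(
            f"callback for {s.name} used {number_called!r}, not the number on file"
        )
    s.history.append(("callback", verifier, number_called, confirmed))
    new_bsb, new_account, _ = s.pending
    if confirmed:
        s.bsb, s.account = new_bsb, new_account
    s.pending = None            # rejected changes are simply discarded


def release_payment(s: Supplier, amount: float) -> dict:
    """Return a payment instruction, or refuse while a change is unverified."""
    if s.pending is not None:
        raise PolicyViolation(
            f"bank details for {s.name} have an unverified change; call {s.phone_on_file} first"
        )
    return {"payee": s.name, "bsb": s.bsb, "account": s.account, "amount": amount}


if __name__ == "__main__":
    # Constructed walk-through of a payment-redirection attempt being blocked.
    sub = Supplier("Smith Plumbing", "02 9000 0000", "062-000", "12345678")
    request_bank_change(sub, "033-000", "99999999", source="email claiming new account")
    try:
        release_payment(sub, 18500.00)
    except PolicyViolation as exc:
        print("blocked:", exc)
    record_callback(sub, "02 9000 0000", confirmed=False, verifier="jane")
    print("paid to", release_payment(sub, 18500.00)["account"])
```

Keeping the original details in force until the call confirms the change means an attacker's email achieves nothing on its own; the worst case is a delayed payment, not a redirected one.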
MFA on Accounting and Project Management Software
Enable multi-factor authentication on Xero, MYOB, Procore, Buildxact, and SimPRO. If an attacker steals a password — which happens through phishing, data breaches, or reused passwords — MFA stops them from getting in. It takes minutes to set up and is available on all major platforms.
Train Staff to Be Suspicious of Invoice Emails
Your accounts team and project managers are on the front line. They need to know that invoice fraud is common, that emails can be spoofed, and that it's always okay — expected, in fact — to pick up the phone and verify before processing a payment. Create a culture where checking is normal, not inconvenient.
Be especially vigilant about invoices from new subcontractors or those with changed details. If something feels off, it probably is.
Secure Document Sharing for Contracts
Rather than sending contracts and variations as plain email attachments, use a secure sharing platform — a dedicated portal in Procore or Aconex, or a service like DocuSign with proper identity verification. This reduces the risk of contract-related phishing and provides a clear audit trail.
Keep Software Updated
Outdated software — on laptops, tablets, and on-site computers — is a common entry point for malware. Make sure operating systems and applications, especially accounting and project management tools, are kept up to date. Enable automatic updates where possible.
A Practical Starting Point
You don't need to do everything at once. Start with the two controls that will have the biggest impact: a written policy requiring a callback before processing any bank account change, and MFA on your accounting software. These two steps can prevent the most common and costly attacks against construction businesses. Then build from there.
If you've already been targeted or want to assess your exposure, the Australian Cyber Security Centre (cyber.gov.au) has free resources for small businesses, and your industry association may also offer guidance.
Frequently asked questions
How common is invoice fraud in the construction industry in Australia?
Very common. The Australian Competition and Consumer Commission's Scamwatch and the Australian Cyber Security Centre both report that construction and building businesses are among the most frequently targeted sectors for payment redirection fraud, also called business email compromise (BEC). The high volume of subcontractor invoices, the frequency of one-off or project-based supplier relationships, and the large dollar amounts involved make construction businesses attractive targets. Many cases go unreported because businesses are embarrassed or unsure whether reporting will help. If you've been targeted, report to ReportCyber (cyber.gov.au) and your bank immediately.
What should I do if I've already transferred money to a fraudulent account?
Act immediately — call your bank's fraud team within minutes if possible. Banks have internal processes to attempt to recall payments, but the window is short before funds are moved on. Report the incident to the ACSC via ReportCyber and to the Australian Federal Police if the amount is significant. Also notify your own accountant and, if relevant, your PI or cyber insurer. Document everything: the email, the invoice, the transfer record, and every communication. Don't delete anything even if you're embarrassed — you'll need it for the investigation and any insurance claim.
How do I verify that a subcontractor's bank account details are legitimate?
Call them. Use a phone number from your existing records — not a number provided in the email or invoice — and ask them directly to confirm their account details. This is the only reliable verification method. Email is not secure enough on its own: an attacker who has compromised either your email or your subcontractor's email can intercept and alter messages without either party knowing. Make it a written policy that no bank account detail changes are actioned without a verbal confirmation call, and make sure your accounts team knows the rule applies without exceptions.