Cyberattacks and Construction – A Hard Hit Industry 

April, 2023 - Alexander L. Turner

When you hear the word cyberattack, you think of attacks on banks, large box stores, or medical facilities. You should add the construction industry to that list because it is the third most common target for cyberattacks. These types of attacks are only increasing because bad actors have streamlined the processes they use to attack businesses. They like to attack the construction industry because large sums of money are being transferred in and out of bank accounts via wire transfers. Recently, we have seen companies experience bad actors squatting on business email accounts, waiting to redirect wire transfers or direct deposits. The bad actors will use a phishing attack or spoofing attack to trick an employee into providing information that gives the bad actors administrative access to the company’s email system. With this administrative access, the bad actors will have emails redirected to them, and they will wait for information related to a wire transfer or direct deposit to be emailed. The bad actor will then hijack that payment by emailing the sender new wiring information from a legitimate account at the company, erasing the email from the legitimate account holder’s outbox, and having the payment directed to a different account. Only later, when the business sees that payment for services has not been received, or an employee sees that a paycheck has not been deposited, is the breach discovered. However, by that time, it is too late, and the bad actors are already gone with the funds.
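
As an added illustration (not part of the original article), the two behaviors described above, mail redirected to an outside address and a payment email erased from the sender's mailbox, can be looked for in mailbox audit records. The record fields, domain names, and time window below are assumptions constructed for this example, not any mail product's real log format.

```python
from datetime import datetime, timedelta

COMPANY_DOMAIN = "builder.example"      # assumption: the company's own mail domain
PAYMENT_WORDS = ("wire", "wiring", "direct deposit", "bank account", "routing")
DELETE_WINDOW = timedelta(minutes=30)   # assumption: a send erased this fast is suspicious

# Constructed sample records; the field names are hypothetical, not a real schema.
AUDIT_LOG = [
    {"time": "2023-04-03T09:12:00", "user": "ap@builder.example",
     "action": "rule_created", "forward_to": "ap.archive@relay.example"},
    {"time": "2023-04-03T09:15:00", "user": "pm@builder.example",
     "action": "rule_created", "forward_to": "estimating@builder.example"},
    {"time": "2023-04-05T14:01:00", "user": "ap@builder.example", "action": "sent",
     "msg_id": "m1", "subject": "Updated wiring instructions for invoice 1042"},
    {"time": "2023-04-05T14:03:00", "user": "ap@builder.example",
     "action": "sent_item_deleted", "msg_id": "m1"},
    {"time": "2023-04-05T15:00:00", "user": "pm@builder.example", "action": "sent",
     "msg_id": "m2", "subject": "Site meeting Thursday"},
    {"time": "2023-04-05T15:05:00", "user": "pm@builder.example",
     "action": "sent_item_deleted", "msg_id": "m2"},
]

def is_external(address):
    """True when the address is outside the company's own mail domain."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN

def find_bec_indicators(records):
    """Return (time, user, reason) tuples for the two behaviors described above."""
    findings, sent = [], {}   # sent maps (user, msg_id) -> (send time, subject)
    for rec in sorted(records, key=lambda r: r["time"]):
        when, user = datetime.fromisoformat(rec["time"]), rec["user"]
        fwd = rec.get("forward_to")
        if rec["action"] == "rule_created" and fwd and is_external(fwd):
            findings.append((rec["time"], user, f"rule forwards mail outside the company: {fwd}"))
        elif rec["action"] == "sent":
            sent[(user, rec["msg_id"])] = (when, rec["subject"])
        elif rec["action"] == "sent_item_deleted":
            entry = sent.get((user, rec["msg_id"]))
            if (entry and when - entry[0] <= DELETE_WINDOW
                    and any(w in entry[1].lower() for w in PAYMENT_WORDS)):
                findings.append((rec["time"], user, f"payment email deleted after sending: {entry[1]}"))
    return findings

if __name__ == "__main__":
    for finding in find_bec_indicators(AUDIT_LOG):
        print(*finding, sep=" | ")
```
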
To avoid becoming a victim of a cyberattack, cybersecurity has to be made part of a company’s culture. Robust training and updating of policies and procedures are needed to combat this type of attack. Employees need improved training on the importance of cybersecurity, how to protect the company’s system from attack, and how to recognize an attack and report it. The company needs to invest in updating software and training, and be aware of the latest methods bad actors are using to infiltrate computer systems and how to prevent an attack. Finally, a company needs to do an audit of all of the data it is holding. The company needs to know what data it has, what data it needs to retain, what data it can get rid of, and who has access to all of that data. Holding a lot of data, especially data you no longer need, only increases the risk and liability to the company in the event of a data breach, so a business should establish a policy to periodically delete data the company no longer needs to hold. Additionally, not every employee needs access to all the data your company holds, so a company should limit each employee’s access to only the data the employee needs in order to accomplish his or her job. If you would like a review of your policies and procedures, or if you need training for your workforce in cybersecurity, please contact a member of Spilman’s Cybersecurity Practice Group.

