Phishing Attacks in the Construction Industry

December 12, 2017 by Infosec


Many who run construction companies are not fully aware of the dangers presented to their business by hackers and phishers. Often, the companies feel that they are not a primary target, based on the nature of their business. They do not know why a hacker might want to target them. However, construction companies tend to have a lot of data on their clients and customers, as well as their suppliers. This information is stored on computers. Often, this is sensitive information. Phishers are looking for this type of information, which they can steal.

Many companies in this field have already been targeted and have had to deal with the aftermath. In 2016, Turner Construction was the target of a specific type of phishing scam called spear phishing. There was a fraudulent email account set up and one of the employees sent tax information on employees – current and former employees – to the account. This information included the names, tax information, states where the employees worked, and their Social Security Numbers. All of the employees who were a part of the company in 2015 were affected by this breach.

Plenty of other companies in the construction industry have fallen for these types of scams in recent years. These include Trinity Solar, Central Concrete Supply, and Century Fence, to name some of the most prominent. Plenty of companies in other industries are affected every year, as well.

Why Phish the Construction Industry?

Phishers look to gain access to information in the company, such as who you are doing business with, the projections of your company, and other information that you do not want to have in the wrong hands. Consider some of the types of information that you might have on hand – architectural drawings, specifications, proprietary information and assets, IP, and your accounts are all fair game to the phishers out there.

Why are phishers so intent on attacking the construction industry? One of the biggest reasons is the fact that many in the field do not see it coming. They think the industry is safe or that their company is not large enough to gain the attention of hackers, so they do not take any preventative measure to keep themselves safe.

In addition, many people simply aren’t knowledgeable about phishing and are unsure of how it works. This includes those who are working in the construction industry. Therefore, it becomes easier to make them believe they are getting a legitimate email, and they divulge secure information without realizing the problem.

How Are Construction Companies Phished?

Construction companies are phished in much the same manner as other companies. The most common way of targeting the company is to send emails to those who are employed there. The phisher might send out some random emails in the company to see if anyone bites, or they might send it only to certain people in the company, such as executives. The latter is called spear phishing, which caused the problems at Turner Construction, mentioned earlier.

A well-placed, realistic-looking request from SalesForce could help teach your sales manager to look closely before clicking on suspicious links

The emails that are sent often appear to be from someone who works in the same company, or with a company or organization that they often do business with. It might even appear to be an official email from a government organization. The emails often state that there is a problem with an account, or that certain information is needed, and they provide a link that can be easily clicked to “solve the problem”. The email recipient might provide the information needed, or the phisher could install malicious code, which could damage the system or allow them access to it.

Three Strategies for Preventing Phishing in the Construction Industry

Education and Training

Because not everyone understands what phishing is, the first step to prevent phishing is to educate those who are working at the company. They need to have a good understanding of how to recognize phishing scams when they see them. With the right training, it will help to reduce the possibility of becoming a victim to one of these scams. However, there needs to be more than just education.

SecurityIQ’s AwareEd modules are designed to bring even the most tech-phobic member of your team up to speed and help them spot scams in their inboxes

Testing and Evaluation

Once they have been educated on phishing, the employees also need to be tested occasionally. With InfoSec, you can run a phishing testing campaign with the employees at your construction company. Create emails that are similar those used by phishers and then test them on the employees. Which of the employees clicked on the links? This can let you know who needs to have some additional training. InfoSec offers a range of templates that you can use, or you can create your own emails.


While it is important to know what to expect when looking for emails that could be phishing scams, your employees also need to know what to do when they see them. Make sure you have procedures in places that will instruct the employees on who they should contact and how they should handle the phishing emails. In addition to reporting to those in the company, it is also important to report them to the law enforcement community.

While it is likely that phishing is going to continue being a problem for some time, utilizing these basic strategies and working with InfoSec can help to keep your construction business safer.


Phishing continues to be a problem in the construction industry, and it is not going to end soon. Companies need to take the advice above to help shore up their safety from these sorts of attacks. It can also help to work with a professional company like InfoSec, which has been working in this field since 1998. The company offers a range of tutorials, training, and tools that staff, including the IT department, can utilize in an effort to eliminate phishing and other types of cyberattacks aimed at your business.

It only takes a few minutes to get started and to set up an account, and it can be one of the best things you do for your business to keep it safe.


Posted: December 12, 2017
View Profile