Australia’s construction sector has become a focal point for cybercriminals deploying Business Email Compromise (BEC) scams, according to recent findings from national and state law enforcement agencies.
The Australian Federal Police (AFP) – working alongside state police forces – has observed a marked escalation in these attacks, which are resulting in significant financial losses for businesses across the country.
Assistant Commissioner Richard Chin of the AFP’s Cyber Command highlighted the sector’s vulnerability, citing the prevalence of high-value transactions and intricate subcontracting arrangements as key risk factors.
“The construction sector, with its high-value transactions and complex subcontracting chains, has become an attractive target for organised cybercrime groups operating both domestically and offshore,” he said.
BEC scams typically involve criminals gaining access to business email accounts or convincingly impersonating company representatives.
Attackers then manipulate payment processes by sending fraudulent invoices or altering bank details on legitimate payment requests.
These methods often exploit the trust established between contractors, suppliers, and clients, making detection challenging until after funds have been transferred.
The construction industry is particularly susceptible due to frequent invoicing, large payment sums, and, in many cases, limited cybersecurity resources – especially among smaller operators.
Criminals use social engineering tactics, closely mimicking email styles and referencing prior legitimate communications to increase credibility.
In addition to social engineering, cybercriminals are employing malware that can infiltrate business systems when users interact with malicious links or attachments.
This software can quietly harvest login credentials, monitor email exchanges, and set up automated rules to intercept or redirect communications related to payments.
By the time a fraudulent transaction is discovered, funds are often dispersed through multiple international accounts, complicating recovery efforts.
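The mailbox rules described above are one of the few traces an investigator can look for before money moves. The following audit script is an added example, not code from the article or from the AFP: it scores a list of inbox rules for the patterns that recur in BEC intrusions (keyword triggers on invoice or payment terms, forwarding or redirection to an address outside the organisation's own domains, moving matching mail into rarely viewed folders such as RSS Feeds or Deleted Items, marking mail read or deleting it, and near-blank rule names such as "." or "..") and reports which rules trip which checks. The `InboxRule` dataclass is a simplified stand-in for whatever your mail platform exports (Exchange Online's `Get-InboxRule` output, for instance); the field names, sample mailbox, domains and rules are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Terms that typically appear in mail about money movement. A rule keyed on
# these deserves a second look even when the rest of it looks harmless.
PAYMENT_TERMS = re.compile(
    r"\b(invoice|payment|remittance|bank|bsb|account|wire|transfer|progress claim)\b",
    re.IGNORECASE,
)

# Folders attackers commonly use to hide redirected threads from the victim.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "deleted items", "junk email", "archive", "notes"}


@dataclass
class InboxRule:
    """Simplified stand-in for an exported mailbox rule (constructed schema)."""
    mailbox: str
    name: str
    enabled: bool = True
    subject_or_body_contains: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    move_to_folder: str = ""
    mark_as_read: bool = False
    delete_message: bool = False


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule, trusted_domains):
    """Return the reasons this rule resembles BEC tradecraft (empty list if clean)."""
    findings = []
    if not rule.enabled:
        return findings
    if any(PAYMENT_TERMS.search(t) for t in rule.subject_or_body_contains):
        findings.append("triggers on payment-related keywords")
    external = [a for a in rule.forward_to + rule.redirect_to
                if _domain(a) not in trusted_domains]
    if external:
        findings.append("forwards/redirects to external address(es): " + ", ".join(external))
    if rule.move_to_folder.lower() in HIDE_FOLDERS:
        findings.append("moves mail to an unusual folder: " + rule.move_to_folder)
    if rule.delete_message or rule.mark_as_read:
        findings.append("deletes or marks messages as read without user action")
    if len(rule.name.strip(". ,-_")) <= 1:
        findings.append("rule name is blank or a single character: %r" % rule.name)
    return findings


def audit(rules, trusted_domains):
    """Map (mailbox, rule name) to findings for every suspicious rule; clean rules are omitted."""
    report = {}
    for r in rules:
        f = rule_findings(r, trusted_domains)
        if f:
            report[(r.mailbox, r.name)] = f
    return report


# Constructed sample data: one accounts-payable mailbox with three rules, one of
# which carries the classic BEC interception pattern.
TRUSTED_DOMAINS = {"example-builders.com"}
SAMPLE_RULES = [
    InboxRule("accounts@example-builders.com", ".",
              subject_or_body_contains=["invoice", "remittance advice"],
              forward_to=["ap-backup@attacker.example.net"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("accounts@example-builders.com", "Newsletters",
              subject_or_body_contains=["unsubscribe"],
              move_to_folder="Newsletters"),
    InboxRule("accounts@example-builders.com", "Site updates",
              subject_or_body_contains=["site diary"],
              forward_to=["pm@example-builders.com"]),
]

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES, TRUSTED_DOMAINS).items():
        print(mailbox, repr(name))
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, the useful output is not the single obvious rule but the combination: a rule that both matches payment keywords and hides or forwards the mail is almost never legitimate, and a hit on a finance mailbox should trigger a call to the payee over a known phone number before any outstanding invoice is paid.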
Data from the National Anti-Scam Centre indicates that BEC scams cost Australian businesses over $152 million in 2024, a 66% increase on the previous year.
These scams now represent a significant portion of reported cybercrime incidents, with the construction sector among the most affected.
In New South Wales, a construction firm lost $41,800 after acting on a fake invoice, but swift reporting enabled authorities to recover the funds.
A South Australian conveyancing business saw a client nearly lose $338,000 in a similar scam, with intervention from law enforcement preventing the loss.
In Tasmania, a homeowner was defrauded of $120,000 after scammers intercepted email exchanges with a builder and issued a counterfeit invoice. Delayed reporting meant the money could not be retrieved.
In Queensland, an organisation lost over $1 million after scammers impersonated a construction company, demonstrating extensive knowledge of the business relationship. Some funds were recovered, but the incident underscored the international reach of these operations.
Law enforcement officials urge businesses to adopt robust verification procedures for payment requests.
“No matter how legitimate a request may appear, always confirm payment instructions through a secondary communication channel, such as a trusted contact you’ve previously engaged with. Cybercrime prevention is a shared responsibility, and even small steps can stop significant financial losses,” Chin said.
Recommended measures include:
To address the growing threat, the AFP established Operation Dolos in 2020, bringing together federal, state, and territory agencies, as well as financial sector partners.
This multiagency taskforce focuses on disrupting cybercriminal networks and recovering stolen assets where possible.
Additionally, the Joint Policing Cybercrime Coordination Centre (JPC3) has launched the ClickFit campaign, which aims to educate businesses and individuals on recognising scam tactics and adopting safer online behaviours.
The campaign encourages regular password updates, the use of multi-factor authentication, and a cautious approach to digital communications.