Quick Answer (for busy CFOs)
- Attackers get into email accounts (even with MFA)
- They watch invoices and payment conversations
- They change banking details at the right moment
- The money is wired—and usually gone for good
This isn’t a cybersecurity problem. It’s a cash-loss problem.
What Is Construction Payment Fraud?
Construction payment fraud happens when attackers intercept or impersonate email communications and redirect legitimate payments to fraudulent bank accounts.
In most cases, this is driven by business email compromise (BEC)—where criminals gain access to a real email account and quietly monitor activity.
Unlike ransomware:
- Nothing breaks
- No alarms go off
- The project keeps moving
But the money goes somewhere else.
Why This Is Hitting Houston Construction Companies Hard
At Preactive IT Solutions, we work with construction firms across Houston, and we’re seeing this more and more.
Construction companies are a perfect target because:
1. Large, frequent payments
- Progress payments
- Subcontractor invoices
- Supplier payments
- Escrow transfers
These can range from tens of thousands to millions.
2. Fast-moving environments
Payments are often:
- Time-sensitive
- Approved quickly
- Based on email communication
That speed creates opportunity.
3. Complex vendor relationships
With dozens (or hundreds) of vendors:
- Bank changes aren’t unusual
- New instructions happen regularly
- Accounting teams process high volume
That’s exactly what attackers exploit.
A Real Example: How $400,000 Disappeared
Here’s a real-world scenario we’ve seen in Houston:
A subcontractor had their accounting email account compromised.
- They had MFA in place
- But the attackers still got in
- No one noticed anything unusual
The attackers then:
- Monitored invoice activity
- Waited for a large payment
- Sent updated banking instructions to the general contractor
The general contractor:
- Received what looked like a legitimate email – because it really was from the subcontractor’s email account
- Updated the payment details
- Wired $400,000 to the attacker
By the time anyone realized:
The money was gone.
Where the breakdown happened
This wasn’t just a “hack.”
It was a failure on both sides:
- Subcontractor: Lacked deeper identity-level protection (beyond MFA)
- General contractor: Didn’t enforce strict payment verification procedures
That combination is exactly what attackers count on.
How Construction Payment Fraud Actually Happens
Most attacks follow the same pattern:
1. Account access
Attackers gain access through:
- Phishing
- Stolen credentials
- Session hijacking
- MFA bypass techniques
2. Silent observation
They don’t act immediately.
They:
- Watch email threads
- Learn vendor relationships
- Study invoice timing
- Understand approval workflows
They’re not guessing—they’re learning your business.
3. Perfect timing
When a payment is about to go out:
They insert a message like:
“We’ve updated our banking information. Please send this payment to the new account.”
Because it comes from a real or familiar thread:
- It looks legitimate
- It feels routine
4. Funds transfer
The payment is sent.
Then:
- It’s quickly moved across accounts
- Often internationally
- Recovery becomes extremely difficult
By the time you notice, it’s too late.
“We Have MFA—Aren’t We Protected?”
This is one of the most dangerous assumptions we see.
Multi-factor authentication (MFA) is important—but it is no longer enough.
Attackers are now using:
- Session token theft
- Adversary-in-the-middle attacks
- Push fatigue techniques
- Compromised trusted devices
That means:
- They don’t always need your password
- They don’t always trigger alerts
MFA slows them down—but it doesn’t stop them anymore.
How Much Money Are Companies Losing?
This is where it becomes real.
- Single incidents can be $50,000 to $500,000+
- In some cases, even higher
- Recovery rates are extremely low
And the hidden costs:
- Legal disputes
- Insurance complications
- Damaged vendor relationships
- Reputation impact
The job gets built—but the money is gone.
How to Prevent Construction Payment Fraud (Checklist)
If you’re a CFO or owner, this is where to focus:
1. Enforce payment verification policies
- Never accept banking changes via email alone
- Require phone verification using known numbers
- Implement dual approval for large transfers – Your bank can set this up.
2. Lock down identity (beyond MFA)
- Monitor for unusual login behavior
- Detect impossible travel or abnormal activity
- Identify suspicious authentication patterns
3. Protect email conversations
- Monitor for mailbox compromise
- Watch for forwarding rules or unusual behavior
- Alert on suspicious activity inside accounts
4. Train accounting teams
They should flag:
- Urgent payment requests
- Banking changes
- Slight wording changes in emails
- “Something feels off” situations
5. Align vendors and subcontractors
- Require verification procedures on both sides
- Communicate expectations clearly
- Remove reliance on email-only instructions
Why This Is a Leadership Issue—Not an IT Issue
This isn’t about firewalls or antivirus.
This is about:
- Cash flow
- Risk management
- Internal controls
One successful attack can:
- Disrupt projects
- Create financial loss
- Damage relationships
If you’re responsible for financial oversight, this is your problem—not just IT’s.
Final Thought
Construction payment fraud is growing because attackers understand:
- How your projects work
- How your invoices move
- How your payments get approved
The question isn’t whether this is happening.
It’s whether your organization will catch it before the money leaves.
If You Want a Second Set of Eyes
At Preactive IT Solutions, we work with construction companies across Houston to help identify risks like this—both on the security side and the process side.
If you ever want a second opinion on how your team handles payments or where gaps might exist, we’re always happy to take a look.
