Construction sector faces a concerning rise in email scams from cybercriminals, warns AFP

The construction sector has become a key target for cybercriminals who are weaponising vulnerabilities in the sector to steal millions of dollars through fake emails, according to the Australian Federal Police.

The AFP has revealed it is tracking a “concerning rise” in business email compromise (BEC) scams across the industry where cybercriminals impersonate a business or its employees via email to deceive victims into redirecting legitimate payments to fraudulent accounts.

“The construction sector, with its high-value transactions and complex subcontracting chains, has become an attractive target for organised cybercrime groups operating both domestically and offshore,” says Richard Chin, the AFP’s assistant commissioner of Cyber Command.

“Unfortunately, victims often don’t realise they’ve been defrauded until it’s too late and the funds have already been moved through multiple international accounts.”

Scammers stole more than $152.6 million from Australians using BEC attacks in 2024. This was up 66 per cent on 2023, when $91.6 million in losses were reported, according to the Targeting Scams report by the National Anti-Scams Centre. 

The AFP says this puts BEC scams among the top three self-reported cybercrimes for business in Australia, accounting for 13 per cent of all reports according to data from ReportCyber.

The AFP says the construction industry is a prime BEC target due to its high-value transactions, frequent invoicing and often limited cybersecurity resources – especially among small, family-run businesses.

These businesses typically lack dedicated finance teams and are time-poor, making them vulnerable to sophisticated scams that exploit trust and urgency.

“We’re all busy and it’s easy to rush through tasks, but when it comes to payments, taking a moment to stop and verify can be the difference between protecting your hard-earned cash and becoming a victim to cybercrime,” says Chin.

“No matter how legitimate a request may appear, always confirm payment instructions through a secondary communication channel, such as a trusted contact you’ve previously engaged with.”

The AFP says BEC attacks use advanced social engineering, real-time surveillance and psychological manipulation to bypass even cautious targets by mimicking tone, formatting and internal processes with “alarming precision”.

Sometimes they even reference previous legitimate communications which criminals may have intercepted.

Cybercriminals are also using sophisticated malware to carry out BEC scams, usually accessed when someone in the business clicks a malicious link or opens a fake attachment.

The malware runs quietly in the background, often without triggering antivirus alerts, to capture login details for email and banking systems, giving criminals access to real business accounts.

“Once inside, criminals monitor email conversations and set up hidden rules that automatically forward or delete messages containing keywords such as invoice, purchase, or payment – helping them intercept financial communications,” says the AFP.

“Using real email accounts, which are often spoofed to replicate the legitimate account, they send convincing invoices with fake bank details, deceiving businesses into sending money to criminal-controlled accounts.

“These viruses are designed to avoid detection and can stay active for weeks or months, allowing criminals to plan and execute multiple attacks.”
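One way to check mailboxes for the hidden rules the AFP describes, as an added example that is not part of the original article. It assumes mailbox rules have already been exported to simple records; the field names, addresses and sample rules below are constructed for illustration and do not follow any particular mail system's schema.

```python
# Added example: audit exported mailbox rules for rules that forward or delete
# mail containing payment-related keywords. The record layout is an assumption.
FINANCE_KEYWORDS = {"invoice", "purchase", "payment"}  # keywords named in the article

# Constructed sample data; every address and domain is a placeholder.
SAMPLE_RULES = [
    {"mailbox": "accounts@builder.example", "name": ".",
     "keywords": ["Invoice", "payment"],
     "forward_to": ["inbox4471@mailbox.example"], "delete": True},
    {"mailbox": "accounts@builder.example", "name": "Supplier invoices",
     "keywords": ["invoice"], "forward_to": [], "delete": False},
    {"mailbox": "site@builder.example", "name": "Copy to office",
     "keywords": [], "forward_to": ["office@builder.example"], "delete": False},
]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule, own_domains):
    """Return the reasons a rule matches the forward-or-delete pattern, if any."""
    phrases = [p.lower() for p in rule.get("keywords", [])]
    hits = sorted(k for k in FINANCE_KEYWORDS if any(k in p for p in phrases))
    if not hits:
        return []  # rule does not key on payment-related words
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in own_domains]
    if external:
        reasons.append(f"forwards {'/'.join(hits)} mail outside the business: "
                       + ", ".join(external))
    if rule.get("delete"):
        reasons.append(f"deletes {'/'.join(hits)} mail")
    return reasons

def audit(rules, own_domains):
    """Return (mailbox, rule name, reasons) for every rule worth a manual look."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, own_domains)
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings

if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_RULES, {"builder.example"}):
        print(f"{mailbox}: rule {name!r}")
        for reason in reasons:
            print("  -", reason)
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.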

The AFP says a conveyancing firm in South Australia was targeted by a BEC scam when a client overseas who was settling a property received a fraudulent invoice for $338,000 after the conveyancing firm's email was compromised.

The AFP’s Operation Dolos, acting on information from international partners, intercepted the payment and recovered the full amount for the victim.

A Tasmanian woman had $120,000 stolen after scammers intercepted her email correspondence with a construction company that she had hired to renovate her home.

Using a spoofed email address that closely mimicked the legitimate business, the criminals claimed the company had updated its banking details and sent a new invoice.

The invoice was an exact replica of the original, except the payment details had been replaced with the scammers’ account. Due to a delay in reporting, the AFP says the money was not recoverable.

Chin says cybercrime prevention is a “shared responsibility” where small steps can prevent significant financial losses. 

“The AFP is working closely with industry partners, state, territory and international law enforcement, and financial institutions to disrupt these criminal syndicates,” he says.

“Through initiatives such as Operation Dolos, we are actively identifying offenders and recovering stolen funds where possible.” 

The AFP established the multiagency taskforce Operation Dolos in January 2020 to target the growing threat of BEC.

It comprises the Joint Policing Cybercrime Coordination Centre (JPC3), state and territory police, the Australian Criminal Intelligence Commission, the Australian Cyber Security Centre, AUSTRAC and the financial sector.

JPC3 has launched a cybercrime awareness campaign, known as ClickFit, to provide warning signs of scams and offer a guide for Australians to protect themselves online. 
