Construction runs on email. Quotes, variations, applications for payment and final accounts all move by email, often between firms that have never met in person. That makes the sector a favourite for payment redirection fraud, and most firms have nothing in place to stop it.

How Construction Firms get targeted

Payment redirection

A criminal watches email between you and a client or subcontractor, then just before a payment is due sends a message asking for the money to go to a new account. The email looks like it came from you. If your domain has no DMARC, nothing flags it as fake.

Fake applications for payment

Scammers submit forged applications or invoices using your company name, hoping accounts pays before anyone checks. Main contractors processing dozens of invoices a month are the target.

Supply chain impersonation

Your merchants and subbies receive emails that appear to be from you, chasing early payment or changing bank details. The damage lands on your relationships, not only your bank balance.

Project data harvesting

A compromised inbox hands criminals programme dates, contract values and contact lists, everything they need to make the next fraud more convincing.

What this looks like in practice

A groundworks subcontractor emails a £48,000 application for payment. Two days later the main contractor gets a follow-up from the same name and address: "we have changed bank, please use the new details." It was a criminal sitting on a compromised mailbox in the chain. The money went out and the bank recovered none of it. Neither firm had DMARC set to reject, so the fake emails went straight through.

Your quick checklist

  • DMARC set to reject on every domain you invoice from
  • SPF listing your real senders (Microsoft 365, accounts software, CRM)
  • MFA on all mailboxes, especially accounts and directors
  • A written rule that bank-detail changes are verified by phone to a known number
  • Phishing awareness refreshed in the last 12 months

Questions we get asked

We use a main contractor portal for payments. Do we still need this?

Yes. The portal handles the application, but plenty of fraud happens in the email around it: queries, chasing, and "change of bank" messages. If your own domain can be spoofed, criminals can impersonate you to everyone you email, portal or not.

Our IT is handled by the company that does our site broadband. Are we covered?

Broadband and email security are different jobs. Email authentication lives in your domain DNS records and is commonly missed. Run the free check to see what is actually set, then hand the result to whoever manages your IT.

We work with a lot of self-employed subbies. Does their setup affect us?

It can. If a subcontractor mailbox is compromised, criminals use it to target you. You cannot fix their setup, but locking down your own domain and verifying bank changes by phone protects you either way.

Run the free check above to see whether your domain can be impersonated, and get a plain-English list your IT team can action.