Construction runs on email. Quotes, variations, applications for payment and final accounts all move by email, often between firms that have never met in person. That makes the sector a favourite for payment redirection fraud, and most firms have nothing in place to stop it.
A criminal watches email between you and a client or subcontractor, then just before a payment is due sends a message asking for the money to go to a new account. The email looks like it came from you. If your domain has no DMARC, nothing flags it as fake.
Scammers submit forged applications or invoices using your company name, hoping accounts pays before anyone checks. Main contractors processing dozens of invoices a month are the target.
Your merchants and subbies receive emails that appear to be from you, chasing early payment or changing bank details. The damage lands on your relationships, not only your bank balance.
A compromised inbox hands criminals programme dates, contract values and contact lists, everything they need to make the next fraud more convincing.
A groundworks subcontractor emails a £48,000 application for payment. Two days later the main contractor gets a follow-up from the same name and address: "we have changed bank, please use the new details." It was a criminal sitting on a compromised mailbox in the chain. The money went out and the bank recovered none of it. Neither firm had DMARC set to reject, so the fake emails went straight through.
Yes. The portal handles the application, but plenty of fraud happens in the email around it: queries, chasing, and "change of bank" messages. If your own domain can be spoofed, criminals can impersonate you to everyone you email, portal or not.
Broadband and email security are different jobs. Email authentication lives in your domain DNS records and is commonly missed. Run the free check to see what is actually set, then hand the result to whoever manages your IT.
It can. If a subcontractor mailbox is compromised, criminals use it to target you. You cannot fix their setup, but locking down your own domain and verifying bank changes by phone protects you either way.
Run the free check above to see whether your domain can be impersonated, and get a plain-English list your IT team can action.