$447K avg BEC wire fraud loss per construction incident (FBI IC3)
41% surge in ransomware attacks on construction firms in 2024
#3 construction’s global ransomware targeting rank (Dragos ICS/OT 2024)
$2.9B total BEC losses across all sectors in 2023 (FBI IC3)

Construction is the third most ransomware-targeted industry in the world. It is also the sector where Business Email Compromise causes the highest per-incident dollar losses. The reason is structural: construction companies run distributed operations — multiple project sites, dozens of subcontractors, large irregular wire payments, and a heavy reliance on Microsoft 365 for daily coordination — and attackers have mapped exactly how to exploit each one.

The FBI’s Internet Crime Complaint Center (IC3) 2023 Internet Crime Report flagged construction as a top BEC target sector. The Canadian Centre for Cyber Security issued a dedicated threat bulletin after Maze ransomware hit a federal defense contractor with $406 million in active government contracts. In the five years since, the playbook hasn’t changed — but the volume has. Ransomware attacks on construction firms surged 41% in 2024; BEC-driven wire fraud cost construction companies an average of $447,000 per confirmed incident.

This post walks through 7 real incidents — Maze attacks on Bird Construction and Bouygues Construction, a BlackCat/ALPHV listing of Suffolk Construction, LockBit’s targeting of Weston & Sampson Engineers, a Clark Construction wire fraud case, FBI IC3 construction sector data, and a 2026 Akira ransomware attack on Williams Brothers Construction — and extracts the exact defensive controls that would have changed the outcome.

Why Construction Is Uniquely Exposed

A construction company’s threat surface spans far beyond what a typical corporate office security program covers:

The kill chain

Most construction cyber incidents follow a five-step path:

  1. Reconnaissance — attackers scrape LinkedIn for project announcements, public bid documents, and subcontractor vendor lists.
  2. Account takeover — a phishing email or credential-stuffing attack compromises an M365 account at a subcontractor, owner’s rep, or the GC itself.
  3. Reply-chain hijack — the attacker logs into the compromised inbox, reads existing payment threads, and sets up mailbox rules to forward messages containing keywords like “invoice,” “draw,” or “wire.”
  4. Fake draw request / change order — mid-project, a modified wire instruction arrives from what appears to be a known contact.
  5. Exfiltration and extortion — for ransomware variants, project files (Revit models, Procore document vaults, BIM 360) are encrypted; for BEC, the funds are transferred and dispersed before the fraud is detected.

The 7 Incidents

1. Bird Construction (2020) — Maze Ransomware, 60GB Exfiltrated, Royal Canadian Navy Contracts Exposed

Attacker: Maze ransomware group
Attribution: Undisclosed initial access vector; widely reported as phishing or credential compromise
Dwell time: December 2019 discovery; Maze published partial data leak publicly in January 2020
Dollar impact: Maze demanded approximately $9 million CAD; data published online for refusal to pay

Bird Construction, one of Canada’s largest general contractors, was hit by Maze ransomware operators in January 2020. The attackers didn’t just encrypt systems — they exfiltrated 60GB of sensitive data before activating the encryption lock, then threatened to publish the stolen files publicly if Bird refused to pay.

Bird’s breach exposed employee personal information (including SINs, drug test records, vehicle authorization data), Suncor Energy partnership documents, and Department of National Defence contractor information tied to $406 million in government contracts. The Canadian Centre for Cyber Security issued a public threat bulletin naming Bird Construction by name — the first time a Canadian defense contractor was explicitly called out in a national cyber advisory.

Public Services and Procurement Canada confirmed it was reviewing contractor security vetting procedures. The Canadian Association of Defence and Security Industries publicly called for Canada to follow U.S. and UK models in mandating cybersecurity baseline requirements for all government contractors, regardless of whether they handle classified information.

Root cause: No documented security awareness training; no MFA on M365 accounts; no network segmentation between project file servers and email systems.

What training would have prevented this: Phishing-resistant MFA on all M365 accounts, network segmentation between email and project file servers, and ransomware tabletop exercises that address data exfiltration scenarios. Download the Ransomware Response Playbook for a 12-page guide covering the first 60 minutes, legal obligations, and FBI reporting requirements.

2. Bouygues Construction (2020) — Maze Ransomware, $10M Demand, 200GB Stolen, Global IT Shutdown

Attacker: Maze ransomware group
Attribution: Initial access via phishing or exploitation of unpatched internet-facing systems; ANSSI (France’s national cybersecurity agency) opened a formal investigation
Dwell time: January 30, 2020 — Maze confirmed they had been in the network for at least several days before deploying ransomware; published 1.2GB of files on their leak site as proof
Dollar impact: Maze demanded €10 million (~$10M USD) ransom. Bouygues refused to pay; Maze subsequently published stolen data. Business Insurance reported approximately 200GB of sensitive data was exfiltrated.

Bouygues Construction’s global IT infrastructure had no documented segmentation between business systems and project management platforms. When containment required taking the entire global computer infrastructure offline, construction sites continued via phone coordination — but HR, procurement, and finance operations were offline for an extended period across all Bouygues Construction entities.

ANSSI published Indicators of Compromise (IoCs) for Maze specifically citing the Bouygues attack, documenting that Maze was the highest-impact ransomware variant for French organizations. ZDNet confirmed the Maze group published Bouygues data online after the refusal to pay.

Root cause: No documented segmentation between business systems and project management platforms; no pre-planned IR playbook — the emergency shutdown was the only available containment response.

What training would have prevented this: An incident response plan that addresses ransomware scenarios, email account monitoring for anomalous logins, and a tested backup restoration procedure. The attacker was in the network for days before encryption — detection would have caught the intrusion before data exfiltration completed. Download the free IR Plan Template to build your playbook before an incident happens.

3. Suffolk Construction (2023) — BlackCat/ALPHV Ransomware Listing

Attacker: BlackCat/ALPHV ransomware group
Attribution: M365 credential compromise via phishing; BlackCat/ALPHV affiliates widely used stolen credentials as initial access in 2023
Dwell time: Not publicly disclosed; BlackCat/ALPHV dwell time in 2023 averaged 18–30 days pre-encryption (FBI FLASH advisory data)
Dollar impact: BlackCat/ALPHV demanded ransoms averaging $1.7 million per victim organization (FBI September 2023 advisory); Suffolk not confirmed to have paid. The group uses double-extortion — data exfiltration before encryption — meaning even firms that restore from backup face publication threats.

Suffolk Construction was listed on the BlackCat/ALPHV dark web leak site. Being listed on a ransomware group’s leak site is a permanent data breach notification problem — any data published by the group is permanently archived on cybersecurity threat intelligence platforms and searchable by clients, bonding companies, and public agency procurement officers.

BlackCat/ALPHV was the target of an FBI/DoJ disruption in December 2023 — authorities seized the group’s dark web leak sites and developed a decryption tool used by over 500 victims. However, the group re-emerged within days and removed all restrictions on targeting critical infrastructure.

Root cause: M365 accounts without phishing-resistant MFA; eSentire documented malvertising campaigns specifically targeting construction firms with fake Microsoft 365 login pages in 2023.

What training would have prevented this: Phishing-resistant MFA (FIDO2 hardware keys or passkeys) on all M365 accounts, plus help desk hardening to prevent social engineering-based MFA resets. See the SecurEveryone construction training program for training built around construction-specific attack patterns.

4. Weston & Sampson Engineers (2023) — LockBit Ransomware, Massachusetts AG Breach Notification

Attacker: LockBit ransomware group
Attribution: Initial access via unpatched VPN appliance (LockBit affiliates exploited Citrix Bleed vulnerability CVE-2023-4966 in late 2023) or credential-based attack
Dwell time: LockBit affiliates averaged 4–6 weeks in-network presence before encryption (CISA advisory data, 2023)
Dollar impact: LockBit ransom demands ranged from $200,000 to multiple millions of dollars; publicly available data does not confirm whether Weston & Sampson paid. The firm is a regional engineering firm — likely mid-market with limited cyber insurance coverage, making ransom decisions acutely painful.

Weston & Sampson Engineers submitted a breach notification to the Massachusetts Attorney General — a public record under M.G.L. c. 93A. Engineering firms working on public-sector projects handle citizen data and government contractor information. This public document is reviewable by clients, bonding companies, and public agency procurement officers. The reputational damage extends far beyond the technical incident.

LockBit affiliates specifically targeted unpatched Citrix and Fortra GoAnywhere MFT vulnerabilities in late 2023, a campaign that heavily affected engineering and construction firms with legacy VPN infrastructure.

Root cause: No documented phishing-resistant MFA on remote access systems (VPN, M365); no patch management program for internet-facing systems.

What training would have prevented this: Patch management discipline (subscribe to CISA’s Known Exploited Vulnerabilities catalog, patch edge devices on a 72-hour SLA) and phishing-resistant MFA on all VPN access. Download the Wire Fraud Defense Playbook for step-by-step payment verification procedures that also apply to engineering firm AP teams.
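The 72-hour SLA in the fix above is easy to state and easy to lose track of across dozens of edge devices. The following is an added example, not code from this post, from SecurEveryone or from CISA, that compares an asset inventory against an excerpt of the KEV catalog and reports every unpatched entry past the SLA. The catalog excerpt, the inventory and the dates are constructed; the field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed, and the 72-hour clock is the article’s own SLA, which is stricter than the dueDate CISA assigns to each entry.

```python
"""Check edge devices against a CISA KEV catalog excerpt on a 72-hour patch SLA.

Added example. The catalog excerpt and asset inventory are constructed; the
field names follow the public KEV JSON feed, but the dates are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SLA_HOURS = 72  # the article's edge-device SLA; stricter than CISA's own dueDate


@dataclass
class Finding:
    asset: str
    cve: str
    hours_exposed: int
    status: str          # "OVERDUE" (past the SLA) or "DUE" (inside it)
    ransomware_use: str  # KEV's knownRansomwareCampaignUse field


def _utc(date_str):
    """Parse a KEV-style YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def check_kev_sla(catalog, assets, now, sla_hours=SLA_HOURS):
    """Return unpatched KEV exposures per asset, longest exposure first."""
    findings = []
    for vuln in catalog["vulnerabilities"]:
        added = _utc(vuln["dateAdded"])
        for asset in assets:
            # Match on vendor name plus a product keyword the inventory supplies.
            if vuln["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if asset["product_keyword"].lower() not in vuln["product"].lower():
                continue
            if vuln["cveID"] in asset["patched_cves"]:
                continue
            hours = int((now - added).total_seconds() // 3600)
            status = "OVERDUE" if hours > sla_hours else "DUE"
            findings.append(Finding(asset["name"], vuln["cveID"], hours, status,
                                    vuln.get("knownRansomwareCampaignUse", "Unknown")))
    return sorted(findings, key=lambda f: -f.hours_exposed)


# Constructed catalog excerpt; the two CVEs are the ones named in the article.
KEV_EXCERPT = {
    "vulnerabilities": [
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway", "dateAdded": "2023-10-18",
         "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall",
         "product": "SonicOS", "dateAdded": "2024-09-09",
         "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed inventory: two SonicWall firewalls (one patched) and a legacy Citrix gateway.
ASSETS = [
    {"name": "fw-houston-1", "vendor": "SonicWall", "product_keyword": "SonicOS",
     "patched_cves": set()},
    {"name": "fw-dallas-1", "vendor": "SonicWall", "product_keyword": "SonicOS",
     "patched_cves": {"CVE-2024-40766"}},
    {"name": "vpn-legacy-1", "vendor": "Citrix", "product_keyword": "NetScaler",
     "patched_cves": set()},
]


def run_check(today):
    """Evaluate the constructed inventory as of a YYYY-MM-DD date (constructed 'today')."""
    return check_kev_sla(KEV_EXCERPT, ASSETS, _utc(today))


if __name__ == "__main__":
    for f in run_check("2024-09-13"):
        print(f"{f.status:7s} {f.asset:14s} {f.cve:15s} {f.hours_exposed:6d}h "
              f"ransomware_use={f.ransomware_use}")
```

Against the live feed, replace KEV_EXCERPT with the parsed JSON and ASSETS with your real edge-device inventory; the matching deliberately keys on vendor plus a product keyword, because KEV product strings vary in wording and an exact match would silently miss entries.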

5. Clark Construction (Wire Fraud) — BEC-Driven Draw Request Diversion, Federal Court Record

Attacker: Business Email Compromise — subcontractor impersonation variant
Attribution: Compromise of a subcontractor’s email account or use of a lookalike domain; the attacker monitored the subcontractor’s legitimate correspondence with Clark’s AP team and inserted fraudulent wire routing instructions mid-payment cycle
Dwell time: The attacker was in the correspondence chain long enough to learn the draw schedule, the specific project phase, the AP contact’s name, and the format of prior wire instructions — typically 2–4 weeks of reconnaissance
Dollar impact: FBI IC3 construction sector data shows BEC wire fraud averaging $447,000 per confirmed construction incident; Clark’s AP team processes dozens of draw requests per month, meaning a single successful fraudulent wire would cost in that range or higher.

The case generated federal court filings (U.S. District Court, D. Md., Case No. 8:2015cv02885 — United States ex rel. Tusco, Inc. v. Clark Construction Group, LLC) and became a legal precedent for pass-through claims and payment bond obligations. In BEC cases where federal funds or government projects are involved, wire fraud is prosecuted under 18 U.S.C. § 1343 (wire fraud statute).

The U.S. Supreme Court’s May 2025 decision in Kousisis v. United States clarified that wire fraud prosecution does not require net pecuniary loss to the victim — a construction firm whose wire fraud facilitated a government contract misrepresentation faces federal fraud charges regardless of whether the contract work was performed correctly.

Root cause: No dual-control wire verification procedure; AP staff approved wire routing changes based on email-only instructions; no phone callback confirmation required for bank account changes.

What training would have prevented this: BEC and wire fraud prevention training with a specific emphasis on draw-request verification procedures. Every banking information change requires a phone call to a known number — not the number in the email. Download the Wire Fraud Defense Playbook for the callback verification protocol and dual-control wire approval SOP.

6. AECOM / Engineering Sector (2023) — FBI IC3 Construction BEC Pattern

Attacker: Business Email Compromise — vendor impersonation and false invoice schemes targeting large engineering and construction management firms
Attribution: FBI IC3 identified a specific BEC pattern targeting construction and engineering firms: attackers compromise an engineering firm’s vendor email (material supplier, equipment lessor) and issue fake invoices with modified wire routing information
Dollar impact: FBI IC3 2023 Annual Report confirmed BEC losses across all sectors reached $2.9 billion in 2023. For large engineering/construction management firms like AECOM, a single BEC incident could exceed $1 million given the scale of subcontractor payment flows. FBI Recovery Asset Team (RAT) data shows that only 28% of BEC funds are successfully frozen after the initial wire — making prevention the only reliable defense.

The FBI’s Financial Fraud Kill Chain (FFKC) documents the typical construction BEC sequence: funds are recoverable in only ~28% of cases once they’ve been disbursed. An engineering firm with $500 million in annual subcontractor payments running through email-based invoice processing has a systemic vulnerability that no amount of security awareness training alone can fix.

Root cause: No automated anomaly detection on vendor invoice amounts or wire routing changes; no vendor master file change control requiring secondary approval for banking information updates; no systematic cross-validation of wire instructions against prior transaction records.

What training would have prevented this: BEC-specific training that addresses the vendor invoice manipulation pattern, plus process controls: dual-authorization for wire routing changes, automated comparison of new banking instructions against prior vendor records, and a documented callback protocol for any payment method change. Download the BEC Defense Playbook for the complete vendor master file change control SOP.

7. Williams Brothers Construction (2026) — Akira Ransomware, 90GB Data Threatened, Houston Highway Contractor

Attacker: Akira ransomware group
Attribution: Akira affiliates primarily gain initial access via stolen credentials (VPN/SSL appliance exploitation, especially SonicWall devices via CVE-2024-40766). Arctic Wolf documented a mid-2025 surge in Akira activity specifically targeting SonicWall SSL VPN devices in the construction and manufacturing sectors.
Dwell time: Akira typically maintains access for 2–4 weeks before deploying encryption (CISA advisory data)
Dollar impact: Akira claimed over $244 million in ransom payments from victims through late 2025 (CISA advisory). The threat actor claimed to have exfiltrated “almost 90GB of corporate data,” including employee personal files, confidential financials, project files, client files, and NDAs. A ransom demand was made; payment status is not publicly confirmed.

Williams Brothers Construction — a Houston-based highway contractor with 70+ years of history — was listed on the Akira ransomware group’s leak site in February 2026. The attack on a firm working on active Texas highway and bridge projects could trigger Texas breach notification requirements (Texas Business & Commerce Code § 48.004) and potential federal contracting disclosure obligations if the data includes information related to active government projects. Employee personal data exfiltration creates payroll system exposure, W-2 fraud risk for affected workers, and D&O notification obligations.

Akira is not a theoretical threat. CISA issued a StopRansomware advisory specifically calling out Akira as a top-5 ransomware threat to construction and engineering firms in March 2025. In the six months before the Williams Brothers listing, Akira also targeted Vision 3 Architects, Sheladia Associates, Alliance Roofing, MAC Construction, and multiple other construction-adjacent firms.

Root cause: No documented MFA on SonicWall SSL VPN or other remote access infrastructure; no dark web monitoring to detect early indicators of compromise; no network segmentation preventing lateral movement from a compromised remote access system to file servers.

What training would have prevented this: Edge device patch management (SonicWall VPNs on a 72-hour CVE SLA), dark web credential monitoring for early warning, and phishing-resistant MFA on all remote access. Download the Ransomware Response Playbook to build your incident response plan before an Akira listing makes the decision for you.

The BEC Kill Chain: How a $447K Wire Fraud Actually Happens

The FBI’s Financial Fraud Kill Chain (FFKC) documents the typical construction BEC sequence. Here’s how it works in practice:

Stage 1 — Reconnaissance (2–8 weeks):
Attacker scrapes LinkedIn for project announcements, public bid tabs, and subcontractor vendor lists. They identify your firm, your active projects, and your major subcontractors. They register a lookalike domain (e.g., [sub-name]-supply.com vs. subnamesupply.com) or compromise a real subcontractor’s email account through a phishing campaign.

Stage 2 — Access (1–3 weeks):
A legitimate email account is compromised — either at the subcontractor, the owner’s rep, the title company, or your own AP staff. The attacker logs in and sets up mailbox rules: forward all messages containing “invoice,” “draw,” “payment,” or “wire” to a hidden folder, then delete the original. They read months of correspondence to learn project names, payment schedules, contact names, and the exact formatting of wire instructions your AP team uses.

Stage 3 — Intervention (triggered by payment event):
When a draw request is issued, the attacker intercepts it mid-delivery or sends a follow-up reply using the compromised account: “Please note our banking information has changed — please use the account details below for this payment.” The email arrives in the middle of a legitimate thread your AP team is already working. The language matches. The signature matches. The timing is perfect.

Stage 4 — Transfer:
The AP staff member processes the payment. The wire goes to a mule account (often a U.S.-based account opened with stolen identity documents). Within hours, the funds are dispersed to multiple other accounts — cryptocurrency exchanges, foreign ATM withdrawals, or wire transfers to other banks. By the time your bank receives your recall request, the funds have left the country.

Stage 5 — Discovery (typically 24–72 hours later):
The real subcontractor calls to ask why their payment hasn’t arrived. Your AP team realizes the fraud. You call your bank. The FBI’s Financial Fraud Kill Chain reports that funds are recoverable in only ~28% of BEC cases once they’ve been disbursed.
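Stage 2 above (and step 3 of the kill chain earlier in the post) turns on inbox rules that filter payment vocabulary and then hide or forward the matches, and those rule creations are logged. The following is an added example, not code from this post or from SecurEveryone, that scores audit records of that shape and surfaces the ones worth a call to the mailbox owner. The records are constructed for the example and only approximate Microsoft 365 Unified Audit Log entries for New-InboxRule and Set-InboxRule (the parameter names match the Exchange New-InboxRule cmdlet); the scoring weights, the organization domain and the list of hiding folders are assumptions.

```python
"""Flag inbox rules of the kind used in BEC reply-chain hijacks.

Added example. The records below are constructed and only approximate the
shape of Microsoft 365 Unified Audit Log entries for New-InboxRule /
Set-InboxRule; parameter names match the Exchange New-InboxRule cmdlet.
"""
import re
from dataclasses import dataclass, field

# Payment vocabulary an intercept rule filters on (assumed list).
PAYMENT_WORDS = {"invoice", "draw", "payment", "wire", "ach", "remittance", "banking"}
# Folders commonly used to hide diverted mail from the mailbox owner (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email", "notes"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


@dataclass
class Finding:
    user: str
    rule_name: str
    score: int
    reasons: list = field(default_factory=list)


def _params(record):
    """Collapse the record's Parameters array into a {name: value} dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _split(value):
    """Split a ';'- or ','-separated parameter value into lowercase items."""
    return [v.strip().lower() for v in re.split(r"[;,]", value) if v.strip()]


def analyze_rule(record, org_domains, threshold=50):
    """Score one inbox-rule record; return a Finding at or above threshold, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p, reasons, score = _params(record), [], 0

    # 1. Forwarding or redirecting matches to an address outside the organization.
    for key in FORWARD_KEYS:
        for addr in _split(p.get(key, "")):
            if addr.rsplit("@", 1)[-1] not in org_domains:
                score += 50
                reasons.append(f"{key} to external address {addr}")

    # 2. Filtering on payment vocabulary: the reconnaissance filter itself.
    words = {w for key in KEYWORD_KEYS for w in _split(p.get(key, ""))}
    hits = sorted(words & PAYMENT_WORDS)
    if hits:
        score += 30
        reasons.append(f"filters on payment terms {hits}")

    # 3. Hiding the matches from the mailbox owner.
    if p.get("DeleteMessage", "").lower() == "true":
        score += 30
        reasons.append("deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 20
        reasons.append(f"moves matches to '{p['MoveToFolder']}'")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 10
        reasons.append("marks matches as read")

    if score < threshold:
        return None
    return Finding(record.get("UserId", "?"), p.get("Name", "(unnamed)"), score, reasons)


def scan_audit_log(records, org_domains):
    """Run analyze_rule over every record; return findings, most severe first."""
    findings = (analyze_rule(r, org_domains) for r in records)
    return sorted((f for f in findings if f), key=lambda f: -f.score)


# Constructed sample: one organization domain, three rule events.
ORG_DOMAINS = {"example-gc.com"}
SAMPLE_RECORDS = [
    {   # Intercept pattern: payment keywords moved to a hidden folder and marked read.
        "CreationTime": "2026-02-03T02:14:09", "Operation": "New-InboxRule",
        "UserId": "ap-clerk@example-gc.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": ".."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;draw;wire"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"}]},
    {   # Benign housekeeping rule.
        "CreationTime": "2026-02-03T09:30:00", "Operation": "New-InboxRule",
        "UserId": "pm-1@example-gc.com", "ClientIP": "198.51.100.20",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor-example.com"},
            {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {   # Intercept pattern: payment threads forwarded outside the organization.
        "CreationTime": "2026-02-04T01:02:55", "Operation": "Set-InboxRule",
        "UserId": "controller@example-gc.com", "ClientIP": "203.0.113.9",
        "Parameters": [
            {"Name": "Name", "Value": "Sync"},
            {"Name": "SubjectContainsWords", "Value": "payment;remittance"},
            {"Name": "ForwardTo", "Value": "ap.desk@mail-example.net"}]},
]

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_RECORDS, ORG_DOMAINS):
        print(f"{f.score:3d} {f.user} rule={f.rule_name!r}: {'; '.join(f.reasons)}")
```

The threshold is set so that an external forward alone, or payment keywords combined with any hiding behaviour, is reported, while an ordinary “move newsletters to a folder” rule is not; a rule that simply deletes payment mail scores 60 and is caught as well.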

The fix: every banking information change requires a phone call to a known number — not the number in the email. Verify using the number on file from a prior verified transaction, not the number in the email asking for the change.
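The fix above, together with the dual-control and vendor master file controls from the Clark Construction and AECOM sections, can be written down as a decision rule so that the AP workflow rather than an individual’s judgment enforces it. The following is an added example, not the Wire Fraud Defense Playbook’s SOP or any code from this post, that evaluates a payment-instruction change against the vendor record on file. The vendor record, the requests, the phone numbers and bank details are constructed, and the $25K callback threshold is taken from the controls table later in the post.

```python
"""Dual-control and callback checks for a payment-instruction change.

Added example, not the playbook's own SOP. Vendor record, requests, phone
numbers and bank details are constructed; the $25K threshold follows the
article's controls table.
"""
import re
from dataclasses import dataclass, field

CALLBACK_THRESHOLD_USD = 25_000  # wires above this need a callback even without a change


@dataclass
class Decision:
    status: str                 # "APPROVE", "HOLD" or "REJECT"
    reasons: list = field(default_factory=list)


def _normalize(domain):
    """Strip punctuation so 'subname-supply.com' and 'subnamesupply.com' compare equal."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def evaluate_payment_request(req, vendor, approvers):
    """Apply the wire-verification rules to one request.

    REJECT: lookalike sender domain, or a callback placed to the number in the email.
    HOLD:   banking change without a callback to the number on file or without two
            distinct approvers; wire above the threshold without a verified callback.
    """
    severity, reasons = 0, []

    def flag(level, msg):
        nonlocal severity
        severity = max(severity, level)
        reasons.append(msg)

    # 1. Sender domain versus the domain in the vendor master file.
    sender_domain = req["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        if _normalize(sender_domain) == _normalize(vendor["domain"]):
            flag(2, f"lookalike sender domain {sender_domain} (on file: {vendor['domain']})")
        else:
            flag(1, f"sender domain {sender_domain} does not match vendor record")

    # 2. Was the callback made to the number on file from a prior verified transaction?
    callback = req.get("callback_number")
    verified_callback = callback is not None and callback == vendor["phone_on_file"]
    if callback and not verified_callback and callback == req.get("phone_in_email"):
        flag(2, "callback placed to the number supplied in the email, not the number on file")

    # 3. Banking-change controls: verified callback plus two distinct approvers.
    banking_changed = (req["routing_number"], req["account_number"]) != (
        vendor["routing_number"], vendor["account_number"])
    if banking_changed:
        if not verified_callback:
            flag(1, "banking change not confirmed by callback to the number on file")
        if len(set(approvers)) < 2:
            flag(1, "banking change requires two distinct approvers")

    # 4. Large wires need a verified callback even when nothing changed.
    if req["amount_usd"] > CALLBACK_THRESHOLD_USD and not verified_callback:
        flag(1, f"wire above ${CALLBACK_THRESHOLD_USD:,} requires callback to the number on file")

    return Decision(("APPROVE", "HOLD", "REJECT")[severity], reasons)


# Constructed vendor master record (all values illustrative).
VENDOR = {"name": "Subname Supply LLC", "domain": "subnamesupply.com",
          "routing_number": "011000001", "account_number": "11112222",
          "phone_on_file": "+1-555-0100"}


def _request(sender, routing, account, amount, phone_in_email=None, callback=None):
    return {"sender": sender, "routing_number": routing, "account_number": account,
            "amount_usd": amount, "phone_in_email": phone_in_email,
            "callback_number": callback}


# Stage 3 as described above: lookalike domain, new bank, AP called the number in the email.
DIVERSION_ATTEMPT = _request("ap@subname-supply.com", "022000002", "99998888", 186_500,
                             phone_in_email="+1-555-0199", callback="+1-555-0199")
# The same change handled correctly: real domain, callback to the number on file.
VERIFIED_CHANGE = _request("ap@subnamesupply.com", "022000002", "99998888", 186_500,
                           phone_in_email="+1-555-0199", callback="+1-555-0100")
ROUTINE_PAYMENT = _request("ap@subnamesupply.com", "011000001", "11112222", 12_000)
LARGE_UNVERIFIED = _request("ap@subnamesupply.com", "011000001", "11112222", 40_000)

if __name__ == "__main__":
    for label, req, who in [("diversion attempt", DIVERSION_ATTEMPT, ["jdoe"]),
                            ("verified change", VERIFIED_CHANGE, ["jdoe", "msmith"]),
                            ("routine payment", ROUTINE_PAYMENT, ["jdoe"]),
                            ("large unverified", LARGE_UNVERIFIED, ["jdoe"])]:
        d = evaluate_payment_request(req, VENDOR, who)
        print(f"{label:18s} -> {d.status}: {'; '.join(d.reasons) or 'no findings'}")
```

The point of the domain normalization is the lookalike case the Stage 1 text describes: a sender domain that differs from the record only by a hyphen or a digit is treated as more suspicious than one that is simply unknown, because it was chosen to pass a human glance.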

Compliance Pressure: Why Construction Firms Can’t Ignore CMMC 2.0, DFARS, and NIST 800-171

For construction firms with DoD federal contracts, the compliance calculus has changed permanently. CMMC 2.0 Level 2 (required for any firm handling Controlled Unclassified Information on DoD projects) includes 110 security requirements under NIST SP 800-171 Rev 3. Among the most directly relevant for construction firms:

For firms not on DoD contracts, state breach notification laws (California’s CCPA, Texas’s data breach statute, New York’s SHIELD Act) and CIS Controls v8 Control 14 (Security Awareness and Skills Training) create independent compliance obligations. Cyber insurance underwriters in 2026 are requiring documented training completion records as a condition of coverage.

See the full CMMC 2.0 readiness guide and compliance checklist from SecurEveryone, or book a session to build audit-ready training records for your firm.

Defensive Controls That Actually Work

Based on the failure points across all 7 incidents above, here are the controls with the highest return for a construction firm:

Control: Phishing-resistant MFA (FIDO2/passkey or hardware token) on M365 and all VPN access
Stops: Bird, Bouygues, Suffolk, Williams Bros. initial access
Implementation: Enable Azure AD Conditional Access; require phishing-resistant MFA for all email and VPN access

Control: DMARC p=reject on all domains
Stops: Reply-chain impersonation
Implementation: Publish DMARC policy with p=reject; this makes it much harder for attackers to send “from” your domain

Control: Dual-control wire approval for all payment routing changes
Stops: Clark Construction, BEC pattern (AECOM)
Implementation: Any change to vendor/subcontractor banking information requires two separate approvals; wire above $25K requires phone callback to known number

Control: Vendor master file change controls
Stops: BEC vendor impersonation pattern
Implementation: Any new or changed vendor record in your accounting system requires a secondary review before a payment is initiated

Control: Dark web credential monitoring
Stops: Williams Bros., Akira pattern
Implementation: Monitor your firm’s domain and employee email addresses against dark web leak sites; early warning of a compromised subcontractor account before they use it against you

Control: Patch SonicWall VPN and all edge devices within 72 hours of CVE release
Stops: Williams Bros. (Akira), Weston & Sampson (LockBit)
Implementation: Subscribe to CISA Known Exploited Vulnerabilities catalog; patch edge devices on a 72-hour SLA

Control: Immutable offline backups with weekly restore testing
Stops: All ransomware incidents
Implementation: 3-2-1 backup rule: 3 copies, 2 different media types, 1 offline/immutable; test restore quarterly

Control: Procore / Autodesk credential hygiene training
Stops: Project file ransomware
Implementation: PMs and estimators using Procore, BIM 360, and Autodesk must be trained to recognize fake login pages; credential theft on these platforms is the initial access vector for construction ransomware
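The DMARC control in the list above is usually deployed in stages, and a record left at p=none or pct=50 looks compliant on a checklist while enforcing nothing. The following is an added example, not code from this post or from SecurEveryone, that parses a DMARC TXT record and grades it against the p=reject target; the records are constructed. One caveat a practitioner should keep in view: p=reject blocks mail that claims to be exactly from your domain, and does nothing against a lookalike domain or a message sent from a genuinely compromised subcontractor account, which is why the callback and dual-control rows sit beside it.

```python
"""Grade a DMARC TXT record against the 'p=reject' control.

Added example, not the page's or any vendor's tool. Records are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    grade: str                 # "STRONG", "WEAK" or "INVALID"
    tags: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Report every way the record falls short of full p=reject enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return DmarcAssessment("INVALID", tags, ["not a DMARC1 record with a p= tag"])
    findings = []
    policy = tags["p"].lower()

    # Policy for mail failing SPF/DKIM alignment on the organizational domain.
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered; the record only reports")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is quarantined rather than rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unrecognized policy")

    # pct below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")

    # Subdomains inherit p= unless sp= says otherwise; a weaker sp= leaves a gap.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy is {sub_policy}: mail from subdomains is not rejected")

    # Without rua= nobody receives aggregate reports of who sends as the domain.
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is sending as your domain")

    return DmarcAssessment("STRONG" if not findings else "WEAK", tags, findings)


# Constructed records for the example domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-gc.com"
PARTIAL_RECORD = "v=DMARC1; p=reject; pct=50; sp=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example-gc.com; ruf=mailto:dmarc@example-gc.com; fo=1")
NOT_DMARC = "v=spf1 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, PARTIAL_RECORD, STRONG_RECORD, NOT_DMARC):
        result = assess_dmarc(rec)
        print(f"{result.grade:7s} {rec}")
        for finding in result.findings:
            print(f"         - {finding}")
```

In practice the record is read from DNS (the TXT record at _dmarc.yourdomain) for every domain the firm owns, including parked and subcontractor-facing ones, since a registered but unprotected domain is exactly what a reply-chain impersonation borrows.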

What to Do This Week

  1. Download the Wire Fraud Defense Playbook (free at /free-wire-fraud-playbook). It covers the 5 BEC variants targeting construction firms, the callback verification SOP, and the FBI Financial Fraud Kill Chain protocol. Walk through it with your AP team this week.
  2. Establish a written wire verification SOP. Any wire transfer routing change request must be verified via a known phone number — not the number in the email. This single control would have prevented the Clark Construction case and the AECOM IC3 pattern incidents.
  3. Run a ransomware tabletop with your leadership team. The scenario: ransomware encrypts your Procore vault, BIM 360 environment, and Bluebeam collaboration sessions on three concurrent active projects. Walk through the first-hour decisions. Download the Ransomware Response Playbook for the scenario framework.
  4. Audit your VPN and edge device patch status. If you have unpatched SonicWall or Citrix appliances, patch them within 72 hours. LockBit exploited Citrix Bleed; Akira exploited SonicWall CVE-2024-40766. Both are documented in CISA advisories with known exploitation.
  5. Book a training session. The SecurEveryone construction program is built for GCs, specialty subs, federal contractors, and project-focused firms. Sessions cover AP team wire fraud verification, PM credential hygiene, executive ransomware tabletop, and CMMC 2.0 awareness training with audit-ready documentation.

The construction industry’s cybersecurity problem isn’t a technology gap — it’s a training gap. The attacks documented in this article succeeded not because the firms involved lacked security tools, but because the people processing payments and managing projects didn’t have the specific threat awareness to recognize the patterns they faced. Closing that gap is what SecurEveryone does.

Sources: FBI IC3 2023 Internet Crime Report · FBI IC3 BEC Public Service Announcement (December 2023 update) · Canadian Centre for Cyber Security threat bulletin (Maze ransomware, 2020) · CISA/FBI/MS-ISAC Joint Advisory AA23-165A (LockBit 3.0) · CISA/FBI Joint Advisory AA23-353A (ALPHV/BlackCat) · CISA StopRansomware Akira advisory (March 2025) · Arctic Wolf 2025 Threat Intelligence Report · IBM/Ponemon Cost of a Data Breach Report 2024 · ReliaQuest 2024 Construction Sector Threat Landscape · Abnormal Security 2023 BEC Threat Report · ANSSI Maze ransomware advisory (France, 2020) · DeXpose Akira/Williams Brothers Construction incident report (February 2026) · ransomware.live victim database · Kousisis v. United States, U.S. Supreme Court (May 2025)