Wire fraud cost construction companies an average of $447,000 per incident in 2023. Subcontractor change-of-banking emails, spoofed Procore notifications, and project file ransomware are hitting GCs and specialty subs daily — and most teams have never been trained to recognize them. Live expert training built for the construction threat landscape. From $150.
Construction is uniquely exposed to wire fraud for one reason: your payment cycle depends on trust-based, email-anchored communication. Subcontractors send banking changes by email. Project managers approve draw requests by email. GCs forward pay app instructions by email. Every step of the payment chain runs through an email thread — and every email thread is a potential attack surface for an impersonator.
The economics are brutal. A mid-size GC processes $2M–$10M in monthly pay applications across dozens of subs. A single spoofed banking change that goes through means the GC pays twice — once to the attacker, once to the sub when they discover the wire didn't arrive. Recovery rate on fraudulent wire transfers is under 20%. Once the wire clears, the money is gone.
The second attack surface is project management platform credentials. Procore, Bluebeam, PlanGrid, and Buildertrend store sub contact lists, cost data, bid information, and project files — everything an attacker needs to run a convincing BEC campaign against your entire project team. Phishing emails impersonating Procore notifications are the most common vector we see in construction. A compromised admin account means the attacker has full visibility into your pipeline before they ever touch a dollar.
The third piece is subcontractor credential hygiene. Most GCs don't have visibility into how securely their specialty subs manage credentials. A compromised sub email account — one electrician, one plumber — can be used to send change-of-banking emails that appear to come from a trusted project participant. The GC has no reason to suspect it. The wire goes out.
The final vulnerability is mobile and jobsite exposure. Field supervisors and PMs check project portals from jobsite Wi-Fi networks with no access controls. Unpatched phones, open networks, and session-cookie theft mean a lost or compromised device can hand an attacker access to every active project. No VPN, no MDM, no alert.
FBI IC3 data shows construction firms lose an average of $447,000 per wire fraud incident — with a recovery rate under 20%. The common denominator across all incidents: the controller who approved the wire had never seen a formal BEC training session.
Not generic security awareness videos. Scenarios drawn from the actual attack patterns that hit construction firms — draw-request BEC, project file credential theft, and ransomware in a project management context. These are the exact patterns the FBI and construction industry associations document.
Your controller receives an email from what looks like your largest subcontractor — same display name, matching email domain signature, correct project name and pay app amount in the subject line. They want to update their ACH routing details before a $400,000 pay app releases. This drill walks your finance and project management team through the exact decision tree that stops these requests cold: phone verification, DNS lookups, and the documentation trail that protects your firm if one slips through.
Project management and design collaboration platforms (Procore, Bluebeam, PlanGrid, Buildertrend) store the data attackers want most: sub contact lists, bids, cost data, and RFIs. A phishing email to a PM's account can give an attacker everything they need to run a convincing BEC campaign against your entire project team — and to encrypt every active project folder. This drill trains your PMs and admins on credential hygiene for the tools they use every day.
When ransomware hits your project management environment — Procore is encrypted, every active project folder is locked, submittal deadlines are missed, bonding milestones are at risk — the decisions made in the first 60 minutes determine whether you recover in days or weeks. This tabletop exercise walks your leadership team through a realistic construction ransomware scenario: triage, sub communication, insurance notification, and BC/DR activation for a mid-size GC environment.
For federally funded construction projects (DoD, GSA, DOT), DFARS clause 7012 and NIST SP 800-171 require controlled unclassified information (CUI) safeguards — including documented workforce cybersecurity training. Even without direct CUI handling, project owners and primes are increasingly flowing cybersecurity requirements down to every tier. Separately, cyber insurance underwriters now require documented security awareness training before binding construction firm policies — and the training certificate from our session serves as that evidence.
CMMC / DFARS Training →A step-by-step playbook for the first 60 minutes after a wire fraud incident or suspected BEC attack — covering freeze protocol, sub communication, law enforcement contact, and insurance notification. Includes a subcontractor banking change verification checklist your finance team can use immediately.
Download the Free Wire Fraud Defense Playbook →All three tiers include wire fraud/BEC defense, PM platform credential security, and documented training records. Pick the tier that fits your organization.
Procore itself is well-secured — the risk is your team credentials. Phishing emails impersonating Procore notifications are one of the most common vectors we see in construction. Session tokens, API keys, and admin-level accounts are the targets. Our session includes credential hygiene protocol for your Procore account and a written policy for credential management across your entire project management stack.
Increasingly yes. Cyber incidents involving subs create liability exposure for GCs, and bonding companies and project owners are adding cybersecurity questionnaire requirements to prequalification. A GC with documented cybersecurity training for all project participants — including sub trades — is better positioned in prequal and has stronger defenses when a sub compromise ripples upstream.
Most commercial cyber insurers now require: documented security awareness training for all employees, MFA on email and project management platforms, regular backups with offline copies, an incident response plan, and proof of vendor/supplier credential hygiene. The training certificate from our session serves as documented evidence for underwriting questionnaires and renewal applications.
The Business-tier session is designed for exactly this. It runs as a live 2-hour webinar with unlimited participants — office staff and field personnel join from wherever they are. We cover mobile device security, jobsite Wi-Fi risks, and credential management specifically for field conditions. The role-specific guidance lands better with supers and foremen than generic cybersecurity content.
Yes — if you handle CUI on federal projects, DFARS clause 7012 and NIST SP 800-171 apply. Even if you don't handle CUI directly, project owners and primes are increasingly flowing cybersecurity requirements down to all tiers. Our Executive session includes a walkthrough of the NIST framework as it applies to construction firm workflows — including document management, sub-tier communication, and field collaboration.
Same week in most cases. Personal sessions can be scheduled within 48 hours. Executive sessions typically book within 3–5 business days. Business tier includes a 15-minute intake call to confirm headcount and session timing, then we schedule your 2-hour team webinar at your convenience. Emergency sessions (active BEC concern or suspected compromise) are available within 15 minutes, 24/7. Book directly via Calendly — no procurement delay or proposal process required.
One wire to the wrong account costs more than a year of training. Your next pay app request could be the one an attacker is watching. Book a session and get your finance team, PMs, and field supervisors trained before the next change-of-banking email hits your inbox.