Construction Cybersecurity Training

Your next draw request could be a phishing email.

Wire fraud cost construction companies an average of $447,000 per incident in 2023. Subcontractor change-of-banking emails, spoofed Procore notifications, and project file ransomware are hitting GCs and specialty subs daily — and most teams have never been trained to recognize them. Live expert training built for the construction threat landscape. From $150.

$447K Average construction wire fraud loss (2023)
$298B Annual construction wire fraud exposure (FBI IC3)
65% Of construction firms hit by BEC in 2023

You move large, time-sensitive wire transfers. That's exactly what attackers want.

Construction is uniquely exposed to wire fraud for one reason: your payment cycle depends on trust-based, email-anchored communication. Subcontractors send banking changes by email. Project managers approve draw requests by email. GCs forward pay app instructions by email. Every step of the payment chain runs through an email thread — and every email thread is a potential attack surface for an impersonator.

The economics are brutal. A mid-size GC processes $2M–$10M in monthly pay applications across dozens of subs. A single spoofed banking change that goes through means the GC pays twice — once to the attacker, once to the sub when they discover the wire didn't arrive. Recovery rate on fraudulent wire transfers is under 20%. Once the wire clears, the money is gone.

The second attack surface is project management platform credentials. Procore, Bluebeam, PlanGrid, and Buildertrend store sub contact lists, cost data, bid information, and project files — everything an attacker needs to run a convincing BEC campaign against your entire project team. Phishing emails impersonating Procore notifications are the most common vector we see in construction. A compromised admin account means the attacker has full visibility into your pipeline before they ever touch a dollar.

The third piece is subcontractor credential hygiene. Most GCs don't have visibility into how securely their specialty subs manage credentials. A compromised sub email account — one electrician, one plumber — can be used to send change-of-banking emails that appear to come from a trusted project participant. The GC has no reason to suspect it. The wire goes out.

The final vulnerability is mobile and jobsite exposure. Field supervisors and PMs check project portals from jobsite Wi-Fi networks with no access controls. Unpatched phones, open networks, and session-cookie theft mean a lost or compromised device can hand an attacker access to every active project. No VPN, no MDM, no alert.

  • Webex & Construction Event Phishing (2023) Attackers impersonated construction software vendors (Procore, Buildertrend) with phishing campaigns targeting PM and admin accounts. Credential harvesting led to project file access and fraudulent banking change requests across multiple regional GCs.
  • Mortenson Construction — Vendor Compromise (2023) A supply chain compromise affected a major construction firm's project management credentials. Attackers used the trusted vendor relationship to send spoofed banking change emails to GC finance teams, resulting in six-figure wire losses before detection.
  • Regional GC — Subcontractor Email Spoofing (2022) A 75-person regional GC received a change-of-banking email from what appeared to be their HVAC subcontractor — same display name, matching formatting, correct project name in the subject line. Controller approved the $310,000 pay app wire. Wire went to attacker account. Recovery attempt was unsuccessful.
  • Specialty Sub — Project File Ransomware (2022) A plumbing subcontractor had an admin's Procore account phished via a fake RFQ attachment. Ransomware encrypted every active project folder — bids, submittals, RFIs, and change order logs. Two-week recovery delay cost the sub $180,000 in missed deadlines and bonding delays.

FBI IC3 data shows construction firms lose an average of $447,000 per wire fraud incident — with a recovery rate under 20%. The common denominator across all incidents: the controller who approved the wire had never seen a formal BEC training session.

3 drills built for the construction threat landscape.

Not generic security awareness videos. Scenarios drawn from the actual attack patterns that hit construction firms — draw-request BEC, project file credential theft, and ransomware in a project management context. These are the exact patterns the FBI and construction industry associations document.

Drill 01
🏗️

Wire Fraud / BEC Tabletop — Draw Request Simulation

Your controller receives an email from what looks like your largest subcontractor — same display name, matching email domain signature, correct project name and pay app amount in the subject line. They want to update their ACH routing details before a $400,000 pay app releases. This drill walks your finance and project management team through the exact decision tree that stops these requests cold: phone verification, DNS lookups, and the documentation trail that protects your firm if one slips through.

  • FBI IC3 BEC attack patterns for construction specifically
  • Subcontractor banking change verification protocol
  • Email header analysis — how to spot a spoofed sender
  • Draw request escalation chain and dual authorization
  • Documented training record for cyber insurance underwriting
Drill 02
📐

Procore / Bluebeam / PlanGrid — Credential Hygiene for PM Teams

Project management and design collaboration platforms (Procore, Bluebeam, PlanGrid, Buildertrend) store the data attackers want most: sub contact lists, bids, cost data, and RFIs. A phishing email to a PM's account can give an attacker everything they need to run a convincing BEC campaign against your entire project team — and to encrypt every active project folder. This drill trains your PMs and admins on credential hygiene for the tools they use every day.

  • Procore and Bluebeam credential security fundamentals
  • Recognizing phishing emails impersonating construction software vendors
  • Session token protection and multi-device access protocols
  • Admin account hygiene — least-privilege access and offboarding
  • Sub-tier credential hygiene and vendor access controls
Drill 03
🏦

IR Tabletop: Ransomware on Project Management Platforms

When ransomware hits your project management environment — Procore is encrypted, every active project folder is locked, submittal deadlines are missed, bonding milestones are at risk — the decisions made in the first 60 minutes determine whether you recover in days or weeks. This tabletop exercise walks your leadership team through a realistic construction ransomware scenario: triage, sub communication, insurance notification, and BC/DR activation for a mid-size GC environment.

  • Ransomware triage for project management environments
  • Submittal deadline management during platform outage
  • Bonding milestone communication and documentation
  • Incident response escalation chain — who owns what decision
  • Cyber insurance notification timeline and documentation requirements

Federal contracts and cyber insurance both require documented training.

For federally funded construction projects (DoD, GSA, DOT), DFARS clause 7012 and NIST SP 800-171 require controlled unclassified information (CUI) safeguards — including documented workforce cybersecurity training. Even without direct CUI handling, project owners and primes are increasingly flowing cybersecurity requirements down to every tier. Separately, cyber insurance underwriters now require documented security awareness training before binding construction firm policies — and the training certificate from our session serves as that evidence.

CMMC / DFARS Training →
📋

Free: Wire Fraud Defense Playbook for Construction

A step-by-step playbook for the first 60 minutes after a wire fraud incident or suspected BEC attack — covering freeze protocol, sub communication, law enforcement contact, and insurance notification. Includes a subcontractor banking change verification checklist your finance team can use immediately.

Download the Free Wire Fraud Defense Playbook →

Book directly. No sales call required.

All three tiers include wire fraud/BEC defense, PM platform credential security, and documented training records. Pick the tier that fits your organization.

Personal
$150
60-minute 1:1 session
  • Draw-request and wire fraud recognition
  • PM platform credential hygiene (Procore / Bluebeam)
  • Mobile device security on jobsites
  • Personal security assessment
  • 24/7 emergency session access (+$100)
Book Personal — $150
Business
$900
2-hour team webinar · unlimited users
  • All 3 construction training drills for your full team
  • Finance + controller-specific BEC simulation
  • PM and admin credential security for all platforms
  • Field supervisor mobile and jobsite security module
  • Post-session written policy template package
Book Business — $900 flat

Questions from construction companies.

We use Procore for everything. Is our project data at risk?

Procore itself is well-secured — the risk is your team credentials. Phishing emails impersonating Procore notifications are one of the most common vectors we see in construction. Session tokens, API keys, and admin-level accounts are the targets. Our session includes credential hygiene protocol for your Procore account and a written policy for credential management across your entire project management stack.

Our subs have their own insurance and cybersecurity posture. Is that our problem?

Increasingly yes. Cyber incidents involving subs create liability exposure for GCs, and bonding companies and project owners are adding cybersecurity questionnaire requirements to prequalification. A GC with documented cybersecurity training for all project participants — including sub trades — is better positioned in prequal and has stronger defenses when a sub compromise ripples upstream.

What do cyber insurance underwriters actually require from construction firms?

Most commercial cyber insurers now require: documented security awareness training for all employees, MFA on email and project management platforms, regular backups with offline copies, an incident response plan, and proof of vendor/supplier credential hygiene. The training certificate from our session serves as documented evidence for underwriting questionnaires and renewal applications.

Our team is dispersed across jobsites. How does training work for field staff?

The Business-tier session is designed for exactly this. It runs as a live 2-hour webinar with unlimited participants — office staff and field personnel join from wherever they are. We cover mobile device security, jobsite Wi-Fi risks, and credential management specifically for field conditions. The role-specific guidance lands better with supers and foremen than generic cybersecurity content.

We bid on federally funded projects. Are there specific cybersecurity requirements?

Yes — if you handle CUI on federal projects, DFARS clause 7012 and NIST SP 800-171 apply. Even if you don't handle CUI directly, project owners and primes are increasingly flowing cybersecurity requirements down to all tiers. Our Executive session includes a walkthrough of the NIST framework as it applies to construction firm workflows — including document management, sub-tier communication, and field collaboration.

How fast can we get our team trained?

Same week in most cases. Personal sessions can be scheduled within 48 hours. Executive sessions typically book within 3–5 business days. Business tier includes a 15-minute intake call to confirm headcount and session timing, then we schedule your 2-hour team webinar at your convenience. Emergency sessions (active BEC concern or suspected compromise) are available within 15 minutes, 24/7. Book directly via Calendly — no procurement delay or proposal process required.

Ready to train your construction team?

One wire to the wrong account costs more than a year of training. Your next pay app request could be the one an attacker is watching. Book a session and get your finance team, PMs, and field supervisors trained before the next change-of-banking email hits your inbox.