Skip to main content
Construction & General Contracting · Cybersecurity Training

Wire fraud on your draw request. Ransomware on your project files. Both start with one email.

Bird Construction. Bouygues Construction. Regional GCs hit for $447K+ on a single wire transfer. Ransomware encrypting Revit models and Procore vaults on active jobsites. Live expert training built for GCs, project managers, AP teams, and ownership groups.

$447K Average wire fraud loss per construction incident (FBI IC3 2023)
65% Of construction firms hit by a cyberattack in the past 12 months (Procore & Dodge 2023)
#3 Construction is the 3rd most ransomware-targeted sector globally (Dragos 2024)

Defining incidents — what it looks like when it goes wrong

Bird Construction / Maze
Maze ransomware — data exfiltrated & published, Jan 2020
Project data, employee records stolen; leak site used as leverage. Source: Bleeping Computer, Maze leak site
Bouygues Construction / Maze
$10M ransom demand — 200MB data stolen, Feb 2020
80-country ops shut down globally; employee HR records published; refused to pay. Source: ZDNet, Maze leak site
DHS CISA / Dragos OT/ICS
Construction OT/ICS: HVAC, elevator, BAS — ransomware entry points
CISA AA23-047 / Dragos 2024: building management systems targeted via vendor portals & field device firmware. Source: CISA, Dragos
OSHA / FBI IC3 Construction
$447K avg wire fraud loss — FBI IC3 2023, $298B exposure
OSHA 29 CFR 1926 (cyber for contractor safety mgmt systems), FBI IC3 construction BEC pattern analysis. Source: FBI IC3 2023

Your biggest cybersecurity exposure isn't a data breach. It's a fraudulent wire transfer on a draw request.

Most cybersecurity training focuses on phishing awareness and password hygiene — designed for corporate office environments with defined IT perimeters. Construction doesn't work that way.

A general contractor's threat surface spans: AP teams processing draw requests and lien waiver payments; project managers using Procore, Bluebeam, and BIM 360 across dozens of active projects; field superintendents on tablets and personal phones accessing project documents over unprotected Wi-Fi; and a subcontractor supply chain where dozens of small companies have direct email relationships with your accounting staff.

Wire fraud in construction exploits every one of these touchpoints. Supplier-impersonation BEC reroutes subcontractor payments mid-project. Ransomware on BIM files doesn't just cost data — it triggers liquidated damages clauses and can push a delayed project into default. SecurEveryone's construction program trains the exact workflows where these attacks actually happen.

Four attack vectors targeting construction firms right now

Construction isn't just a ransomware target — it's a target for draw-payment wire fraud, BIM/CAD file theft, supplier-impersonation BEC, and OT/ICS compromise via building management systems. Here's the full picture.

💰

Draw-Payment Wire Fraud

Attackers compromise owner-rep, title company, or GC accounting email, then intercept draw requests and substitute fraudulent wire routing instructions. FBI IC3 2023: construction averages $447K per incident. The recall window is 24–72 hours — after that, funds are unrecoverable.

📁

BIM & Project File Ransomware

Autodesk Revit models, BIM 360 vaults, and Procore document storage are prime ransomware targets. An encrypted BIM file on an active project can trigger liquidated damages clauses. Bird Construction (Maze) and Bouygues ($10M demand) demonstrate the full project-level cascade.

🏗️

Supplier-Impersonation BEC

Subcontractor email compromise redirects payment to fraudulent accounts mid-project. Attackers monitor weeks of correspondence before striking. The vendor's domain, format, and signature all check out — the missing step is the out-of-band phone call to a known number.

🏢

OT/ICS & Building Management Systems

Construction firms managing commercial projects increasingly operate OT: HVAC controls, elevator systems, BAS (building automation). Dragos 2024 and CISA AA23-047 document ransomware groups targeting building management via vendor portals and field device firmware. OSHA 29 CFR 1926 intersects with cyber risk management.

These aren't hypotheticals. They're case studies from active projects.

Bird Construction
January 2020

Maze ransomware operators targeted Bird Construction, one of Canada's largest general contractors. The attackers exfiltrated sensitive files — including employee records, contracts, and project data — before encrypting systems. Maze's standard tactic was to publicly publish stolen data to force ransom payment, putting project stakeholders and subcontractors at risk of data exposure.

Impact: Data exfiltration + encryption · Source: Maze ransomware leak site; Bleeping Computer, January 2020
Bouygues Construction
February 2020

Maze ransomware also hit Bouygues Construction, the French construction giant with operations across 80 countries. The attackers demanded $10M in ransom and stole 200MB of sensitive data including employee and HR records. Bouygues refused to pay; attackers subsequently published the stolen data. The incident forced emergency IT shutdowns across global operations.

Impact: $10M ransom demand, global IT shutdown · Source: ZDNet, February 2020; Maze leak site
Regional GC — Western U.S.
2022

A mid-size general contractor in the Western U.S. lost $310,000 in a draw-payment wire fraud scheme. Attackers had compromised the owner's representative email for weeks before the draw was issued. When the AP team sent the draw request, the attacker intercepted it and replied with modified wire routing instructions. By the time the fraud was discovered, funds had been dispersed by the receiving bank.

Impact: $310,000 unrecovered · Source: FBI IC3 Construction Sector Advisory 2023
Specialty Subcontractor — Southeast
2023

A mechanical subcontractor received a supplier-impersonation BEC email appearing to come from a long-term material supplier requesting a banking change for an upcoming invoice. The AP team complied; $78,000 in payment was rerouted to a fraudulent account. No single employee was at fault — the email matched the supplier's domain, format, and signature. The missing step: an out-of-band phone call to a known number to verify the change.

Impact: $78,000 unrecovered · Source: FBI IC3 2023 Internet Crime Report (construction sector)

Three drills. Every session built around your project workflows and payment processes.

Drill 1 · AP Team & Ownership
Draw-Payment Wire Fraud Verification Protocol

Walk AP teams, project controllers, and ownership through the exact BEC patterns used to hijack draw requests and subcontractor payments. Using anonymized FBI IC3 construction fraud cases, participants work through live simulations of wire routing change requests, owner-rep email spoofs, and mid-draw intercept scenarios. The session establishes a written callback verification protocol — matching the verified construction industry best practice of out-of-band phone confirmation before any wire routing change. Includes a post-drill template for internal wire verification SOPs.

Roles: AP Manager, Project Controller, CFO, Ownership Group
Format: Live scenario walkthrough + SOP template, 60–90 min
Compliance: CIS Controls v8 Control 14, NIST CSF PR.AT
Drill 2 · PMs, Supers & Field Staff
Subcontractor Invoice Authentication & Credential Hygiene on Procore/Bluebeam

Project managers, field superintendents, and estimators face a different threat: fake subcontractor invoice emails with modified payment details, credential phishing disguised as Procore or Bluebeam login pages, and social engineering via text messages impersonating the GC or owner. This drill trains participants to authenticate subcontractor payment change requests using a documented callback chain, identify fake platform login pages, and maintain credential hygiene when accessing project management tools across multiple jobsites and devices. Covers the mechanics of how attackers build lookalike Procore login domains.

Roles: Project Manager, Superintendent, Estimator, Field Admin
Format: Live drill + hands-on credential hygiene module, 45–60 min
Compliance: CIS Controls v8 Control 5 & 14, CMMC 2.0 AT.L2
Drill 3 · Executive & Operations Leadership
Ransomware Tabletop — Project-File Encryption & IR Response

Walk executive leadership and operations through a ransomware tabletop specifically designed for active construction projects. Scenario: ransomware encrypts BIM 360 vaults, Procore document storage, and shared Revit project files on three concurrent active jobsites. Participants work through: 15-minute detection and isolation decision, draw request and lien waiver suspension protocol, owner and subcontractor notification, liquidated damages risk assessment, cyber insurance claim initiation, and CISA reporting under CIRCIA. Based on the Bird Construction and Bouygues incident timelines. Leadership leaves with a completed project-specific IR decision matrix.

Roles: CEO, COO, CFO, VP Operations, IT Director, Legal
Format: Live tabletop, 90–120 min
Compliance: CIRCIA reporting, CMMC 2.0 IR.L2, NIST CSF 2.0

The construction compliance stack — what applies to your firm

Federal contracts, CMMC requirements, and critical infrastructure projects each add a layer. Here's what applies to your operation.

Regulation / Framework Agency Key Requirement Applies To
CMMC 2.0 Level 2 DoD / DCSA AT.L2-3.2.1 + AT.L2-3.2.2: security awareness training for all CUI-handling staff. Completion records C3PAO audit-ready. DoD / Federal Contractors
NIST SP 800-171 Rev 3 NIST / DoD AT 3.2.1 + 3.2.2: documented security awareness training for all covered personnel. Session-level completion records required. DFARS / CUI Handlers
DFARS 252.204-7012 DoD Safeguarding Covered Defense Information — NIST SP 800-171 implementation plan required; training documentation a direct control requirement. Defense Contractors
CIRCIA CISA 72-hour cyber incident reporting; 24-hour ransom payment reporting. Construction firms on critical infrastructure contracts may fall under mandatory reporting. Critical Infrastructure Projects
OSHA 29 CFR 1926 OSHA / DOL Job site safety management systems increasingly include cyber risk to OT/BMS on active construction sites. Contractor cyber hygiene intersects with safety program requirements. All Contractors
CIS Controls v8 CIS Control 14 (Security Awareness and Skills Training): baseline standard for firms not on federal contracts. Maps to wire transfer verification, phishing resistance, incident response. Private Sector GCs

See CMMC 2.0 details and ISO 27001 training for full framework walkthroughs.

🔐
Free: Wire Fraud Defense Playbook
13-page playbook covering 5 BEC variants targeting construction firms — draw request intercept, owner-rep impersonation, supplier banking change, lien waiver spoofing, title company wire. Includes FBI Financial Fraud Kill Chain first-hour protocol and callback SOP template.
Download Free →
🗂️
Free: Incident Response Plan Template
12-page IR plan template built for GCs. Covers roles, escalation paths, project-specific communication templates (owner notification, subcontractor holds), CISA/CIRCIA notification timelines. 83% of GCs have no documented IR plan.
Download Free →

One flat rate. Unlimited users. No per-seat billing.

Personal
$150
One-on-one session for an individual — wire fraud risk assessment, BEC recognition, and Q&A built around your specific role in the project delivery process.
  • 60-minute live Zoom / Meet / Teams
  • Construction-specific threat scenarios
  • Wire fraud verification protocol
  • 24/7 emergency session (+$100)
Book Personal — $150 →
Business · Unlimited Users
$900
Train your entire team — AP staff, PMs, field supers, and executives in separate targeted sessions. One flat rate covers the whole firm, no per-seat billing.
  • 2-hour comprehensive team session
  • Unlimited participants — flat rate
  • Separate AP, field, and exec segments
  • Wire verification SOP template
  • Compliance documentation package
  • CMMC-formatted training records
Book Business — $900 flat →

Questions from GCs, project managers, and ownership groups.

How do attackers target construction draw payments and wire transfers?

Business Email Compromise (BEC) targeting draw requests is the dominant fraud pattern in construction. Attackers compromise an email account — typically the owner's rep, the title company, or a GC accounting contact — and monitor ongoing project correspondence for weeks or months. When a draw request or wire instruction is issued, they intercept or spoof the email and substitute fraudulent banking information. The FBI IC3 2023 report shows construction wire fraud averaging $447,000 per incident. The Business tier ($900 flat) trains the entire AP team, PMs, and ownership on the exact verification callbacks and out-of-band confirmation steps that stop these intercepts.

What ransomware risk does construction face beyond general IT threats?

Construction has three ransomware exposure points that generic IT training doesn't address: BIM and CAD file encryption (Autodesk Revit, BIM 360, Procore document vaults), project management platform ransomware (locking out scheduling, RFIs, submittals on live jobsites), and mobile device compromise from field staff accessing project files on personal phones over unsecured Wi-Fi. Ransomware on a construction jobsite doesn't just cost data — it stops draws, triggers liquidated damages clauses, and can push a delayed project into default.

Does our CMMC 2.0 requirement as a federal contractor apply to construction projects?

Yes. Any construction firm holding DoD contracts — including military base construction, government facility projects, or federal infrastructure contracts — that handles Controlled Unclassified Information (CUI) must meet CMMC 2.0 requirements. Level 2 requires 110 NIST SP 800-171 controls including AT.L2-3.2.1 and AT.L2-3.2.2 (security awareness training for all CUI-handling staff). This applies to field superintendents, PMs, and office staff who access contract documents, drawings, and specifications. SecurEveryone's completion records are formatted for C3PAO audit evidence.

How do you train field crews and site superintendents who don't use computers regularly?

The Business tier ($900 flat, unlimited users) is designed for exactly this. Field crews and supers face a specific threat profile: credential theft via fake Procore or Bluebeam login pages, phishing text messages impersonating project owners or OSHA, and social engineering at the jobsite trailer. We run 30-minute focused sessions for field teams covering mobile security, credential hygiene on site tablets, and social engineering recognition — all contextualized to construction workflows. Separate 90-minute sessions run for PMs, estimators, and office staff covering BEC, wire fraud verification, and ransomware response.

What compliance documentation does SecurEveryone provide for construction firms?

Every session includes a written completion record with: session date, attendee count (de-identified), curriculum modules covered, threat scenarios addressed, and a signed instructor attestation. This satisfies CMMC 2.0 AT.L2-3.2.1 and AT.L2-3.2.2 awareness training requirements (formatted for C3PAO evidence); NIST SP 800-171 awareness training requirements for federal contractors; ISO 27001:2022 Annex A 6.3; and CIS Controls v8 Control 14 documentation.

What should a GC do immediately if a wire transfer is suspected to be fraudulent?

Speed is everything. Call your bank's fraud hotline immediately — do not email. SWIFT/wire transfers have a narrow recall window (typically 24–72 hours before funds are dispersed by the receiving bank). Simultaneously, file an FBI IC3 complaint at ic3.gov — the FBI's Financial Fraud Kill Chain (FFKC) can freeze funds at receiving banks if the report is made within 48 hours. Contact your cyber insurance carrier to trigger the incident response clause. Our Wire Fraud Defense Playbook (free at /free-wire-fraud-playbook) walks through the full first-hour protocol including bank contact scripts and FBI notification steps.

Free Download

BEC Defense Playbook — 11 pages, free

5 attack patterns, DMARC enforcement guide, out-of-band verification protocol, and 3 tabletop scenarios. Built for construction firms handling draw requests, vendor payments, and subcontractor wires.

Get the Playbook →

Ready to protect your next draw request?

Book a session directly below. Every session is live, expert-led, and built around your specific project environment — general contracting, specialty sub, federal construction, or real estate development.

SecurEveryone · CMMC 2.0 · NIST 800-171 · CIS Controls · Wire Fraud Defense · BIM Ransomware Response · $900 flat · Unlimited users