Bird Construction. Bouygues Construction. Regional GCs hit for $447K+ on a single wire transfer. Ransomware encrypting Revit models and Procore vaults on active jobsites. Live expert training built for GCs, project managers, AP teams, and ownership groups.
Most cybersecurity training focuses on phishing awareness and password hygiene — designed for corporate office environments with defined IT perimeters. Construction doesn't work that way.
A general contractor's threat surface spans: AP teams processing draw requests and lien waiver payments; project managers using Procore, Bluebeam, and BIM 360 across dozens of active projects; field superintendents on tablets and personal phones accessing project documents over unprotected Wi-Fi; and a subcontractor supply chain where dozens of small companies have direct email relationships with your accounting staff.
Wire fraud in construction exploits every one of these touchpoints. Supplier-impersonation BEC reroutes subcontractor payments mid-project. Ransomware on BIM files doesn't just cost data — it triggers liquidated damages clauses and can push a delayed project into default. SecurEveryone's construction program trains the exact workflows where these attacks actually happen.
Maze ransomware operators targeted Bird Construction, one of Canada's largest general contractors. The attackers exfiltrated sensitive files — including employee records, contracts, and project data — before encrypting systems. Maze's standard tactic was to publicly publish stolen data to force ransom payment, putting project stakeholders and subcontractors at risk of data exposure.
Maze ransomware also hit Bouygues Construction, the French construction giant with operations across 80 countries. The attackers demanded $10M in ransom and stole 200MB of sensitive data including employee and HR records. Bouygues refused to pay; attackers subsequently published the stolen data. The incident forced emergency IT shutdowns across global operations.
A mid-size general contractor in the Western U.S. lost $310,000 in a draw-payment wire fraud scheme. Attackers had compromised the owner's representative email for weeks before the draw was issued. When the AP team sent the draw request, the attacker intercepted it and replied with modified wire routing instructions. By the time the fraud was discovered, funds had been dispersed by the receiving bank.
A mechanical subcontractor received a supplier-impersonation BEC email appearing to come from a long-term material supplier requesting a banking change for an upcoming invoice. The AP team complied; $78,000 in payment was rerouted to a fraudulent account. No single employee was at fault — the email matched the supplier's domain, format, and signature. The missing step: an out-of-band phone call to a known number to verify the change.
Walk AP teams, project controllers, and ownership through the exact BEC patterns used to hijack draw requests and subcontractor payments. Using anonymized FBI IC3 construction fraud cases, participants work through live simulations of wire routing change requests, owner-rep email spoofs, and mid-draw intercept scenarios. The session establishes a written callback verification protocol — matching the verified construction industry best practice of out-of-band phone confirmation before any wire routing change. Includes a post-drill template for internal wire verification SOPs.
Project managers, field superintendents, and estimators face a different threat: fake subcontractor invoice emails with modified payment details, credential phishing disguised as Procore or Bluebeam login pages, and social engineering via text messages impersonating the GC or owner. This drill trains participants to authenticate subcontractor payment change requests using a documented callback chain, identify fake platform login pages, and maintain credential hygiene when accessing project management tools across multiple jobsites and devices. Covers the mechanics of how attackers build lookalike Procore login domains.
Walk executive leadership and operations through a ransomware tabletop specifically designed for active construction projects. Scenario: ransomware encrypts BIM 360 vaults, Procore document storage, and shared Revit project files on three concurrent active jobsites. Participants work through: 15-minute detection and isolation decision, draw request and lien waiver suspension protocol, owner and subcontractor notification, liquidated damages risk assessment, cyber insurance claim initiation, and CISA reporting under CIRCIA. Based on the Bird Construction and Bouygues incident timelines. Leadership leaves with a completed project-specific IR decision matrix.
Business Email Compromise (BEC) targeting draw requests is the dominant fraud pattern in construction. Attackers compromise an email account — typically the owner's rep, the title company, or a GC accounting contact — and monitor ongoing project correspondence for weeks or months. When a draw request or wire instruction is issued, they intercept or spoof the email and substitute fraudulent banking information. The FBI IC3 2023 report shows construction wire fraud averaging $447,000 per incident. The Business tier ($900 flat) trains the entire AP team, PMs, and ownership on the exact verification callbacks and out-of-band confirmation steps that stop these intercepts.
Construction has three ransomware exposure points that generic IT training doesn't address: BIM and CAD file encryption (Autodesk Revit, BIM 360, Procore document vaults), project management platform ransomware (locking out scheduling, RFIs, submittals on live jobsites), and mobile device compromise from field staff accessing project files on personal phones over unsecured Wi-Fi. Ransomware on a construction jobsite doesn't just cost data — it stops draws, triggers liquidated damages clauses, and can push a delayed project into default.
Yes. Any construction firm holding DoD contracts — including military base construction, government facility projects, or federal infrastructure contracts — that handles Controlled Unclassified Information (CUI) must meet CMMC 2.0 requirements. Level 2 requires 110 NIST SP 800-171 controls including AT.L2-3.2.1 and AT.L2-3.2.2 (security awareness training for all CUI-handling staff). This applies to field superintendents, PMs, and office staff who access contract documents, drawings, and specifications. SecurEveryone's completion records are formatted for C3PAO audit evidence.
The Business tier ($900 flat, unlimited users) is designed for exactly this. Field crews and supers face a specific threat profile: credential theft via fake Procore or Bluebeam login pages, phishing text messages impersonating project owners or OSHA, and social engineering at the jobsite trailer. We run 30-minute focused sessions for field teams covering mobile security, credential hygiene on site tablets, and social engineering recognition — all contextualized to construction workflows. Separate 90-minute sessions run for PMs, estimators, and office staff covering BEC, wire fraud verification, and ransomware response.
Every session includes a written completion record with: session date, attendee count (de-identified), curriculum modules covered, threat scenarios addressed, and a signed instructor attestation. This satisfies CMMC 2.0 AT.L2-3.2.1 and AT.L2-3.2.2 awareness training requirements (formatted for C3PAO evidence); NIST SP 800-171 awareness training requirements for federal contractors; ISO 27001:2022 Annex A 6.3; and CIS Controls v8 Control 14 documentation.
Speed is everything. Call your bank's fraud hotline immediately — do not email. SWIFT/wire transfers have a narrow recall window (typically 24–72 hours before funds are dispersed by the receiving bank). Simultaneously, file an FBI IC3 complaint at ic3.gov — the FBI's Financial Fraud Kill Chain (FFKC) can freeze funds at receiving banks if the report is made within 48 hours. Contact your cyber insurance carrier to trigger the incident response clause. Our Wire Fraud Defense Playbook (free at /free-wire-fraud-playbook) walks through the full first-hour protocol including bank contact scripts and FBI notification steps.
Book a session directly below. Every session is live, expert-led, and built around your specific project environment — general contracting, specialty sub, federal construction, or real estate development.