Construction Wire Fraud Prevention Procedure

1. Never accept banking changes over email without verification using a known-good contact method.
2. Never approve urgent exceptions without a second reviewer and documented verification steps.

These two rules will prevent the vast majority of payment fraud in construction. They are simple to state and require discipline to enforce, especially when project timelines create pressure to move fast. The attackers know this and exploit it.

The mechanism is almost always the same: Business Email Compromise. An attacker gains access to a vendor or executive email account, monitors invoice threads for days or weeks, then inserts a last-minute banking change request that looks like it comes from a legitimate party. Because the email lands in an existing conversation thread, it passes a casual visual check.

Related: Business Email Compromise (BEC).

The urgency framing is intentional. Attackers know that payment departments face deadlines and that questioning a vendor request can feel like delaying a project. A typical fraudulent request might say the banking change is needed to meet a payment deadline, that the vendor is switching banks, or that the original account had an issue. These explanations sound plausible because they reference real situations that happen every day in construction.

The defense is a process that does not depend on recognizing a fraudulent email in the moment. Even experienced professionals miss well-crafted BEC attempts because the emails look legitimate. The verification step exists precisely because visual inspection alone is unreliable. If your process requires out-of-band verification before any banking change is processed, you do not need to identify the fraud in the email; you just need to follow the procedure every time.

Construction firms that have been through a fraud attempt often describe the same experience in hindsight: the email looked normal, the timing seemed right, and the only thing that would have caught it was the verification step. The attackers are not amateurs. They research your company, learn your vendor relationships, and craft requests that fit the patterns of legitimate communication. Your best defense is not better email filtering, though that helps, but a verification process that is followed consistently regardless of urgency.

# Construction Wire Fraud Prevention SOP (Payment Change Verification)

## Scope
Applies to: new payees, changes to vendor/subcontractor banking details, and any change to invoice remittance instructions.

## Roles
- Requester (PM / Project Admin): collects change request and supporting docs
- Verifier (AP Lead): performs out-of-band verification
- Approver (Controller / Finance Lead): approves changes above threshold and all exceptions

## Procedure
1) Log the request
   - Create a ticket or log entry with vendor name, project/job, requested change, and requester.

2) Do not use email-thread contact info
   - Do NOT use the phone number or link in the email.
   - Use the vendor master record or a previously verified contact.

3) Perform out-of-band callback verification
   - Call a known-good number and verify:
     - vendor identity
     - requested bank name and last 4 of account
     - effective date and reason for change
   - Record date/time, who you spoke with, and what was verified.

4) Require dual approval
   - Banking changes: AP Lead + Finance Approver.
   - New payee: AP Lead + Finance Approver.

5) Update vendor record
   - Update remittance details in your accounting system.
   - Attach verification notes and evidence.

## Exceptions
- All exceptions require Finance Approver sign-off and documentation.

## If fraud is suspected
- Contact bank immediately for recall/hold.
- Preserve evidence (emails, headers, ticket notes).
- Report to IC3.

Related: email authentication and MFA.

Construction firms are attractive BEC targets for structural reasons. Projects involve multiple subcontractors and vendors who change from job to job. Invoice volumes are high, and payment timelines are often compressed by schedule pressure. Attackers exploit these conditions by researching your company and your vendor relationships before they ever send a fraudulent email.

The research phase is often invisible. Attackers monitor public bid results, project announcements, and subcontractor directories to learn who works with whom. They harvest email addresses from websites, LinkedIn profiles, and industry directories. Some compromise a vendor mailbox weeks before the fraud attempt, watching invoice threads to learn payment patterns, dollar amounts, and the names of people who handle approvals. By the time the fraudulent banking change request arrives, the attacker has enough context to make it look routine.

The timing of the request is deliberate. Fraudulent payment changes often arrive near month-end or quarter-end, when accounting teams are processing high volumes and time pressure makes thorough verification feel like a bottleneck. The request itself typically appears in an existing email thread, replying to a real invoice, so it inherits the visual legitimacy of the conversation. These details are why out-of-band verification using contact data you already trust is so important: the email itself is designed to pass a casual check.

Related: Business Email Compromise (BEC) and construction and real estate industry brief.

The vendor master record is your single source of truth for payment contact information. If the record is incomplete, outdated, or accessible to too many people, the out-of-band verification step in your SOP becomes harder to execute reliably.

Start by ensuring every active vendor has a verified primary contact phone number that was confirmed through a channel other than email. This is the number you call when a banking change request arrives. If the vendor master record only contains an email address, you have no independent way to verify a change request, and the entire procedure rests on a single compromised channel.

When onboarding a new vendor, collect the verification contact information at the same time as banking details. Do not wait until a change request arrives to discover that the only contact information on file came from the same email thread that is now requesting a change. This upfront investment makes the verification step faster and more reliable when it matters.

Limit who can update vendor banking details in your accounting system. In many construction firms, anyone in AP or project management can modify remittance information. Tighten this to a small group with documented approval authority, and require that every banking change pass through the verification SOP before the record is updated. Audit the vendor master periodically for stale or missing contact information, and treat that audit as part of your standard financial controls rather than an IT task.

Consider implementing a change log for vendor banking updates that captures who made the change, when, and what verification was performed. This creates an audit trail that is useful both for internal review and for demonstrating controls to auditors, insurers, or customers who ask about your payment security practices. A change log also makes it easier to investigate if a fraudulent change was processed despite the verification procedure.

Related: RBAC guide and IT vendor management.

The procedure only works if the people who receive payment change requests know what to do with them. Training should cover three things: what BEC looks like in a construction context, what the SOP requires them to do, and why deviations are dangerous even under time pressure.

Focus training on the specific scenarios your teams encounter. Project managers often receive vendor change requests during active jobs and may feel pressure to keep payments moving. Accounts payable may process dozens of invoices per day and can miss a single banking change buried in a reply thread. Role-specific examples, including screenshots of real (anonymized) attempts, are more effective than generic security awareness slides.

Reinforce the training with periodic reminders. A brief mention in a monthly AP meeting or a project kickoff checklist keeps the procedure visible without requiring a full retraining session. When a real attempt is caught, share the details internally (without attributing blame) so the team sees that the controls work and the threat is real.

Related: security awareness training.

Process stops fraud, but technology makes the process harder to bypass. DMARC, DKIM, and SPF reduce the chance that spoofed emails reach your inbox in the first place. MFA on email and finance accounts prevents credential-based mailbox compromise, which is how most BEC attacks start. These technical controls are complementary to the verification procedure: they reduce the volume of fraudulent requests that reach your team, while the procedure catches whatever gets through.

Access governance matters too. Keep payment approval roles tight and reviewed regularly. See our RBAC guide for more on least-privilege access patterns. When fewer people can approve payments, exceptions stand out faster and social engineering has fewer entry points.

Related: identity foundations.