From 3D printing and drone use, to increased use of tablets, laptops, smartphones, and wearables, the construction industry is becoming increasingly dependent on the use of technology. Use of augmented reality programs, advanced tracking technologies, and multi-user cloud-based platforms are on the rise; and while these technologies can increase efficiency, reduce costs, and increase worksite safety, they also come with increased risk. This article discusses two of these risks: business email compromise scams and malware.
- Business Email Compromise
While any business connected to the internet is a potential victim, one type of attack that has seen an increase in recent years is the business email compromise (BEC) scam. Also known as whaling, spear-phishing, or CEO/CFO fraud, the BEC is a method of attack in which the attacker fraudulently accesses company funds through the use of a spoofed or hijacked email account. The BEC attacker accomplishes this by infiltrating the company network, usually through a spear-phishing scam, and sending a fraudulent funds transfer request posing as either a trusted company executive or customer.
Consider the following news reports: in 2016, a construction company fell victim to a BEC scam when an employee was duped into sending the names, Social Security numbers, and tax withholding information of thousands of employees to a fake account in response to a fraudulent email request. In 2017, a university fell victim to a BEC scam when an employee transferred nearly $12 million to an account in response to scammers who posed as an Edmonton construction and contracting company. In March 2018, a film company fell victim to a BEC scam that caused the loss of $21 million. And law firms are no stranger to this type of scam: in 2017, an associate at a law firm in Canada was duped by a spear-phishing email into transferring more than $2.5 million into a scammer’s account.
BEC scams are particularly effective because they are often designed to evade standard security mechanisms such as spam filters and anti-malware software. Scammers spend time researching victims prior to the attack; utilizing information obtained from company websites, social media, online articles, or the dark web, to find information on company executives, employees, corporate structure, and supply chain vendors. Scammers may infiltrate a company’s network in advance using malware to monitor information about the company and its billing and payment procedures. Scammers utilize sophisticated social engineering techniques in their emails, which are generally more personalized and well written, with no spelling or grammatical errors, making them appear authentic to unsuspecting victims. The criminals then target employees with access to company finances and send emails that appear to come from company executives or customers, pressuring employees to act quickly.
Construction companies should also be aware of another type of cyber threat known as malware, a type of malicious software designed to disrupt, damage, or gain unauthorized access to a computer system. Malware can include viruses, worms, trojans, spyware, and ransomware. Like a BEC attack, malware attacks are frequently launched through phishing scams but may also be launched through unpatched software vulnerabilities or by clicking on compromised links containing harmful executable files. Malware can cripple an organization and cause millions of dollars in damages, loss of productivity, and reputational harm. A recent example in the construction industry was in 2017, when French multinational construction material manufacturer Saint-Gobain fell victim to the destructive malware NotPetya, causing losses estimated at ‚¬220 million in sales and ‚¬65 million in operating income.
Simply put, the more internet connected devices a company utilizes, the greater the risk to its systems. Malware can be introduced into company’s systems not only through desktop computers, but also through interconnected mobile devices such as tablets, laptops, smart phones, and even USB drives. If construction employees in the field are not properly trained, they may inadvertently open email attachments that contain harmful executable files, respond to spear-phishing emails, click on malicious pop ups, or unwittingly connect USB drives containing malicious code to company systems.
While construction companies may not store the types of information normally associated with cyber-attacks, such as large volumes of credit card information or financial records, construction companies do possess other information of interest to cyber criminals, including employee personally identifiable information (PII), federal tax information, architectural drawings and building specifications, company financial account information, bid and contract documentation, and covered defense information (CDI).
Ultimately, however, it may not be the construction company itself cyber criminals are after. In a recent example, the Wall Street Journal reported in 2019 that a construction contractor in Oregon fell victim to a cyberattack that was likely part of a larger scheme to obtain access to an electrical utility company. According to the report, because the contractor was a “soft” or easy target, it had no reason to be on alert against a cyberattack. This report highlights the common practice of hackers to utilize third-party entities as a platform to launch attacks on the intended target such as a large corporation, or, as in this case, a utility company or the government. These types of incidents underscore the importance for companies to exercise due diligence in their cybersecurity practices, including the verification of third-party vendors who have access to company systems.
III. Increased Risk = Increased Liability
As the use of technology in the construction industry increases and the risk of cyberattacks along with it, construction companies are taking on increased liability for these attacks in their contracts. Modern construction contracts are frequently written to address these risks and shift liability to the party at fault. As a result, construction companies must carefully analyze contracts to understand their responsibilities concerning data privacy and security. Failure to do so can expose the company to significant liability.
For example, at the federal level, the Federal Acquisition Regulations (FAR) clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, requires contractors to implement minimum security controls to protect covered contractor information systems. Additionally, contractors who have access to CDI must comply with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to provide adequate security measures on all covered information systems that process, store, or transmit CDI in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. State contracting provisions may also contain their own data privacy and security requirements as well. In the private sector, provisions addressing data privacy and security are also utilized in standard construction industry forms from organizations such as the American Institute of Architects (AIA) and ConsensusDocs.
- Protective Measures
While some contract provisions such as DFARS clause 252.204-7012 require construction contractors to implement specific measures to protect information from unauthorized access, other provisions may not, and instead require contractors to implement “reasonable” or “industry standard” measures that are adequate to protect against these threats.
The following are some specific measures construction contractors can take to reduce their risk of falling victim to a BEC scam or becoming infected by malware:
- Keep all software and systems patched and up to date with their latest versions, including reliable anti-malware software, to reduce likelihood of malware infection.
- Implement a comprehensive information security program that addresses information availability, confidentiality, and integrity.
- Implement and practice an effective disaster recovery and business continuity plan, including regular data backups in the event of a malware attack.
- Limit network access based on users’ roles.
- Secure all networks, ports, routers, and firewalls to prevent unauthorized access.
- Monitor use of all mobile devices and external media and prohibit use of personal devices on company systems, or, if that is infeasible, restrict use through an appropriate bring-your-own-device (BYOD) policy.
- Provide regular employee training that includes threat identification such as recognizing BEC scams and other social engineering techniques as well as general internet safety.
- Consider purchasing cyber liability insurance that adequately addresses company risk.
While no measures can completely eliminate the risk of BEC scams and malware, fostering a culture of company awareness, employee training, and appropriate planning, can help construction contractors reduce their overall risk of falling victim to these and other threats.
The contents of this column are intended to be for information purposes only and does not constitute legal advice.
 See Marc Stiles, Turner Construction Data Breach Exposes Hundreds In Washington To Possible Fraud (April 11, 2016), https://www.bizjournals.com/seattle/blog/techflash/2016/04/turner-construction-data-breach-exposes-hundreds.html
 See Caley Ramsay, MacEwan University Defrauded of Nearly $12Million in Phishing Scam (August 31, 2017), https://globalnews.ca/news/3710654/macewan-university-loses-nearly-12m-in-phishing-scam/
 See Mathew J. Schwartz, French Cinema Chain Fires Dutch Executives Over €˜CEO Fraud’ (November 13, 2018), https://www.bankinfosecurity.com/blogs/french-cinema-chain-fires-dutch-executives-over-ceo-fraud-p-2681
 See Scott Flaherty, Dentons Lawyer Wired $2.5 Million to Scam Bank Account in Elaborate Con (January 22, 2019), https://www.law.com/americanlawyer/2019/01/22/dentons-lawyer-wired-2-5-million-to-scam-bank-account-in-elaborate-con/
 See Rebecca Smith and Rob Barry, America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It (January 10, 2019), https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112