That Invoice Might Be a Trap: How Construction and Manufacturing Companies Lose Millions to Email Fraud
Imagine this: somebody in your accounting department gets an email from a vendor asking to update their bank account details before the next payment goes out. The email looks normal. The language is professional. The timing makes sense because there's an outstanding invoice due this week. So the AP clerk processes the change, the payment goes out on schedule, and the money vanishes into an account controlled by someone on the other side of the world.
This is business email compromise, or BEC, and it's one of the most financially destructive cyberattacks in the world right now. The most upsetting part is that it isn’t dependent on sophisticated malware or dramatic system shutdowns. It exploits the way people work: fast, trusting, and mostly by email.
The Numbers Behind the Threat
The FBI's Internet Crime Complaint Center logged close to $2.8 billion in BEC losses in 2024 alone. Over the past three years, BEC-related losses reported to the FBI total nearly $8.5 billion (FBI IC3 2024 Annual Report). The Association for Financial Professionals found that 63% of organizations experienced BEC last year (AFP 2025 Fraud and Control Survey).
And it's accelerating. LevelBlue SpiderLabs documented a 15% increase in BEC attacks in 2025 compared to the prior year, with their systems intercepting over 3,000 BEC messages per month on average (LevelBlue). Separate research from Hoxhunt found that BEC attacks accounted for 73% of all reported cyber incidents in 2024 (Eye Security / Hoxhunt).
Those are real dollars leaving real companies, often in a single fraudulent transaction.
Why Construction and Manufacturing Get Hit the Hardest
If you work in construction or manufacturing, your industry has a target on its back. According to VIPRE's Q3 2024 Email Threat Report, manufacturing is the single most-targeted industry for BEC attacks, accounting for 27% of all incidents (VIPRE). Abnormal Security found that 92% of manufacturing organizations reported being targeted by advanced email attacks, with 73% suffering at least one successful attack in the past year (Abnormal Security / Industrial Cyber). BEC attacks on manufacturers jumped 56% year-over-year, and phishing attacks against the sector rose by more than 80%.
Construction is in equally rough shape. BEC scams tied to the construction industry accounted for over $1.2 billion in losses during 2023 (Bernstein Shur). Between 2023 and 2024, nearly 500 construction organizations were listed on data-leak websites, a jump of more than 30% from the year before.
Both industries move large sums of money through complex webs of vendors, subcontractors, and suppliers. Payments are frequent, high-value, and time-sensitive. People are answering emails from jobsites, factory floors, and trucks. As construction law firm Babst Calland put it: "Few industries move money with the frequency, speed, and decentralization of construction... lots of money moving quickly, through lots of hands, via communication channels designed for convenience, not security" (Babst Calland).
Real Companies, Real Losses
These scams don't just affect Fortune 500 firms. They hit companies of every size.
Orion Engineered Carbons, a global chemical manufacturer, reported a $60 million loss from BEC in an SEC filing after a non-executive employee was tricked into completing a series of fraudulent wire transfers (Eftsure).
FACC AG, an Austrian aerospace parts manufacturer, lost $47 million when fraudsters impersonated the CEO via email and convinced a finance employee to wire money for a fictitious acquisition.
Toyota Boshoku Corporation, a major Toyota supplier, lost $37 million after an employee was persuaded to change account details on an electronic funds transfer.
On the construction side, a government entity lost $670,000 when scammers created a fake email domain mimicking a construction vendor. The only difference in the domain name was a single character: an uppercase "I" swapped for a lowercase "l." The government's AP clerk processed the bank account change, and payments were rerouted to the scammer's account. Only $240,000 was recovered (Delta Consulting Group / Lexology).
Even smaller firms aren't spared. A demolition company with fewer than 50 employees had its email compromised, leading to a $56,000 invoice payment being intercepted and sent to a fraudulent account. The vendor who paid the fake invoice didn't have cyber insurance, so the loss was split between the two companies (Coalition).
How These Scams Work
BEC doesn't require breaking through a firewall or planting ransomware. The attacker's primary tools are patience and impersonation. Here's the typical playbook:
Step 1: Get In and Watch
Attackers gain access to an email account through a phishing link or stolen credentials. Then they sit quietly, sometimes for weeks or months, monitoring email threads and studying how the company handles payments. They learn who approves invoices, what vendors are active, and when big payments are due.
Step 2: Strike at the Right Moment
Once they understand the rhythm of the business, they act. They might send an email from a compromised account asking a vendor to redirect a payment. Or they create a lookalike domain and impersonate a supplier requesting a bank account change. The emails often arrive mid-project, referencing real invoices and real conversations. LevelBlue SpiderLabs noted that fraudsters increasingly create fake email threads with multiple personas, making it look like an executive and vendor are both involved in the request (LevelBlue).
Step 3: Apply Pressure
Approximately 75% of BEC attacks demand action within 24 to 48 hours, using language like "Urgent," "ASAP," or "Past Due" to short-circuit careful review (Hoxhunt). In construction and manufacturing, where delayed payments can stall projects or halt production lines, that urgency feels completely plausible.
And the scams are getting harder to spot. An estimated 40% of BEC phishing emails are now AI-generated, producing polished, error-free messages that don't have the telltale grammar mistakes people used to rely on as warning signs.
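A mail-screening check for the patterns in this playbook, as an added example that is not part of the original article: it flags sender domains that imitate a known vendor (including the capital-I-for-lowercase-l swap from the case above), payment-detail changes, and urgency wording. The vendor list, function names and sample message are assumptions constructed for illustration.

```python
# Added example: hold suspicious vendor mail for phone verification.
# KNOWN_VENDORS and the sample message are constructed, not real data.
import re

KNOWN_VENDORS = ["hillside-concrete.example", "apexsteel.example"]
URGENCY = re.compile(r"\b(urgent|asap|past due)\b", re.I)
PAYMENT = re.compile(r"\b(bank|account|wire|routing)\b", re.I)
CHANGE = re.compile(r"\b(change|update|new)\b", re.I)
# After lowercasing, fold characters that render alike (I/l/1, 0/o).
CONFUSABLES = str.maketrans("i10", "llo")

def skeleton(domain):
    """Reduce a domain to a form where visually similar spellings are equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, to catch one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known vendor domain this one imitates, or None."""
    d = domain.lower()
    if d in KNOWN_VENDORS:
        return None  # exact match: the genuine vendor domain
    for vendor in KNOWN_VENDORS:
        if skeleton(d) == skeleton(vendor) or edit_distance(d, vendor) <= 1:
            return vendor
    return None

def triage(sender, subject, body):
    """Return the reasons to hold a message until the vendor is phoned."""
    reasons = []
    vendor = lookalike_of(sender.rsplit("@", 1)[-1])
    if vendor:
        reasons.append(f"lookalike of {vendor}")
    text = f"{subject} {body}"
    if PAYMENT.search(text) and CHANGE.search(text):
        reasons.append("payment detail change")
    if URGENCY.search(text):
        reasons.append("urgency language")
    return reasons

if __name__ == "__main__":
    print(triage("ap@hiIlside-concrete.example", "URGENT: new wire instructions",
                 "Please update our bank account before Friday's payment."))
```

A message sent from a genuinely compromised vendor mailbox passes the domain check, which is why the keyword reasons are reported separately and the phone call-back remains the control that matters.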
Practical Steps You Can Take Now
You don't need a Fortune 500 IT budget to protect your company. Most of the defenses that stop BEC are procedural, not technical.
- Verify payment changes by phone. Any request to change bank account information or wire instructions should be confirmed through a phone call to a known, previously established number. Not the number in the email. This single step would have prevented nearly every case described above.
- Require dual approval on wire transfers. No single person should be able to authorize a large payment without a second set of eyes. This is especially important for construction companies processing draw requests and progress payments.
- Train your team on what these attacks look like. BEC emails don't look like the spam most people expect. They look like normal business correspondence. Regular training that uses realistic examples, like a fake subcontractor invoice or a spoofed vendor bank change request, prepares people for the threats they'll actually face. New employees are particularly vulnerable. Attackers specifically target people in their first two to seven weeks on the job because they haven't yet learned the communication patterns of their colleagues.
- Implement email authentication protocols. DMARC, SPF, and DKIM are tools that help prevent attackers from spoofing your company's email domain. They won't stop every attack, but they make impersonation significantly harder. As of 2025, email authentication has moved from best practice to a baseline expectation.
- Enable multi-factor authentication on every email account. MFA won't prevent someone from sending you a fraudulent email, but it does prevent attackers from breaking into your team's accounts and using them as launchpads for fraud. Data shows that in 2023, 58% of BEC attacks targeted organizations without MFA, but by early 2024, only 25% did, suggesting attackers shifted away from companies that had MFA in place.
- Get a standalone cyber insurance policy. Many construction and manufacturing companies assume their general liability policy covers cyber fraud. It usually doesn't. A standalone cyber liability policy or a social engineering fraud endorsement can be the difference between absorbing a loss and recovering from one.
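To show what enforcement looks like for the email authentication item above, this added example (not from the original article) audits a domain's published SPF and DMARC TXT records for settings that leave spoofing unblocked. The sample records and the mailhost.example names are constructed; in practice the strings come from DNS TXT lookups on the domain and on its _dmarc subdomain.

```python
# Added example: audit SPF and DMARC TXT records for weak settings.
# SAMPLE holds constructed records, a weak pair beside an enforced pair.
SAMPLE = {
    "weak": ("v=spf1 include:_spf.mailhost.example ~all", "v=DMARC1; p=none"),
    "enforced": ("v=spf1 include:_spf.mailhost.example -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}

def audit_dmarc(record):
    """Return findings for one DMARC TXT record (empty list = enforced)."""
    if not record:
        return ["no DMARC record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record is not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, receivers are not asked to block failing mail")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to review")
    return findings

def audit_spf(record):
    """Return findings for one SPF TXT record, judged by its 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        # With redirect=, the policy lives in the target record; audit that.
        redirected = any(t.startswith("redirect=") for t in terms)
        return [] if redirected else ["no 'all' term: unlisted senders get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"+": ["+all authorizes every sender on the internet"],
            "?": ["?all is neutral: unlisted senders are not failed"],
            "~": ["~all is softfail: unlisted senders are marked, not failed"],
            "-": []}[qualifier]

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE.items():
        print(name, audit_spf(spf) + audit_dmarc(dmarc))
```

These records protect only the exact domain they are published for; a lookalike domain registered by the attacker can pass SPF, DKIM and DMARC on its own.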
The Value of Having Someone Watching Your Back
For most construction and manufacturing companies, there's no dedicated security team reviewing email configurations, running phishing simulations, or monitoring for credential leaks. That's the kind of gap where a managed IT services partner makes a real difference, not as an add-on expense, but as a practical extension of your operations.
An MSP can set up and monitor email authentication, deploy multi-factor authentication across your organization, run targeted security awareness training, maintain your incident response plan, and catch suspicious activity before it turns into a six-figure loss. The protection gets baked into your daily operations instead of sitting on a shelf as a policy nobody follows.
Start With a Clear Picture
If you're not sure where your email security stands, or whether your current setup has blind spots that could leave you exposed to invoice fraud, Connecting Point can help you find out. Our Network Discovery assessment gives you a detailed look at your infrastructure, identifies vulnerabilities, and provides a clear roadmap for closing the gaps.
Ready to get ahead of these changes? Contact the Connecting Point team today to review your upcoming infrastructure needs and lock in the best pricing and availability while you still can.
970.356.7224 | www.CPcolorado.com | info@CPcolorado.com
Connecting Point is a trusted IT solutions provider based in Greeley, Colorado, helping businesses across Northern Colorado and beyond navigate technology decisions with confidence.


