$7.7 million fraud: how US BEC scams hit construction and government sectors

What is a BEC scam?

A BEC scam occurs when cybercriminals pose as trusted partners—like vendors or executives—to deceive finance teams into sending money to fraudulent accounts. These scams rely heavily on email hacking and social engineering to make requests appear legitimate.

The Texas scam: A construction firm’s $6 million loss

In Texas, cybercriminals hacked into the email account of a vendor working with a construction firm. They monitored communication between the vendor and the firm for an extended period, waiting for the perfect moment to strike. When a legitimate payment was expected, the attackers sent a fraudulent email, disguised as the vendor, requesting a change in bank details.

The construction firm’s finance team, unaware of the fraud, transferred $6 million to the fraudulent account. By the time the fraud was detected, the money had already been dispersed through multiple accounts, many of them overseas. The complex network of transactions made tracing the funds extremely difficult, and recovery efforts were largely unsuccessful.

The North Carolina scam: $1.7 million diverted from a government entity

In North Carolina, Cabarrus County was targeted by BEC scammers posing as a contractor building a new high school. The scammers sent an email requesting a change in bank details, which the county’s finance department processed without verifying directly with the contractor.

The county transferred $2.5 million to the fraudulent account, but only $776,000 was recovered. This left $1.7 million unrecovered. The funds were quickly dispersed through various accounts, making recovery nearly impossible. This scam was part of a larger nationwide BEC operation targeting various government organisations across the US.

Why are construction and government sectors prime targets?

Construction and government sectors are frequent targets for BEC scams due to their specific operational characteristics:

1. 1. High transaction volumes: These industries handle numerous large payments, creating opportunities for fraudulent invoices to slip through unnoticed. With frequent financial transactions, it becomes easier for scammers to blend fraudulent requests with legitimate ones, increasing the risk of successful BEC attacks.
   2. Complex supply chains: Both sectors often rely on multiple contractors, vendors, and third-party service providers. This complexity makes it challenging to track each payment and verify all financial details, allowing cybercriminals to exploit gaps in communication or procedural weaknesses.
   3. Bureaucratic processes: Government agencies, in particular, have long, bureaucratic approval processes that often create opportunities for fraudsters. The delays in communication and the layers of approval can make organisations more vulnerable when fraudulent payment requests are made to appear urgent.

How finance leaders can protect against BEC scams

Finance leaders should prioritise strong financial controls to protect their organisations from BEC scams. Here are key steps that can help mitigate the risk:

• Implement robust verification procedures: Always verify payment requests—especially when changes to vendor details are involved—through a secondary communication method, such as a direct phone call to the vendor.
• Segregation of duties: Ensure that different individuals are responsible for approving and processing payments. This separation adds an extra layer of security.
• Employee training: Regularly train finance and procurement teams to spot the warning signs of BEC scams. Encourage employees to question any payment requests that seem unusual or urgent.
• Monitoring and auditing: Regularly audit financial transactions and use automated tools to monitor for suspicious payment activity, such as sudden changes in vendor account details.
• Vendor management: Maintain up-to-date records of vendor information and make it standard practice to confirm any requested changes directly with the vendor.