The construction industry has become a top target for cybercriminals, with over $1.2 billion in real estate-related BEC losses reported in 2023 alone, according to the FBI. Business Email Compromise (BEC) scams — where attackers impersonate vendors, contractors, or executives — are especially devastating, exploiting the large, frequent transactions that construction projects require.
For CFOs, finance managers, and AP teams, the stakes couldn’t be higher. A single fake invoice, hacked email, or forged payment request can lead to massive financial losses, reputational damage, and operational disruptions.
Here are six real-world BEC scams that hit construction companies worldwide — a wake-up call for stronger cybersecurity and payment controls.
A Minnesota developer, Beck Properties, lost $735,000 in a BEC scam after cybercriminals—potentially insiders—manipulated an executive’s email and forged a notary’s approval to reroute a payment. The funds, meant for subcontractors, were transferred to an unknown Capital One account and have not been recovered.
Beck is now suing its general contractor (R.J. Ryan) and escrow agent (FSA Title) for negligence, civil theft, and fraud, arguing that both parties failed to follow proper payment verification protocols. The U.S. Secret Service is investigating.
Despite weekly checks for unauthorized access, R.J. Ryan only realized the fraud a month later—after unpaid subcontractors filed liens. The lawsuit claims R.J. Ryan’s lack of email security and employee training contributed to the breach.
Elkin Valley Baptist Church in North Carolina spent over a decade saving for a new worship center, only to lose $793,000 in a BEC scam just months after breaking ground.
The church’s financial secretary, believing they were following legitimate instructions from their construction company, wired the payment to fraudsters who had infiltrated email communications. The scam went unnoticed until the real construction company followed up a week later saying they never received the funds.
Despite FBI and cyber forensics investigations, much of the money remains missing. The church is now forced to take out a loan to complete the project, despite originally planning to build debt-free.
The city of Athens, Ohio, fell victim to a BEC scam, losing $721,976 after cybercriminals impersonated a trusted contractor, Pepper Construction Company.
The scammers sent emails from a nearly identical domain name and submitted a fraudulent electronic payment authorization form, tricking city officials into transferring funds via ACH. By the time the fraud was discovered, the money had already been sent.
Athens officials acted quickly, attempting to recall the funds and filing a lawsuit to track and freeze the stolen money. However, recovering funds from BEC scams is notoriously difficult, often leaving victims with massive financial losses and little recourse.
A massive BEC scheme led by Erick Jason Victoria-Brito and a team of fraudsters stole over $60 million from small businesses, nonprofits, local governments, and corporations over five years.
The group created thousands of fake businesses and bank accounts, tricking companies—including a major sports team and a publicly traded healthcare firm—into wiring funds to fraudulent accounts. The stolen money was funneled to banks in China, making recovery nearly impossible.
Victoria-Brito was extradited from the Dominican Republic and faces up to 50 years in prison. This case is a clear example of how BEC scams continue to evolve and become more sophisticated, targeting organizations of all sizes.
A new Houston doggy daycare lost over $250,000 to a BEC scam before it could even open its doors. The scammer impersonated a trusted construction company, using a nearly identical email address—just one small spelling difference—to trick the business owner into wiring funds to a fraudulent bank account.
The victim had successfully made two previous payments to the real vendor, making the third invoice seem routine. Unfortunately, by the time she realized the fraud, the money was gone. The business owner has since switched to hand-delivering checks to prevent further fraud.
A construction company in Victoria, Australia, narrowly avoided a $900,000 loss after falling victim to a BEC scam. The fraudsters hacked into a supplier’s email account and sent a fake invoice that appeared legitimate—except the bank details had been changed.
The scam was only discovered when the supplier followed up on payment, and by then, the money had already been transferred. Fortunately, Bendigo and Adelaide Bank’s customer protection team was able to recover over $897,000, saving the business from catastrophic losses.
As seen in these six cases, anyone—from large corporations to small businesses, nonprofits, and government entities—can fall victim to BEC attacks. The financial and operational consequences of these scams can be devastating, leading to project delays, legal battles, and in some cases, irrecoverable financial losses.
The good news is that BEC is preventable with the right security measures. To mitigate risk, finance teams must prioritize cybersecurity, implement multi-step payment verification protocols, and stay vigilant against suspicious email activity. Verifying payment details directly with vendors via a trusted phone number—not just email—can be the difference between a secure transaction and a financial disaster.
Nonprofits are prime BEC targets—see real attacks and what finance leaders must do to protect funds, data, and mission-critical operations.
Manufacturers are top targets for BEC scams. See 6 real cases that expose how attackers steal millions—and what finance teams must do to stay protected.
See how 5 real BEC scams stole millions from healthcare orgs—what finance leaders must know to stop attacks that target payments, data, and operations.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
