BEC Scams Hit Construction Sector

Criminals are weaponising vulnerabilities in Australia's construction industry to steal millions of dollars via Business Email Compromise (BEC) scams.

AFP Assistant Commissioner Cyber Command Richard Chin said the AFP was tracking a concerning rise across the industry in BEC scams. These involve cybercriminals impersonating a business or its employees via email to deceive victims into redirecting legitimate payments to fraudulent accounts.

"The construction sector, with its high-value transactions and complex subcontracting chains, has become an attractive target for organised cybercrime groups operating both domestically and offshore," Assistant Commissioner Chin said.

"Unfortunately, victims often don't realise they've been defrauded until it's too late and the funds have already been moved through multiple international accounts.

"We're all busy and it's easy to rush through tasks, but when it comes to payments, taking a moment to stop and verify can be the difference between protecting your hard-earned cash and becoming a victim to cybercrime.

"No matter how legitimate a request may appear, always confirm payment instructions through a secondary communication channel, such as a trusted contact you've previously engaged with.

"Cybercrime prevention is a shared responsibility, and even small steps can stop significant financial losses.

"The AFP is working closely with industry partners, state, territory and international law enforcement, and financial institutions to disrupt these criminal syndicates. Through initiatives such as Operation Dolos, we are actively identifying offenders and recovering stolen funds where possible."

Scammers stole more than $152.6 million from Australians using BEC attacks in 2024. This was an increase of 66 per cent from 2023, which reported $91.6 million in losses according to the Targeting Scams report by the National Anti-Scams Centre.

This puts BEC scams among the top three self-reported cybercrimes for business in Australia, accounting for 13 per cent of all reports according to data from ReportCyber.

The AFP established the multiagency taskforce Operation Dolos in January 2020 to target the growing threat of BEC. It comprises the JPC3, state and territory police, the Australian Criminal Intelligence Commission, the Australian Cyber Security Centre, AUSTRAC and the financial sector.

The construction industry is a prime BEC target due to its high-value transactions, frequent invoicing, and often limited cybersecurity resources - especially among small, family-run businesses. Many operators lack dedicated finance teams and are time-poor, making them vulnerable to sophisticated scams that exploit trust and urgency.

These attacks use advanced social engineering, real-time surveillance, and psychological manipulation to bypass even the most cautious targets. They mimic tone, formatting and internal processes with alarming precision, sometimes even referencing previous legitimate communications which criminals may have intercepted.

Cybercriminals are also using sophisticated malware to carry out BEC scams.

These viruses infect devices when someone clicks a malicious link or opens a fake attachment. They run quietly in the background, often without triggering antivirus alerts. They capture login details for email and banking systems, giving criminals access to real business accounts.

Once inside, criminals monitor email conversations and set up hidden rules that automatically forward or delete messages containing keywords such as invoice, purchase, or payment - helping them intercept financial communications.
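One way a defender can hunt for the hidden rules described above, as an added example that is not part of the AFP release: the script below audits mailbox rules exported into a hypothetical list-of-records format (the field names are assumptions, not any vendor's API) and flags enabled rules that key on the finance words named here and then forward the mail outside the organisation, delete it, or bury it in a folder the owner rarely opens.

```python
import re
from dataclasses import dataclass

# Finance keywords the article names; matched case-insensitively as whole words.
KEYWORD_RE = re.compile(r"\b(invoice|purchase|payment)\b", re.IGNORECASE)
# Folders a rule can move mail into so the mailbox owner never notices it.
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}

@dataclass
class InboxRule:
    """One mailbox rule in a hypothetical export format (an assumption, not a vendor API)."""
    name: str
    enabled: bool
    conditions: list        # free-text descriptions of what the rule matches on
    actions: dict           # e.g. {"forward_to": [...], "delete": True, "move_to_folder": "..."}
    trusted_domains: tuple  # the organisation's own mail domains; forwards elsewhere are external

def rule_findings(rule: InboxRule) -> list:
    """Return reasons a rule looks like BEC mailbox tampering; empty list if it looks benign."""
    if not rule.enabled:
        return []
    hits = sorted({m.group(1).lower() for c in rule.conditions for m in KEYWORD_RE.finditer(c)})
    if not hits:
        return []  # rules that never touch finance traffic are out of scope here
    words = ", ".join(hits)
    findings = []
    targets = rule.actions.get("forward_to", []) + rule.actions.get("redirect_to", [])
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in rule.trusted_domains]
    if external:
        findings.append(f"forwards mail matching {words} outside the organisation: {', '.join(external)}")
    if rule.actions.get("delete"):
        findings.append(f"deletes mail matching {words}")
    folder = rule.actions.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides mail matching {words} in '{folder}'")
    return findings

def audit(rules: list) -> dict:
    # Map the name of every suspicious enabled rule to its list of findings.
    return {r.name: f for r in rules if (f := rule_findings(r))}

# Constructed sample export (not real data): one benign rule and two tampered ones.
SAMPLE_RULES = [
    InboxRule("Newsletters", True, ["subject contains newsletter"],
              {"move_to_folder": "Newsletters"}, ("example.com",)),
    InboxRule(".", True, ["subject or body contains invoice", "body contains payment"],
              {"forward_to": ["collector@mail.example.invalid"], "delete": True}, ("example.com",)),
    InboxRule("Archive POs", True, ["subject contains Purchase Order"],
              {"move_to_folder": "RSS Feeds"}, ("example.com",)),
]
```

Running `audit(SAMPLE_RULES)` flags the two tampered rules and ignores the newsletter rule; the same logic applies to a real rule export once its fields are mapped onto `InboxRule`.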

Using real email accounts, which are often spoofed to replicate the legitimate account, they send convincing invoices with fake bank details, deceiving businesses into sending money to criminal-controlled accounts.

These viruses are designed to avoid detection and can stay active for weeks or months, allowing criminals to plan and execute multiple attacks.

Case studies

New South Wales

A NSW-based construction company received fraudulent invoices totalling $41,800 from criminals who spoofed the email of a trusted supplier. After making the payment, the victim texted the remittance to the supplier using a known mobile number and was told the bank details were incorrect. The victim immediately reported the incident to police via ReportCyber, who were able to recover the full amount.

South Australia

A conveyancing firm in South Australia was targeted in another BEC scam. A client overseas was settling a property and received a fraudulent invoice for $338,000 after the conveyancing firm's email was compromised. The AFP's Operation Dolos, acting on information from international partners, intercepted the payment and recovered the full amount for the victim.

Tasmania

A Tasmanian woman had $120,000 stolen after scammers intercepted her email correspondence with a construction company she had hired to renovate her home. Using a spoofed email address that closely mimicked the legitimate business, the criminals claimed the company had updated its banking details and sent a new invoice. The invoice was an exact replica of the original - except the payment details had been replaced with the scammers' account. Due to a delay in reporting, the money was not recoverable.

Queensland

Scammers targeted an organisation using a combination of sophisticated technical and social engineering techniques. The scammers impersonated a legitimate construction company and appeared to have detailed knowledge of its relationship with the organisation, indicating that extensive research had been carried out. Investigations identified that this matter, and other similar offences, have links to offshore syndicates, revealing the borderless nature of this crime type. While some funds were recovered, total losses amounted to more than $1 million.

How to protect yourself

To defend against BEC scams, follow these best practices:

  • Verify payment requests through a trusted contact, not via phone numbers or emails listed in the invoice. Even if the request comes from the business's 'finance team', confirm directly with your trusted contact.
  • Implement ACSC's Essential Eight mitigation strategies to strengthen your cyber posture.
  • Contact your financial institution immediately if you believe you've made an incorrect payment.
  • Report suspicious activity to police via ReportCyber.

The Joint Policing Cybercrime Coordination Centre (JPC3) has launched ClickFit, a cybercrime awareness campaign designed to help Australians recognise the warning signs of scams and take simple steps to protect themselves online.

Being ClickFit is building safe online habits into your everyday digital routine. By regularly updating passwords, enabling Multi-Factor Authentication (MFA), and slowing down before we click, we make it significantly harder for cybercriminals to succeed and easier for people to navigate safely online.

Learn more about the campaign, check your ClickFit-ness level and access the free resources here.
