Fraudulent Payment Schemes
Targeting Construction and Real Estate Industries
It has become commonplace in the real estate and construction industry to make electronic, digital, and wired payments, especially with the very large sums that are often transferred. With paper checks disappearing, cybercriminals are now targeting these industries, victimizing both payors and payees and causing significant financial tension and reputational harm. As evidenced by a recent FBI bulletin specifically warning the construction industry, fraudsters have become increasingly sophisticated, hacking into e-mail servers, posing as escrow agents or company employees, and intercepting wire transfers before the payee or payor even realizes it. The author discusses the schemes that are now used to commit fraud and the implementation of proactive controls used to limit fraud in these industries.
Business e-mail compromise (BEC) is one of the most common scams used to rob construction projects. The cybercriminals start by breaching the security of the potential recipient of the payment; in construction, owners pay general contractors, who pay subcontractors. The cybercriminal will then secretly worm around the contractor’s server looking for the accounting-type person who is charged with monitoring invoices and payments. Then the cybercriminal will carry out a BEC, in which cyberthieves compromise e-mail accounts and manipulate payors into sending wire transfers to the thieves instead of the payee by using either a false invoice or a request for payment to a fraudulent bank account. This is done by sending a familiar-looking e-mail (i.e., changing one similar letter in the e-mail address) telling the payor to transfer the money to a different account. If the recipient does not notice the slight difference in the e-mail and follows the cybercriminals’ instruction, the money is wired to the thieves’ foreign bank account. Here, because the cyberthieves are attacking the network itself, it is extremely difficult for companies to detect the threat until the money does not show up as expected. Such schemes result in dual victimization: the payee is left without payment, the payor possibly has to pay twice, and both parties question where the liability falls, which puts extreme tension on what was once a strong business relationship.
It is imperative that construction and real estate industry professionals are proactive in reducing the risk of becoming victims of cybercriminals. Here are some risk management tactics:
Contract Upgrade: First and foremost, all contracts should be reviewed and upgraded to ensure inclusion of (1) exact language on how payments need to be submitted to the legitimate payee and (2) assignment of responsibility and perhaps indemnification if this process is not followed. Most existing contract templates are woefully silent on this risk.
Insurance: Second, insurance policies need to be evaluated, as many insurance products do not cover this type of loss. Additional coverage such as social engineering fraud, network security liability, and invoice manipulation protection should be analyzed to complete a gap analysis, as many commercial crime insurance policies will not cover BEC losses. Cyber loss insurance carriers are predictably responding to the increased risk with higher premiums, larger deductibles, narrower coverage, and lower limits. Contractors should work with their internal risk manager and outside brokers to assess this coverage and risk.
Internal Process: Finally, internal procedures and security programs need to be assessed to confirm company computer security systems will be deemed commercially reasonable in the event of litigation. Where the parties’ contracts are silent, case law has held that the party who was in the best position to prevent the cyber theft may be held responsible, which may come down to whether your computer security meets commercial standards. Moreover, a people-centric, multi-layered defense with training should be internally implemented to prevent, detect, and respond to this specific type of fraud. For example, training employees to examine new or changed wire instructions and to examine business e-mail addresses for spelling, grammar, and word usage, as well as requiring telephone confirmation of payment instructions, can also be helpful in mitigating risk.
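The address and wire-instruction checks described above can also be run automatically before any payment is released. The following Python sketch is an added example, not part of the original article: the vendor file, addresses, account numbers, character substitutions, and the two-edit threshold are all constructed assumptions.

```python
# Added example: pre-payment gate for e-mailed wire instructions.
# All addresses, accounts and the two-edit threshold are constructed assumptions.
VENDOR_FILE = {  # on-file sender address -> bank account on record
    "billing@northshore-concrete.example": "021000021-4455667",
    "ar@lakeside-steel.example": "071000013-9988776",
}
# Characters commonly swapped to make an address look familiar.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(addr: str) -> str:
    """Collapse look-alike characters so 'northsh0re' and 'northshore' compare equal."""
    return addr.strip().lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def lookalike_of(sender: str):
    """Return the on-file address that sender imitates; None if exact match or unrelated."""
    sender = sender.strip().lower()
    if sender in VENDOR_FILE:
        return None
    for known in VENDOR_FILE:
        if skeleton(sender) == skeleton(known) or edit_distance(sender, known) <= 2:
            return known
    return None


def review(sender: str, account: str) -> list:
    """Reasons to hold the payment for a telephone callback; an empty list means none found."""
    sender = sender.strip().lower()
    reasons = []
    imitated = lookalike_of(sender)
    if imitated:
        reasons.append(f"sender resembles on-file address {imitated}")
    elif sender not in VENDOR_FILE:
        reasons.append("sender not in vendor file")
    on_file = VENDOR_FILE.get(imitated or sender)
    if on_file is not None and account != on_file:
        reasons.append("bank account differs from account on file")
    return reasons
```

A request from the exact on-file address with a changed account is still held, because a compromised mailbox sends from the genuine address and inspecting the address alone would not catch it.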
A proactive approach to counteract the threat of fraudulent cyber payment is the only way to prepare for and reduce the potential cost of victimization. Updating contract clauses to specify whether the payor or payee bears the risk of loss in the case of fraudulent transfer of funds to a fake payee, identifying how to submit payment to the legitimate payee, and/or requiring a reasonable security program can help protect both parties. Additionally, analyzing current and sample insurance policies and endorsements to check for social engineering fraud, invoice manipulation, and network security coverage, as well as policy limits applying to such coverage and how the excess coverage will apply is also imperative for protection in the event your company is targeted by cybercriminals.
 Cyber Actors Impersonating Construction Companies to Conduct Business Email Compromises, Federal Bureau of Investigation, Cyber Division (June 9, 2021), https://www.cirt.org/resources/Documents/PIN_20210609-001.pdf.
 Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 F. App’x 348 (6th Cir. 2018).
This article was previously published in Michael Best & Friedrich LLP, Lexology, August 03, 2022, and is republished here by permission.
Roy E. Wagner is a Partner in the firm’s Real Estate practice group and leads the firm’s Construction Law group. He has more than 30 years of experience in the construction industry. He leverages his expertise to serve as a tactical advocate for his clients and helps them navigate a range of issues affecting the construction industry. Mr. Wagner provides strategic representation and counsel on real estate, commercial, and construction matters, including assisting owners, real estate and design professionals, contractors, and developers in facilitating their projects and strategically solving their legal disputes such as construction and design defect claims, professional liability claims, delay, disruption and/or acceleration claims, extra work claims, and mechanic lien claims. His in-depth knowledge of construction-related insurance coverage issues further enables him to help clients resolve claims.
Mr. Wagner can be contacted at (414) 270-2707 or by e-mail to email@example.com.