THE SHORT ANSWER
A Minnesota developer lost $735,000 when attackers manipulated email communications and rerouted a subcontractor payment. A North Carolina church lost $793,000 because fraudsters impersonated their construction company. The City of Athens, Ohio lost $721,976 to someone posing as Pepper Construction. The construction industry accounts for over $1.2 billion in annual email fraud losses in the US alone. Your firm is exposed from both directions — as the target paying a fake invoice, and as the identity being spoofed to steal from your clients. Either way, the attack starts with one email and an email environment that was never hardened to stop it.
IT Accuracy | Managed IT Services, Los Angeles | Date: May 1, 2026 | 9 min read
AT A GLANCE
The general contractor did not get hacked. Nobody broke into their server. Nobody stole their client list. Attackers simply registered a domain one character off from their company name, created an email address that looked identical at a glance, and used it to intercept a payment that a long-standing client was expecting to make. The client wired the money. The GC never received it. Both parties were victims. For construction companies in Los Angeles, where active projects, rotating subcontractors, and high-value billing cycles are the norm, this is not a distant threat. It is an active one. Construction email security in Los Angeles starts with understanding how the attack works before it reaches your billing cycle.
The documented cases of construction-related email fraud share a consistent structure: an attacker inserts themselves into a trusted payment relationship, swaps the bank details, and the money moves before anyone realizes the email was fake. What varies is who bears the loss.
Developer as Victim — United States: Beck Properties and Ryan Companies — Minnesota. $735,000, not recovered.
Attackers manipulated email communications between Beck Properties and its general contractor R.J. Ryan, ultimately rerouting a subcontractor payment to an unknown Capital One account. The fraud was only discovered a month later when unpaid subcontractors filed liens. Beck is now suing both the general contractor and the escrow agent, alleging that R.J. Ryan’s lack of email security and employee training contributed to the breach. The US Secret Service is investigating. None of the funds have been recovered.
Client as Victim — United States: Elkin Valley Baptist Church — North Carolina. $793,000, largely unrecovered.
The church had spent over a decade saving for a new worship center. After breaking ground, attackers infiltrated email communications between the church and its construction company. The financial secretary, believing she was following legitimate instructions from the construction firm, wired the full payment to a fraudulent account. The fraud was not discovered until the real construction company followed up a week later. The church was forced to take out a loan to complete the project it had planned to build debt-free. FBI and cyber forensics investigations recovered only a fraction of the funds.
City Government as Victim — United States: City of Athens, Ohio (attacker impersonating Pepper Construction). $721,976, stolen via email impersonation.
Attackers created a domain nearly identical to that of Pepper Construction Company, a legitimate and established contractor working with the city. Using that spoofed domain, they sent invoices and payment instructions that appeared to come from the real firm. The city processed the payments. Pepper Construction had done nothing wrong — their identity was the attack vector, not their systems. The city absorbed the loss. Pepper’s client relationship was disrupted regardless.
Three cases. A developer. A church. A city. Combined losses of over $2.25 million across incidents where the common denominator was the construction billing relationship. In the Elkin Valley and Athens cases, the construction firm itself was not the direct financial victim. But their name, their domain, and their trusted relationship with the client were the weapon. That exposure does not require your systems to be breached. It requires your domain to be spoofable — and most construction company email environments are.
Email fraud targeting invoice payments is not randomly distributed. It concentrates where the conditions favor it: high transaction values, multiple simultaneous vendor relationships, time pressure on billing cycles, and an email-centric culture where payment changes are communicated routinely. Construction checks every box — and in a market like Los Angeles, where GCs regularly run multiple concurrent projects across different neighborhoods and trade relationships, the attack surface is especially wide.
A general contractor running three active projects may be managing invoices from twenty or thirty subcontractors simultaneously. Framing, concrete, electrical, plumbing, HVAC, roofing — each with their own billing cycle, their own contact at accounts payable, and their own history of prior payments that establishes credibility. When an invoice arrives at the expected time for approximately the expected amount from what appears to be the expected sender, it does not get scrutinized. That is the gap the attack lives in.
The subcontractor relationship structure creates a second exposure that most GCs have not thought through. Attackers do not need to compromise your systems to steal from you. They can compromise a subcontractor’s email account, monitor the billing relationship, and insert a modified invoice at the moment a payment is due. The payment goes to a criminal account. The real subcontractor calls asking why they have not been paid. You are now liable for both the fraudulent payment and the original invoice. Email security configured for construction environments in Los Angeles means closing this gap at both ends of the relationship — protecting your domain from being used to defraud your clients, and protecting your inbox from being monitored to defraud you.
The double liability nobody talks about
When a construction company pays a fraudulent invoice, it is still legally obligated to pay the real one. The fraud does not extinguish the underlying contract. A $200,000 payment intercepted by an attacker leaves the firm owing $200,000 to the real subcontractor on top of the loss. That double exposure is why the true cost of a single incident almost always exceeds the intercepted payment amount.
THE EMAIL FRAUD NUMBERS THAT DEFINE CONSTRUCTION'S EXPOSURE
Real estate and construction BEC losses in 2023: $1.2B — reported to the FBI; among the most targeted sectors in the country.
Average BEC claim cost in 2024: $183,000 — up from $84,000 in 2023, a 118% increase in a single year.
Vendor email compromise increase in 2023: 137% year over year, with construction among the most affected industries globally.
Understanding the mechanics makes it clear why most construction companies have no idea how exposed they are. The attack does not require any technical sophistication on the attacker’s part or any mistake on your part — beyond having an email environment that was set up without the specific controls that prevent spoofing.
HOW A CONSTRUCTION INVOICE FRAUD ATTACK UNFOLDS STEP BY STEP
Your company is identified as a target identity
Attackers search public permit records, LinkedIn, your website, and Procore or similar platforms for information about your active projects, client relationships, and billing contacts. They identify which clients owe you money and when payments are typically due. This takes under an hour.
A lookalike domain is registered
yourgcfirm.com becomes yourgc-firm.com, or yourgcfirms.com, or yourgcfirm.net. The difference is invisible in a busy inbox or on a mobile device. Because most construction company domains have no DMARC enforcement, the receiving mail server has no way to reject email impersonating your domain. It arrives in the client’s inbox as legitimate-looking correspondence.
A timed invoice is sent to your client
An invoice arrives in your client’s AP inbox at the expected point in the billing cycle, formatted identically to prior legitimate invoices, for an amount consistent with the project scope. The only change is the bank account or wire instructions. The email explains this plausibly: a new banking partner, an accounting system migration, a treasury management change.
The client processes payment to the fraudulent account
The AP clerk or project manager approves the payment. It matches an expected vendor and an expected amount. The funds move to a criminal-controlled account, often overseas. The attacker immediately begins moving the money onward through layered accounts to make recovery nearly impossible.
You discover it when your client asks why you have not invoiced yet
Or when they say they already paid. At that point the client relationship is damaged regardless of who absorbs the loss. In the Athens and Elkin Valley cases, the real construction firm had done nothing wrong — and still had to manage the aftermath of their name being used to commit fraud against someone who trusted them.
Every stage of this attack has a corresponding control. None require exotic technology. All require deliberate configuration that most construction company email environments have never received.
The most important is DMARC at enforcement. SPF, DKIM, and DMARC working together at enforcement policy tell receiving mail servers to reject email that claims to come from your domain but cannot pass authentication. This directly stops the lookalike domain spoofing scenario that enabled the City of Athens attack and the Elkin Valley Baptist Church attack. A client whose mail server checks DMARC would have seen those emails rejected before they reached anyone’s inbox. Most construction company domains have no DMARC policy at all, which means any attacker can register a lookalike domain and send email that appears to come from your company with nothing to stop it. IT Accuracy’s email security service implements and maintains DMARC at enforcement as a baseline deliverable for every client.
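Knowing where a domain actually stands is the first check a practitioner makes; the grader below is an added example, not IT Accuracy's code, that reads a _dmarc TXT record the way a receiving server does and says whether the policy is enforcement, monitoring, or nothing. It assumes constructed records for fictional domains. One caveat: DMARC authenticates mail that claims your exact domain, so a lookalike registration the attacker controls is a different domain and is the job of the lookalike-domain detection the article lists among its inbound controls.

```python
"""Grade a domain's DMARC posture from its _dmarc TXT record.
Constructed sample records; in practice fetch the record for
_dmarc.<your-domain> (e.g. `dig TXT _dmarc.example.com`) and pass it in.
"""

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def grade_dmarc(txt):
    """Return (policy, verdict); pass None when the domain has no _dmarc record.

    Only p=reject at pct=100 is enforcement. p=none only asks for reports, and
    p=quarantine leaves spoofed mail in a spam folder it can be released from.
    """
    if txt is None:
        return ("missing", "EXPOSED: no DMARC record, spoofed mail is accepted")
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":  # receivers ignore a record without this exact tag
        return ("invalid", "EXPOSED: malformed record is ignored by receivers")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject":
        if pct == 100:
            return ("reject", "OK: enforcement, spoofed mail is rejected")
        return ("reject", f"PARTIAL: only {pct}% of failing mail is rejected")
    if policy == "quarantine":
        return ("quarantine", "WEAK: spoofed mail is filed as spam, not rejected")
    return ("none", "EXPOSED: monitoring only, nothing is blocked")

# Constructed records for five fictional contractor domains
SAMPLE_RECORDS = {
    "gc-hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@gc-hardened.example",
    "gc-partial.example": "v=DMARC1; p=reject; pct=25",
    "gc-quarantine.example": "v=DMARC1; p=quarantine; adkim=s",
    "gc-monitor.example": "v=DMARC1; p=none; rua=mailto:reports@gc-monitor.example",
    "gc-nothing.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, verdict = grade_dmarc(record)
        print(f"{domain:24} {policy:11} {verdict}")
```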
The second control is MFA on every email account. The Beck Properties case involved email communications being manipulated — which in higher-sophistication attacks means the attacker gained access to a real inbox and monitored it before acting. MFA stops that. A stolen or phished password does not get an attacker into the inbox if accessing it requires a physical device they do not have. Every email account involved in project billing, client communication, and subcontractor coordination should require MFA. Many construction firm email setups, particularly accounts accessed from job site tablets or shared project management inboxes, do not enforce this. This is part of the security posture IT Accuracy’s cybersecurity assessment covers for construction clients.
The third control is a payment change verification protocol. No technology required — just a written policy stating that any change to payment details must be confirmed by a callback to a number already on file in your accounting system. Not a number in the email. Not a callback to the number provided in the change request. One rule, communicated to every person with AP access, stops the majority of invoice fraud attempts before any wire moves.
The construction industry is a prime target due to its high-value transactions, frequent invoicing, and often limited cybersecurity resources, especially among small, family-run businesses. Cybercriminals monitor email conversations, set up hidden rules that automatically forward messages containing keywords like invoice or payment, and use this access to execute fraud over weeks without detection.
Australian Federal Police, Operation Dolos advisory on business email compromise in the construction sector, October 2025
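The hidden rules the advisory describes leave a footprint in the mailbox's own rule list; the audit below is an added example (not the advisory's or IT Accuracy's code) that flags rules forwarding mail off-domain, filing money-related mail where nobody looks, or carrying a blank name. RULES, INTERNAL_DOMAIN and the field names are constructed assumptions rather than any mail platform's real export format.

```python
"""Audit exported mailbox rules for the pattern the advisory describes: rules
that forward or hide mail mentioning invoices or payments.

RULES is a constructed export and its field names are assumptions, not any mail
platform's real schema; export real rules with your platform's admin tooling.
"""
INTERNAL_DOMAIN = "yourgcfirm.example"  # assumed company domain
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}
# Folders users rarely open; a rule filing money-related mail there is hiding it
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Junk Email", "Deleted Items"}

# Constructed rule export: one dict per rule, roughly as an admin export lists them
RULES = [
    {"mailbox": "ap@yourgcfirm.example", "name": "Vendor sort", "keywords": ["invoice"],
     "forward_to": [], "move_to": "Vendors", "delete": False},
    {"mailbox": "pm@yourgcfirm.example", "name": ".", "keywords": ["invoice", "payment"],
     "forward_to": ["collector@mail-drop.example"], "move_to": None, "delete": True},
    {"mailbox": "billing@yourgcfirm.example", "name": "Tidy", "keywords": ["wire"],
     "forward_to": [], "move_to": "RSS Subscriptions", "delete": False},
]

def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def audit_rule(rule):
    """Return the reasons one rule looks like BEC tradecraft; an empty list means clean."""
    reasons = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    money = sorted(k for k in rule["keywords"] if k.lower() in MONEY_WORDS)
    if external:
        reasons.append("forwards to external " + ", ".join(external))
    if money and (rule["delete"] or rule["move_to"] in HIDING_FOLDERS):
        reasons.append("hides mail matching " + ", ".join(money))
    if not rule["name"].strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def audit_rules(rules):
    """Map 'mailbox: rule name' to its reasons for every rule that is flagged."""
    return {f"{r['mailbox']}: {r['name']!r}": audit_rule(r) for r in rules if audit_rule(r)}

if __name__ == "__main__":
    for key, reasons in audit_rules(RULES).items():
        print(key, "->", "; ".join(reasons))
```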
You do not need a full IT engagement to close the most critical gaps. Construction email security in Los Angeles does not start with a six-month project. There are three things you can verify or implement immediately that address the primary vectors illustrated by all three cases above.
Three immediate actions for construction firms — do these before the next billing cycle
Check your DMARC policy today. Go to mxtoolbox.com and enter your company domain. If DMARC is missing, set to “none,” or set to “quarantine” rather than “reject,” attackers can send email impersonating your company to your clients right now with no technical barrier. This is the gap that enabled the City of Athens attack. Your IT provider should be able to move this to enforcement within a day. If they cannot tell you what your DMARC policy is, that is itself the answer.
Enforce MFA on every email account your team uses for client and subcontractor communications. This includes accounts accessed from job site tablets, shared project inboxes, and any account that has not been reviewed since it was originally set up. If any account can be accessed with a username and password alone, a phished or purchased credential is all an attacker needs to monitor your billing relationships silently for weeks. The Beck Properties attack involved email manipulation that MFA would have significantly complicated.
Write and communicate a bank account change policy. One sentence is enough: no change to payment details will be acted on without a verbal confirmation using a number already on file in your accounting system. Every person with AP access at your firm needs to know this rule exists. The Elkin Valley Church loss could have been stopped at this step. The clerk was following what appeared to be legitimate instructions. A protocol requiring a callback to a known number would have revealed the fraud before the wire moved.
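As an added example (not code from the article or from IT Accuracy), the triage below turns the lookalike-domain step and the bank-change rule into a check that runs when an invoice reaches AP: it spots a sender domain that only resembles a vendor on file, and routes any change in bank details to the callback number already in the vendor master, never one taken from the email. VENDORS, SAMPLES and their field names are constructed assumptions.

```python
"""Triage an inbound invoice email against the vendor master before any wire moves.
VENDORS, SAMPLES and their field names are constructed assumptions. Checks: is the
sender domain a lookalike of a known vendor, and do the bank details differ from
the record on file? A bank change routes to the callback number on file only.
"""
from difflib import SequenceMatcher
# Constructed vendor master: bank account and callback number already on file
VENDORS = {
    "ironframe-steel.example": {"account": "00112233", "phone": "+1-213-555-0100"},
    "valley-concrete.example": {"account": "99887766", "phone": "+1-213-555-0145"},
}

def normalize(domain):
    """Collapse common lookalike substitutions and drop the TLD (.com vs .net)."""
    name = domain.lower().rsplit(".", 1)[0]
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""), (".", "")):
        name = name.replace(bad, good)
    return name

def lookalike_of(sender_domain):
    """Return the vendor domain this sender imitates, or None if exact or unrelated."""
    if sender_domain in VENDORS:
        return None
    probe = normalize(sender_domain)
    for vendor in VENDORS:
        if SequenceMatcher(None, probe, normalize(vendor)).ratio() >= 0.85:
            return vendor
    return None

def triage(message):
    """Return findings for one invoice email; an empty list means the normal AP path."""
    findings = []
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender {sender_domain} is a lookalike of vendor {imitated}")
    vendor = VENDORS.get(imitated or sender_domain)
    if vendor is None:
        findings.append(f"sender {sender_domain} is not in the vendor master")
    elif message["account"] != vendor["account"]:
        findings.append(f"bank account changed: call {vendor['phone']} (number on file), not a number from the email")
    return findings

# Constructed inbound messages: routine, changed bank details, lookalike sender
SAMPLES = [
    {"from": "ap@ironframe-steel.example", "account": "00112233"},
    {"from": "ap@ironframe-steel.example", "account": "55555555"},
    {"from": "ap@ironframe-stee1.example", "account": "55555555"},
]
```

Running triage() over SAMPLES passes the first message, sends the second to a callback on the number on file, and for the third also names the vendor the sender is imitating.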
Your clients may hold you responsible even if you are the identity victim
In the Elkin Valley and Athens cases, the real construction firm bore significant reputational and relationship damage even though their systems were not compromised. Clients who lose money to a fraudster impersonating your company may pursue legal claims based on the argument that your domain was spoofable and your email environment had no authentication controls. DMARC at enforcement is increasingly cited in these disputes as the standard of care that a legitimate business should have in place.
HOW IT ACCURACY PROTECTS CONSTRUCTION COMPANIES FROM INVOICE FRAUD
IT Accuracy implements and manages the email authentication controls that prevent your domain from being used to defraud your clients, and the inbox security controls that prevent attackers from monitoring your billing relationships to defraud you. We start with a complete audit of your current email environment, close the authentication gaps, and establish ongoing monitoring.
For construction companies with active subcontractor and client relationships across multiple projects, we also review your vendor communication protocols and help establish the payment verification workflows that stop fraud at the process level before any technical control is needed.
SPF, DKIM, and DMARC configured at enforcement — stopping domain spoofing cold
MFA enforced on all accounts including shared project inboxes and site-accessed email
Advanced email filtering with lookalike domain detection and invoice anomaly flagging
Network segmentation protecting project management systems from general access
Email continuity and backup so operations continue if an account is compromised
Help desk support that understands construction workflows and field-to-office connectivity
IT Accuracy provides cybersecurity and security awareness training, managed network services, cloud solutions, and help desk support for businesses across Los Angeles and nationwide.