Wire transfers are quickly replacing paper checks as the most common payment method on construction projects nationwide. Using wire transfers or other electronic payment offers convenience to the payor and nearly instantaneous payment for the recipient (especially compared to the days or even weeks of waiting for mailed or collected checks). The benefits of wire transfers, however, come with risks that all construction industry professionals should pay attention to.
One common online attack can have multi-million dollar implications. Here’s the scheme. A hacker uses a phishing attack to access an owner’s or contractor’s computer system and steal information to dupe the payor into wiring money to a fraudulent account. Construction companies are particularly vulnerable to such deception because often the person issuing progress payments works in an office away from the construction site and has little to no direct contact with the payee contractor or subcontractor.
Recently, a hacker using this scheme struck a contractor close to home. Using a contractor’s employee’s name, the hacker created a fake email account that looked like the employee’s address, except it ended in “.us” instead of “.com.” The hacker then told the owner school district that the contractor no longer wanted payments by check, but rather via wire transfer. After the hacker provided the school district with the bank and account number to which it could transfer progress payments, the school district wired a seven-figure progress payment to the fraudster’s account without verifying its validity. This tragic example raises two important questions: (1) how can construction businesses protect themselves from such attacks, and (2) who bears the risk of loss for such attacks?
An upcoming article will explore parties’ legal obligations and liability. But what measures should construction professionals take now to protect themselves and their business? Here is an overview:
- Bolster IT security systems and protocols by:
  - Keeping IT systems and anti-virus software up-to-date.
  - Training employees on spotting and avoiding cyber-attacks.
  - Never opening attachments from unknown senders.
  - Using strong passwords.
  - Continuously auditing IT systems for suspicious activity.
- Use caution when discussing sensitive information, such as wire instructions and other financial information, by:
  - Carefully reviewing emails for any suspicious content, such as requests for passwords and unrequested attachments.
  - Checking closely the spelling of names and email addresses, as often a hacker’s fake website or email address will differ by only one character from the true URL.
- Incorporate protections against electronic payment fraud into contracts by including terms that:
  - Require formal change orders to alter payment procedures.
  - Mandate that the payor must speak directly (and preferably, in person) with the payee’s authorized representative (as identified in the contract) about changing payment procedures.
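The address check in the list above, including the “.us” for “.com” swap from the incident, can be automated against a list of payee domains taken from the contract. The following is an added example, not part of the original article; the domain names, `KNOWN_PAYEE_DOMAINS` and the function names are constructed for illustration.

```python
"""Flag sender addresses whose domain imitates a known payee domain."""

# Constructed sample data: the domain each payee is known to use, taken
# from the signed contract rather than from any incoming email.
KNOWN_PAYEE_DOMAINS = {"acme-builders.com", "northside-electric.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'name.tld' into (name, tld) at the last dot."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def check_sender(address: str, known=KNOWN_PAYEE_DOMAINS) -> str:
    """Return 'known', 'lookalike:<reason>' or 'unknown' for a sender."""
    domain = address.rpartition("@")[2].strip().lower().rstrip(".")
    if domain in known:
        return "known"
    name, tld = split_domain(domain)
    for good in sorted(known):
        good_name, good_tld = split_domain(good)
        if name == good_name and tld != good_tld:
            return f"lookalike:tld-swap of {good}"
        if edit_distance(domain, good) == 1:
            return f"lookalike:one-character change from {good}"
    return "unknown"


if __name__ == "__main__":
    for sender in ("j.smith@acme-builders.com",   # genuine
                   "j.smith@acme-builders.us",    # TLD swap, as in the incident
                   "j.smith@acme-bui1ders.com",   # one character replaced
                   "billing@example.org"):        # unrelated
        print(f"{sender:32} {check_sender(sender)}")
```

A “known” result only means the domain matches the list; it does not authenticate the message, so a request to change payment details still needs the direct confirmation described in the contract terms above.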
If you find yourself or your company the victim of wire fraud, immediately alert your bank or other relevant financial institution. Minutes can make the difference between stopping the fraudulent transfer and losing millions. Additionally, payment systems involve complicated programming and infrastructure that require adequate security. Contractors should exercise caution when dealing with electronic payment issues and consult their legal counsel for day-to-day guidance to minimize risk. The lawyers at Cohen Seglias regularly advise clients on such issues.