Why construction firms are being targeted by online criminals

Mandate fraud, also known as payment diversion fraud and business email compromise, usually happens when a criminal contacts a business or customer via email claiming to be from a company that the business or customer has been dealing with.

They will request a payment to be made via fake but very plausible invoices, or payment details to be changed.

It is estimated that mandate fraud costs the UK more than £100m annually, with the average loss per business around £27,700. In 2019 alone, 3,577 reports were reported to the police.

One historical mandate fraud cost a single construction company £1.1m.

According to the North East Business Resilience Centre (NEBRC), the scams are becoming more sophisticated with the criminals often creating fake e-mail addresses which are very similar or identical to genuine business, down to the e- signatures and disclaimers.

These directs payments from businesses and customers go straight into the criminal’s bank account where it is quickly moved on.

The scammers do their homework and will often go to extraordinary lengths to mimic their victim’s online presence and email branding.

The NEBRC, which advises firms on how to prevent such fraud, is currently advising across the construction sector including prevention, recovery from an attack and putting in robust IT protection.

Supt Rebecca Chapman, inset, head of the not-for-profit NEBRC, said: “Mandate fraud aimed at construction businesses is becoming more commonplace as the nature of the sector with complex supply chains, multiple third-party contractors and a fast-moving work environment often meaning there’s little time to double check authentic looking requests that come in on email.

“But the construction industry needs to be aware of this threat and ensure they have robust systems and checks in place.

“The NEBRC can advise businesses who don’t know where to start.”

She added: “It only takes a split second for a member of staff to unwittingly allow a mandate fraud to take place, and the criminals will take no time at all to move any monies on from genuine customers and bank accounts.”

The managing director of a medium-sized Yorkshire construction-based firm with a £3m turnover, said: “We’ve been trading a long time and had all the relevant standard industry protection you would expect for a company our size. We thought we were safe.

“We had a customer who owed us a substantial amount of money and when we were chasing them for our monthly payment they announced they had already paid us – which they hadn’t.

“It turned out, they showed us an email purporting to be our offices that was instructing them to change our payment banking details and they paid our monthly payment into someone else’s bank account on what seemed to be our instruction. We realised this was a serious situation that can affect anybody.”

Eight in ten mid-sized businesses in the North experienced fraud in 2021, with more than a third of companies reporting an increase on the previous year, according to a new report.

BDO’s Fraud Survey - which monitored fraud trends at 500 mid-sized UK firms - found that more than a third of firms suffered security breaches through cyber-attacks over the last 12 months. While more than a quarter of frauds were externally generated, 30 per cent involved collusion between internal and external individuals.