By Kenneth Rubinstein and Eric Penley
The following story is real (with only minor details changed to protect the client’s identity) and was relayed to me by a client:
A large hospital hired a nationally known contractor to construct a roughly $40,000,000 project. Midway through the project, the owner received an email from someone they thought was their contractor, instructing that the contractor had changed banks and providing new wiring instructions. The email looked real in every respect. The owner even called the executive’s assistant (using the phone number listed on the email) who sounded very professional and had confirmed the new information.
Unfortunately, this was part of an elaborate, but increasingly common, scheme. In this instance, the owner followed the instructions, and the contractor did not contact the owner until 2 payments had been missed – not wanting to be pushy. By that point, the owner had wired out approximately $1.5 Million in requisition payments.
The construction industry is increasingly under the threat of cyber-fraud. Criminals know that large capital projects often require significant payments, which occur regularly. It is fairly easy to identify the contractors involved in these projects, and criminals can then use that information to steal progress payments.
How The Scam Works
The criminal discovers an ongoing capital project and determines the identity of the contractor from media reports, job signage, or otherwise. The criminal then creates a false e-mail account that “spoofs” the actual e-mail address of the company using a similar domain. Accordingly, if the contractor’s name is AAA Builders, and their correct e-mail suffix is @aaabuilders.com, the criminal may create and register a domain of aaabuiIders.com (using capital I instead of lowercase L) or @aaa-builders.com (inserting a dash in the name) from which to send the e-mail.
The criminal then sends the e-mail with the spoofed address (usually using a name that the owner will recognize from the project) to the owner, requesting changes to the payment method. The e-mail often requests that future payments be wired to a specific account number, which is actually the criminal’s account.
Important: The e-mail may include a phone number, which is also the criminal’s number, to answer any questions. Criminals often create email “signatures” at the bottom of emails using the contractor’s logo so that the body of the email will appear authentic. When the owner then wires progress or other payments to the designated account, the criminal immediately removes the funds. At that point, the criminal has the owner’s money, while the owner remains liable to the contractor for the applicable payment or payments that it wired to the fraudulent account. When these scams succeed, losses are usually significant and irreversible.
How to Protect Yourself And Your Organization
To protect yourself from this type of scam, we recommend that you take the following precautions, which include the suggestions contained in FBI Alert No. I-050517-PSA, along with a few additional recommendations.
- Whenever you get a payment related email, closely examine the domain and e-mail address to confirm that it matches the correct domain of the contractor. (Hover your mouse over any links in the e-mail to see the address before clicking.)
- Always assume that any unsolicited e-mail concerning payment processing may be a fraud, and verify that the request is genuine.
- There have been instances where hackers have been able to access legitimate e-mail accounts. Accordingly, it is essential that you also call someone at the contractor’s office whose voice you know and verify the request.
- Never use the telephone number included in the e-mail you received unless it is a number you have called before.
- Forward suspicious e-mails to your organization’s IT department.
- You may also report suspected fraud to the FBI’s Internet Crime Complaint Center at www.IC3.gov.
Following these protocols does not necessarily prevent all frauds. However, adhering to this approach should reduce the chances that a cyber fraud will succeed on this project, or any future project that you may undertake.
Kenneth Rubinstein, an attorney, is co-chair of Preti Flaherty’s Construction Law Practice Group and can be reached at KRubinstein@Preti.com. Eric Penley is also an attorney with Preti Flaherty’s Construction Law Practice Group and can be reached at EPenley@Preti.com.