Checks and cheques – practical tips to prevent cybercrime in the construction industry

16 September 2024

The cybercrime industry continues to experience significant growth and is impacting a broad range of businesses. Relevantly, in 2023, around 25% of respondents to an Australian Institute of Criminology survey were negatively impacted in some way by cybercrime in the 12 months prior to the survey.¹

A classic example of cyberfraud in the construction industry (well publicised, but still occurring regularly) is the Business Email Compromise (BEC) scam. A BEC scam is a form of cybercrime in which an attacker gains access to a business email account and uses it to scam organisations out of money or goods.

The purpose of this article is to act as a refresher on the current state of the law in respect of BEC scams and provide some helpful steps that you can implement to prevent cybercrime in your supply chain.

Key Takeaways

  • Implement, and keep in place, adequate and secure IT systems and staff training, with an emphasis on any trending or emerging scams;
  • Review your contracts for any exclusions of liability for loss arising from BEC scams and seek advice on preventative measures to mitigate risk;
  • Consider whether your insurance covers you for social engineering fraud, and evaluate the possible risk against any premiums for gaining such coverage;
  • Speak with your financial institution. Australian banks have recently introduced measures to scrutinise payments made to suspicious bank accounts. You should liaise with your bank to understand what measures they can put in place to help protect your business; and
  • Undertake due diligence. Always undertake appropriate due diligence in respect of any new entity that you propose to contract with (or an existing entity that may have updated its details).

BEC Scams in the Construction Industry

In the construction industry, the BEC scam usually involves a hacker:

  1. gaining access to a contractor’s or supplier’s business email account;
  2. monitoring emails to understand who is responsible for sending invoices or payment claims in respect of works performed or supplies ordered;
  3. intercepting and amending payment correspondence by altering the bank account details included on invoices or payment requests; and
  4. receiving payment of that invoice or payment claim to an account that belongs to the hacker (rather than the contracting entity).

Legal Position on BEC Scams

There is currently no Australian judicial authority providing guidance on the treatment of BEC scams.

However, there is academic and industry commentary suggesting that a duty of care should be found for all businesses to do what is reasonable to ensure that their IT systems are secure against hackers looking to perpetrate BEC scams.

Under this theory, if a business does not adequately protect its IT systems, it is more likely to be hacked. A common analogy is that of a bank leaving the doors to its vault open. It follows that, in the modern environment of sophisticated, AI-powered fake identities, it is critical that businesses maintain robust, up-to-date IT security and do everything reasonable to protect their systems.

US and Canadian courts have found that businesses breached their duty to ensure robust IT security, and have allowed victims to recover losses said to have been caused by such a breach.

However, in the Australian context, courts are reluctant to expand the reach of negligence law, so it is not clear that negligence would form the basis of liability for BEC scams locally.

In Australia, determining legal liability for BEC losses is complex and depends on several factors, including the specific circumstances of the scam, the actions of the parties involved, and applicable laws. Below is a breakdown of potential liabilities:

  • Victims: as noted above under negligence theory, the business that falls victim to the BEC scam is often primarily liable for the losses, particularly if it has failed to exercise due care, such as neglecting its IT security measures or failing to verify the authenticity of the email.
  • Hackers: the fraudsters who execute the scam are criminally and civilly liable for the losses. However, recovery from them is often difficult, as they may be anonymous, international or otherwise out of reach of legal enforcement.
  • Payors, banks, IT vendors, employees and cybersecurity providers: each of these may have some liability, particularly for intentional or negligent acts or omissions. In particular, payors may bear some liability where they are made aware of a change of bank account details but do nothing to verify that change.

Preventative Steps

BEC

The key to preventing BEC scams is awareness: ensuring that you have secure and adequate IT systems in place and that staff have been trained to recognise the traditional red flags. These include:

  • receiving notice of an unexpected change in bank details from a vendor;
  • receiving urgent payment requests or threats resulting from non-payment;
  • receiving unexpected payment requests from someone in authority especially if payment requests are unusual from that person; and
  • an email address that does not look right or is different from one seen previously.²
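The red flags above can be applied mechanically before a payment claim is released. The following Python script is an added example, not part of the article, and assumes a hypothetical vendor master record maintained by accounts payable; the vendor names, domains, BSBs and account numbers are constructed. It checks three of the flags at once: a sender domain that differs from (or is a lookalike of) the supplier's known domain, bank details that differ from the verified record, and pressure wording in the request.

```python
from dataclasses import dataclass

# Constructed vendor master record: the details accounts payable has already
# verified for each supplier (hypothetical values, not from the article).
VENDOR_MASTER = {
    "acme-concrete": {"domain": "acmeconcrete.com.au", "bsb": "062-000", "account": "12345678"},
}
# Pressure wording typical of the "urgent payment request" red flag.
URGENCY_TERMS = ("urgent", "immediately", "today", "final notice", "legal action")

@dataclass
class PaymentClaim:
    vendor_id: str   # supplier the claim purports to come from
    sender: str      # From: address of the email carrying the claim
    bsb: str
    account: str
    body: str

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(claim: PaymentClaim, master=VENDOR_MASTER) -> list:
    """Return the red flags raised by a payment claim; an empty list means none."""
    rec = master.get(claim.vendor_id)
    if rec is None:
        return ["unknown vendor: complete due diligence before any payment"]
    flags = []
    domain = claim.sender.rsplit("@", 1)[-1].lower()
    if domain != rec["domain"]:
        kind = "lookalike" if levenshtein(domain, rec["domain"]) <= 2 else "unexpected"
        flags.append(f"{kind} sender domain {domain!r}, expected {rec['domain']!r}")
    if (claim.bsb, claim.account) != (rec["bsb"], rec["account"]):
        flags.append("bank details differ from vendor master: confirm by phone on the number already on file")
    hits = [t for t in URGENCY_TERMS if t in claim.body.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags

# Two constructed claims: a routine one, and one that trips all three checks.
LEGIT = PaymentClaim("acme-concrete", "accounts@acmeconcrete.com.au", "062-000", "12345678",
                     "Please find attached payment claim 12 for August works.")
SUSPECT = PaymentClaim("acme-concrete", "accounts@acmec0ncrete.com.au", "013-456", "87654321",
                       "URGENT: our bank details have changed, please pay today.")
```

Any non-empty result should hold the payment until the supplier has been called on a number already on file, never on a number taken from the email itself.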

However, this space is constantly evolving and growing in sophistication. It is therefore important that your entity remains aware of emerging methods of cybercrime and that your IT systems and staff training are updated to respond to new and emerging risks.

Contracting with a new party

Prior to engaging with any new entity or making advance payments, due diligence of that entity should be undertaken, including:

  • ASIC and/or InfoTrack company searches;
  • visiting the registered office of the company to confirm that it is in fact a genuine going concern;
  • undertaking due diligence on previous projects said to have been completed by the entity; and
  • critically reading and reviewing correspondence, websites (ensuring they use “https” and are verified³), contracts and phone conversations for irregularities (including any negative reviews).

After the fact

In the event that you find yourself becoming the victim of a BEC scam you should immediately consider the following steps:

  • contact your bank to see whether payment can be traced and stopped;
  • check the provisions of the relevant contract affected by the BEC scam to determine how liability is to be attributed;
  • contact your insurer to check whether your insurance policy covers fraud;
  • if impacted, report the scam to the following bodies:
    1. the Police;
    2. Australian Securities and Investments Commission (financial and investment scams);
    3. Australian Taxation Office (tax related scams); and/or
    4. Australian Communications and Media Authority (spam emails); and/or
  • engage with the other party impacted by the BEC scam and attempt to negotiate a commercially acceptable outcome.

Finally, if you are unsure of what steps to take, seek legal advice.

The article was written by Kate Morrow, Partner, Bill Singleton, Partner and Darcy Thompson, Senior Associate.


¹ Isabella Voce and Anthony Morgan, AIC Reports, Statistical Report 43, Cybercrime in Australia 2023 (Australian Government, Australian Institute of Criminology, 2023).

² Australian Government, Australian Signals Directorate, ‘Protecting Against Business Email Compromise’ (October 2021).

³ ‘Avoid being the victim of a scam’, Housing Industry Association Limited 2024 (Web Page, 25 July 2024).
