The Australian Federal Police (AFP) has issued a national alert. Business email compromise (BEC) scams caused more than A$152.6 million in losses across Australian businesses in 2024, a 66 percent increase from 2023. Construction firms are among the most targeted.
“The construction sector, with its high-value transactions and complex subcontracting chains, has become an attractive target for organised cybercrime groups operating both domestically and offshore,” the AFP noted.
With frequent onboarding, pressure to pay subcontractors quickly and fragmented data, construction AP teams are on the front line of this risk.
How criminals exploit AP workflows
BEC scams often start with an email that appears genuine. An attacker hijacks a thread or impersonates a supplier. The message includes an invoice or a bank account update, and it is sent to someone who can release funds.
Notable case examples
Recent AFP cases show how construction-focused BEC scams continue to evolve:
- New South Wales: A construction company paid a fraudulent invoice totalling A$41,800 after criminals spoofed a trusted supplier’s email. The scam was detected quickly and the full amount was recovered.
- South Australia: A conveyancing firm’s email was compromised, leading to a client overseas receiving a fake invoice for A$338,000. The payment was intercepted and recovered through international coordination.
- Tasmania: A woman lost A$120,000 after scammers intercepted her correspondence with a construction business. The fake invoice was an exact replica, with only the bank details changed. The funds were unrecoverable.
- Queensland: Criminals impersonated a legitimate construction company using highly targeted tactics. While some funds were recovered, total losses exceeded A$1 million. Offshore links were identified.
These cases reflect how quickly and convincingly attackers can mimic real suppliers and insert themselves into payment processes.
Why standard controls fall short
The AFP advises confirming payment instructions through a second communication channel. But if the contact details for that second channel are taken from the same email or invoice, the check reaches whoever wrote the message, and the control fails before it begins.
Eftsure helps construction AP teams close that gap. The platform validates supplier identity, bank account details and tax numbers at the point of approval. It flags unexpected changes in real time and applies the same checks across high-volume or fast-turnaround projects.
For firms that work internationally, cross-border verification confirms supplier and banking details before funds are released.
What AP leaders can do now
- Flag all supplier detail changes for independent review
- Source phone numbers from verified public directories
- Use structured call-back scripts with pre-approved questions
- Avoid using email as the sole source of payment instructions
Each verified step strengthens control and reduces loss.
What happens next depends on your controls
The AFP’s warning is clear. Construction suppliers are now a preferred target for BEC scams. With structured verification and purpose-built controls, AP teams can reduce fraud risk before payments are made.