Cyber-phishermen are out there, and they are hoping to catch unsuspecting financial professionals. Consider receiving the following email at work:

From: JohnphishermanCEO@abc--usa.com
To: JaneguppyCFO@abc-usa.com
Subject: Hong Kong Wire Transfer

Jane, please wire $50,000 using the following wire transfer instruction to our vendor at Alpha Building Company to pay for the site inspection…


Can you spot the difference in the two email addresses? The fake email domain from the CEO has two dashes between “abc” and “usa.” The authentic domain has only one dash. During a busy day, with a crowded inbox, not many people would have noticed. As it happens, the CFO of the real construction company in this story wired the money to Hong Kong. Only by chance did the CFO mention the wire request to the CEO, revealing the fraud. Fortunately, the company was able to cancel the wire in time.

Because of the number of vendors, multiple locations and projects, and oftentimes inadequate internal controls, construction companies and their leaders are vulnerable to these sorts of scams. This fraud scheme, a targeted form of “phishing” often called business email compromise or CEO fraud, is just one of several scams that can cost a construction company hundreds of thousands of dollars.

While recent high-profile cyber-attacks targeted individuals’ credit cards, phishing and other schemes continue to defraud companies at an alarming success rate. The lures look so real that even the most savvy construction companies are taking the bait.

How Does the Scheme Work?
Typically, the CFO or controller receives an email from what appears to be the head of the company or an existing supplier or subcontractor. In both cases, the email is spoofed, meaning it is made to appear to be from corporate leadership or a trusted vendor. Often the sender address uses a lookalike domain that differs from the real one by a single character (e.g., jdoe@btcpa.net versus jdoe@btcppa.net).

Mimicking a CEO, the email might direct the CFO or controller to wire money overseas as soon as possible, providing the wiring instructions and associated account information. Mimicking a vendor, the email directs the construction company to update the wiring instructions and to use a new deposit account. Once the funds are transferred, the money is removed by the fraudster and the account is closed.

Besides the financial loss, this particular scam is especially concerning because the perpetrator appears to:
  • know the individuals responsible for initiating, approving and authorizing wire transfers;
  • know the dollar thresholds for authorization of wire transfer; and,
  • have access to email, calendars and voicemail systems.
Following are a few red flags to look for.
  • The email contains a sense of urgency.
  • The email may contain improper grammar.
  • The email domain is similar to the company’s actual domain.
  • The request is for first-time vendors or changes existing vendor account information.
  • The request is made to employees who are relatively new to the role or organization.
  • The dollar amount requested is just below the threshold at which additional approval would be required.
  • The company has no operations or vendors overseas, or none in the location to which the funds are to be sent.
  • The email directs the recipient to code the payment to miscellaneous expense or professional services.
It might seem like an organization would never fall for such a scam given these red flags, but some very successful, sophisticated construction companies have done just that.
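One way to turn the domain red flag above into an automated check, as an added example that is not code from the original article: the Python below compares the domain of each sender address against a list of trusted domains (the company’s own domain and its vendors’ domains; an assumed list here) and flags near misses such as the extra dash or the doubled letter in the article’s two examples. The sample From: headers are constructed for the example.

```python
"""Lookalike sender-domain check (added example; not code from the original article).

Flags From: addresses whose domain is a near miss of a trusted domain, which is
how the article's two examples (abc--usa.com vs abc-usa.com, btcppa.net vs
btcpa.net) would be caught. TRUSTED_DOMAINS and the sample headers are
constructed for this example.
"""
from email.utils import parseaddr

# Assumed: the company's own domain plus the vendor domains kept in the vendor master file.
TRUSTED_DOMAINS = {"abc-usa.com", "btcpa.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header; '' if there is no usable address."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain or " " in domain:
        return ""
    return domain.lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    verdict is one of:
      'trusted'   - the domain is a trusted domain or a subdomain of one
      'lookalike' - a trusted domain is embedded in it, or it is within
                    max_distance single-character edits of one
      'external'  - an unrelated domain (not proof of legitimacy, just not a near miss)
      'invalid'   - no parsable address
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("invalid", None)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in trusted:
        if t in domain:  # e.g. abc-usa.com.evil.example
            return ("lookalike", t)
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("external", None)


def scan_headers(headers):
    """Classify a list of From: headers and return only those that need a second look."""
    flagged = []
    for h in headers:
        verdict, match = classify_sender(h)
        if verdict in ("lookalike", "invalid"):
            flagged.append((h, verdict, match))
    return flagged


# Constructed sample headers, not real mail.
SAMPLE_FROM_HEADERS = [
    "JohnphishermanCEO@abc--usa.com",          # the article's two-dash lookalike
    "Jane Guppy <JaneguppyCFO@abc-usa.com>",   # genuine company address
    '"J. Doe" <jdoe@btcppa.net>',              # extra "p": lookalike of btcpa.net
    "billing@alpha-building.example",          # unrelated external sender
    "accounts@abc-usa.com.evil.example",       # trusted domain used as a prefix of another domain
    "it@mail.abc-usa.com",                     # legitimate subdomain of the company domain
]

if __name__ == "__main__":
    for header, verdict, match in scan_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:<9} {header!r} (resembles {match})")
```

The edit-distance threshold should be tuned to the length of the trusted domains (a threshold of 2 is too loose for a very short domain name). A check like this catches lookalike domains only; it does not replace verifying a payment request by telephone, and sender-authentication checks such as SPF, DKIM and DMARC will not flag a lookalike domain, because the fraudster legitimately controls that domain.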

Preventing This Scam
Because funds are so difficult to recover, prevention is a company’s best defense.
  • Require vendor approvals. Develop and implement strong vendor acceptance procedures that include verifying the vendor and any changes to the vendor master file, including wiring instructions. 
  • Require validation of new banking information. Confirm any new or changed account details by calling the vendor at a telephone number already on file, not at a number provided in the email requesting the change.
  • Require payment approvals. Make sure all supporting documentation is in place prior to initiating a wire transfer of funds, including invoices, purchase orders and a substantiation of a valid business purpose. Consider having positive confirmation or second-level approvals for amounts exceeding specified thresholds.
  • Provide or procure frequent fraud training for finance and accounting staff, including training related to the current authorization and payment policies.
  • Raise awareness of this and other scams by discussing vulnerabilities, red flags and preventions with the company’s accounting department. 
  • Update IT controls. Make sure firewalls, anti-virus and spam filters reflect current best practices, and configure the email system to flag messages from external senders and from domains that closely resemble the company’s own.

Recovering Funds
The unfortunate truth is that once an approved employee has initiated the wire transfer, the company has little chance of recovering the funds. The bank is not held liable as long as it followed proper protocols for processing the transaction.

Once the fraud is discovered, contact the bank’s fraud department immediately and direct it to stop the payment and freeze the recipient account. Fast action is imperative, as funds typically are cleared out within hours of the transfer.

It’s also possible to recover all or a portion of the loss through insurance. Review the firm’s insurance policies and contact its carrier to determine if the appropriate coverages exist. Companies likely will be required to file a report with federal and local authorities in order to submit a claim.
Scott Hazy is a partner in the Financial Reporting and Assurance department at Bennett Thrasher, Atlanta. Justin Snell is a director in the firm’s Dispute Valuation and Forensics practice. For more information, call (770) 396-2200 or visit btcpa.net.