The Victorian Building Authority (VBA) is warning builders and plumbers about a growing trend of cybercriminals targeting construction companies and their customers via business email compromise (BEC) scams.

The warning follows an Australian Cyber Security Centre (ACSC) alert, noting these emails typically target the customers of the business and will ask them to change bank account details for future invoice payments.

In a BEC scam, cybercriminals will send fraudulent emails posing as a legitimate business.

Victims assume this request is legitimate and will then send invoice payments to a bank account operated by the scammer.

These fraudulent emails may come from hacked email accounts, or cybercriminals might register domain names that are similar to legitimate companies, typically by swapping letters or adding additional characters.

All parties to construction projects should be cautious when communicating by email, particularly when discussing bank account details or invoicing.

Strategies that can be used to reduce risk during these transactions include use of a secure email account with multi-factor authentication enabled, training and awareness for staff to recognise suspicious emails and verification of payment-related requests, such as calling the sender’s established phone number or visiting them before transferring funds.

VBA Executive Director Building System Technology David Black said construction companies and their customers should remain vigilant when emailing about invoices and bank details.

“This ACSC alert is a timely reminder to companies and customers of the need to cautious when exchanging sensitive information online,” Mr Black said.

“The VBA will never ask a practitioner to give out their online passwords and if building practitioner or customer has concerns, they should seek advice from an experience cyber security professional.”

Consumers seeking more information about building and plumbing matters can find useful resources on the VBA website.