The large pipeline of construction activity in Queensland offers a tempting target for cybercriminals.
With figures of around $200 billion worth of committed and proposed infrastructure projects being reported in the lead up to the Brisbane 2032 Games, the Australian Federal Police (AFP) have issued a timely warning.
AFP Assistant Commissioner Cyber Command Richard Chin said criminals were weaponising vulnerabilities in Australia’s construction industry to steal millions of dollars via Business Email Compromise (BEC) scams, in a trend that was increasing.
Assistant Commissioner Chin said the scam involved cybercriminals impersonating a business or its employees via email to deceive victims into redirecting legitimate payments to fraudulent accounts.
“The construction sector, with its high-value transactions and complex subcontracting chains, has become an attractive target for organised cybercrime groups operating both domestically and offshore,” he said.
Assistant Commissioner Chin said no matter how legitimate a request may appear, businesses should always confirm payment instructions through a secondary communication channel, such as a trusted contact previously engaged with.
Scammers stole more than $152.6 million from Australians using BEC attacks in 2024, an increase of 66 per cent from 2023, putting BEC scams among the top three self-reported cybercrimes for business in Australia.
Assistant Commissioner Chin said cybercriminals were also using sophisticated malware to carry out BEC scams.
“These viruses infect devices when someone clicks a malicious link or opens a fake attachment. They run quietly in the background, often without triggering antivirus alerts. They capture login details for email and banking systems, giving criminals access to real business accounts.
“Once inside, criminals monitor email conversations and set up hidden rules that automatically forward or delete messages containing keywords such as invoice, purchase, or payment – helping them intercept financial communications,” he said.
“Using real email accounts, which are often spoofed to replicate the legitimate account, they send convincing invoices with fake bank details, deceiving businesses into sending money to criminal-controlled accounts.”
Assistant Commissioner Chin said these viruses were designed to avoid detection and could stay active for weeks or months, allowing criminals to plan and execute multiple attacks.
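The hidden forward-or-delete inbox rules described above leave a concrete trace that a mail administrator can audit. The following script is an added example, not code from the AFP or from the original article: it takes inbox rules exported from a mail platform (the field names mirror what Exchange Online's Get-InboxRule returns, but the exact mapping is an assumption), and flags enabled rules that forward or redirect to an address outside the organisation, delete matching mail, or file it in a folder users rarely look at, noting when the rule keys on the finance keywords the warning mentions. The rules and domains in the block are constructed sample data.

```python
"""Audit exported mailbox inbox rules for the forward/delete patterns that
BEC actors set up inside a compromised account (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Keywords the AFP warning says criminal rules trigger on.
FINANCE_KEYWORDS = ("invoice", "purchase", "payment")

# Folders commonly used to hide diverted mail from the mailbox owner
# (assumed list; extend with what your tenant actually uses).
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}

# Constructed: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example-builders.com.au"}


@dataclass
class InboxRule:
    """Subset of an exported inbox rule; field names are an assumption."""
    name: str
    enabled: bool
    subject_contains: list[str] = field(default_factory=list)
    body_contains: list[str] = field(default_factory=list)
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str | None = None


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def finance_terms(rule: InboxRule) -> list[str]:
    """Return the rule's match terms that contain a finance keyword."""
    terms = [t.lower() for t in rule.subject_contains + rule.body_contains]
    return [t for t in terms if any(k in t for k in FINANCE_KEYWORDS)]


def audit_rule(rule: InboxRule, internal_domains: set[str]) -> list[str]:
    """Return human-readable findings for one rule; empty list means nothing suspicious."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a, internal_domains)]
    if external:
        findings.append("forwards/redirects to external address(es): " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes matching messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in LOW_VISIBILITY_FOLDERS:
        findings.append(f"hides matching messages in '{rule.move_to_folder}'")
    # Finance keywords alone are normal (accounts staff filter by them);
    # they matter when combined with diversion or deletion above.
    terms = finance_terms(rule)
    if findings and terms:
        findings.append("triggers on finance keyword(s): " + ", ".join(terms))
    return findings


def audit_rules(rules: list[InboxRule], internal_domains: set[str]) -> dict[str, list[str]]:
    """Audit every rule; map rule name -> findings for rules that raised any."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample export: one benign rule, one attacker-style rule, one disabled rule.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", enabled=True, subject_contains=["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule(name=".", enabled=True, subject_contains=["invoice", "payment"],
              forward_to=["attacker-placeholder@example.net"], delete_message=True),
    InboxRule(name="Old rule", enabled=False, subject_contains=["purchase"],
              redirect_to=["someone@example.org"]),
]


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample; only the '.' rule should be reported."""
    return audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS)


if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(f"rule {name!r}:")
        for f in findings:
            print("  -", f)
```

In practice the rules would come from the mail platform's export (for Exchange Online, Get-InboxRule run across all mailboxes) and the finding list would be fed to a ticket or SIEM alert; the point is that a rule which quietly forwards or deletes mail about invoices and payments is something an administrator can look for on a schedule rather than discover after a payment has gone astray.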
He said that to defend against BEC scams, businesses should follow these best practices:
- Verify payment requests through a trusted contact, not via phone numbers or emails listed in the invoice. Even if the request comes from the business’ ‘finance team’, confirm directly with your trusted contact.
- Implement ACSC’s Essential Eight mitigation strategies to strengthen your cyber posture.
- Contact your financial institution immediately if you believe you’ve made an incorrect payment.
- Report suspicious activity to police via ReportCyber.