The construction sector’s rapid move towards digital tools, remote access and cloud collaboration has widened its exposure to cyber threats. Construction firms rely heavily on technology to manage projects, yet many still have limited cyber maturity. The combination of tight deadlines, multiple stakeholders and high-value contracts makes the impact of any disruption especially severe.
People and supply chains remain the weakest links
Phishing attacks and business email compromise (BEC) scams rank among the most prevalent and financially devastating cyber incidents affecting UK construction businesses. A single email can wreak financial and operational havoc in construction firms.
Both phishing and BEC rely on social engineering and weak security controls, and their impact can be substantial, affecting not just the company’s bottom line but also project delivery, staff morale and client relationships.
Phishing
In a sector where site workers and office teams operate multiple systems and devices, the phishing risk is amplified. Phishing is often the first step in a broader attack. Criminals send emails purporting to be from colleagues, clients or suppliers to get recipients to unwittingly click on malicious links or enter login credentials.
Construction firms should protect themselves with a combination of user awareness, system hardening and preventative technology, including:
- multi-factor authentication;
- AI-powered email filtering;
- role-specific training;
- phishing email simulations sent internally to train staff to spot a scam;
- suspicious email response protocols;
- access review of shared drives.
Business email compromise (BEC)
BEC attacks involve criminals either spoofing or compromising legitimate business email accounts to manipulate financial transactions.
BEC scams can be prevented by strengthening both process integrity and digital controls, such as:
- segregation of duties;
- verification of payment requests;
- secure executive accounts;
- finance control policy;
- executive security workshops;
- fraud response plan.
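The "verification of payment requests" control above, and the spoofed-sender risk described under Phishing, can both be backed by a simple pre-payment check. The script below is an added illustration, not code from the original article or from Moore Kingston Smith: it holds a constructed vendor master record (the only trusted source of bank details), flags any inbound payment-change request whose bank details differ from that record, and flags sender domains that are unknown or are lookalikes of a trusted supplier domain. All domains, sort codes and account numbers are made-up sample values.

```python
"""Pre-payment verification check (added example; all data is constructed)."""
from dataclasses import dataclass
import unicodedata

# Constructed vendor master record: the only trusted source of bank details.
# In practice this is the ERP / accounts-payable system, never the email itself.
VENDOR_MASTER = {
    "acme-steel.example": {"sort_code": "12-34-56", "account": "11112222"},
    "brick-co.example": {"sort_code": "65-43-21", "account": "99998888"},
}

# Rough mapping of digits commonly substituted for letters in lookalike domains.
# Used only for comparison, never to rewrite the real sender address.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    """Lower-case, Unicode-normalise and fold common confusable characters."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances indicate a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_trusted_domain(domain: str) -> tuple[str, int]:
    """Return the trusted vendor domain nearest to the sender domain and its distance."""
    norm = normalise_domain(domain)
    return min(
        ((trusted, levenshtein(norm, normalise_domain(trusted))) for trusted in VENDOR_MASTER),
        key=lambda pair: pair[1],
    )


@dataclass
class PaymentRequest:
    sender: str      # From: address of the request email
    sort_code: str   # bank details the email asks finance to pay to
    account: str


def assess_payment_request(req: PaymentRequest, max_distance: int = 2) -> tuple[str, list[str]]:
    """Decide whether a request can be released or must be held for an
    out-of-band callback to the supplier. Returns (decision, findings)."""
    findings: list[str] = []
    domain = req.sender.rsplit("@", 1)[-1].lower()

    if domain in VENDOR_MASTER:
        record = VENDOR_MASTER[domain]
        if (req.sort_code, req.account) != (record["sort_code"], record["account"]):
            findings.append("bank details differ from vendor master record")
    else:
        trusted, dist = closest_trusted_domain(domain)
        if dist <= max_distance:
            findings.append(
                f"sender domain {domain!r} is a lookalike of trusted {trusted!r} (edit distance {dist})"
            )
        else:
            findings.append(f"sender domain {domain!r} is not a known vendor")

    decision = "hold_for_callback" if findings else "release"
    return decision, findings


if __name__ == "__main__":
    samples = [
        PaymentRequest("ap@acme-steel.example", "12-34-56", "11112222"),   # matches master
        PaymentRequest("ap@acme-steel.example", "12-34-56", "55556666"),   # changed account
        PaymentRequest("ap@acme-stee1.example", "12-34-56", "11112222"),   # digit 1 for letter l
        PaymentRequest("ap@unknown-builder.example", "00-00-00", "00000000"),
    ]
    for s in samples:
        print(s.sender, "->", assess_payment_request(s))
```

A "release" result only means the request agrees with the record on file; a request that passes this check can still come from a genuinely compromised supplier mailbox, which is why any change to bank details should be confirmed by phone on a number already held on file, never by replying to the email. The edit-distance threshold and the confusable-character table are deliberately small here and would be tuned to the firm's real supplier list.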
The business impact is immediate and costly
Cyber incidents in construction can halt projects, trigger contract penalties and damage reputations. Lost productivity, payment delays and recovery costs quickly add up. These risks affect cash flow and delivery schedules, meaning cyber security should be viewed as a commercial and operational priority rather than an IT issue.
Even strong defences can be breached, so the ability to recover quickly is just as important as prevention.
Governance and accountability are key
Overall message
There is a clear connection between people-driven attacks (phishing and email compromise) and operational disruptions (ransomware and third-party failures). Together, they underline that managing cyber risk in construction requires a joined-up approach, combining awareness, robust controls and strong governance across every stage of project delivery.
For practical, tailored support from a cyber security team that understands the construction sector, contact Maritz Cloete, Director of Cyber and IT Assurance Services, Moore Kingston Smith.
*the views expressed are the authors’ and not ICAEW's