Cyber Crime and Construction – The Risk Most Builders Don’t See Coming

This post was published on 29 Jan, 2026

When most construction business owners think about risk, they think about contract disputes, weather events, defective workmanship, staff injuries, or material price escalation. What they often don’t think about is cyber crime.

In August 2021, the email account of a Waikato-based building firm was hacked, and cyber criminals sent fake payment instructions to clients, resulting in nearly $150,000 being misdirected to fraudulent accounts.

It’s now more than 4 years since that attack, so just think about how much more advanced the hackers’ capabilities will have become in that time. Yet how much have you improved your ability to guard against attacks in that time?

Cyber attacks are now one of the fastest-growing and most financially damaging threats facing New Zealand construction businesses — from sole traders through to large commercial contractors.

Construction firms are being targeted not because they’re “tech companies”, but because they’re soft targets that frequently handle high-value transactions such as deposits, progress payments and supplier invoices.

Why Construction Businesses Are Being Targeted

Construction businesses present an attractive profile for cyber criminals:

  • Large supplier payment runs
  • Frequent vendor account changes and additions
  • Project-based invoicing
  • Reliance on email instructions
  • Tight deadlines and busy teams

In other words — the perfect environment for mistakes.

The Most Common Successful Cyber Attacks

1. Invoice Interception & Payment Redirection (Business Email Compromise)

Criminals gain access to an email account and monitor communications. At the right moment, they send a “changed bank account” instruction. One diverted progress payment can mean six-figure losses.

2. Supplier Impersonation Fraud

A fake email that looks almost identical to one from a real supplier requests urgent payment. With AI tools, these emails can now replicate the tone, grammar and writing style of your regular supplier contacts with frightening accuracy.

3. Payroll Diversion

Staff receive an email “from the director” requesting an urgent transfer. AI-generated language makes it convincing. Pressure and urgency do the rest.

4. Ransomware

Systems are locked, files encrypted, and access denied until payment is made. For builders mid-project, the operational disruption alone can be crippling — even before ransom demands.

The Role of AI in Modern Cyber Crime

Artificial intelligence has dramatically changed the game.

  • AI can now analyse public websites, LinkedIn profiles, Companies Office records, and social media to craft highly personalised scam emails.
  • It eliminates the spelling errors and clumsy language that used to be warning signs.
  • It can replicate writing tone and structure, making fake emails nearly indistinguishable from genuine ones.
  • Deepfake voice technology is now being used to imitate senior managers in voice notes.

At the same time, cyber crime has become increasingly outsourced. Attackers purchase “cyber crime as a service” — ready-made phishing kits, ransomware packages, and stolen credentials on the dark web. The barrier to entry is low, and the scale is global.

This is no longer a lone hacker in a basement. It is organised, commercialised crime.

The Financial Impact

Unlike physical theft, cyber losses can occur in minutes and often go undetected for days.

Most cyber losses are not covered under traditional material damage, crime, or liability policies. Cyber risk requires specific cyber insurance cover. These policies typically come with 24/7 emergency support, where a team of professionals will help you minimise the loss and get you back up and running as quickly as possible.

“We’re in the Cloud — So We’re Safe.” Not Quite

One of the most common statements we hear from construction business owners is:

“We use Xero and Google Drive. Everything’s in the cloud. We’re protected.”

Cloud-based systems like Xero are excellent platforms. They are secure, well-maintained, and professionally managed. But here’s the key point:

Cloud software protects the infrastructure — it does not automatically protect your business from cyber crime.

What does this mean practically?

Basically, hackers don’t need to break into Xero; they just need to break into you.

Most successful cyber attacks on construction businesses are not sophisticated system breaches. They are:

  • Stolen email logins
  • Phishing attacks
  • Fake supplier instructions
  • Compromised passwords

If a criminal gains access to your email account, they don’t need to “hack Xero”. They can:

  • Intercept invoices
  • Send fake bank account changes
  • Approve payments
  • Reset passwords

While your cloud software may be secure, your login credentials may not be.

If a team member uses the same password across multiple sites, or clicks on a phishing link, the cloud provider cannot prevent that. The breach often occurs at the user level, not the platform level.

Four Practical Steps to Reduce Your Risk

While no system is perfect, strong controls dramatically reduce exposure.

1. Introduce Mandatory Payment Verification Protocols

Any change to supplier bank details must be verbally verified using a trusted phone number — not one provided in the email.

2. Enable Multi-Factor Authentication (MFA)

MFA on email accounts alone can prevent a significant percentage of business email compromise attacks.

3. Train Your Team

Cyber awareness training is no longer optional. Staff must understand phishing, urgency tactics, and verification procedures.

4. Backups & Incident Response Planning

Maintain secure, offline backups and have a documented response plan. Ask your IT provider: what cyber threat expertise do they have? Can they respond quickly to assist you with any breach? IT providers themselves are an increasingly common vector for cyber criminals to access their customers’ systems.

Construction risk is evolving

Weather events, contractual disputes, and site accidents remain real — but cyber crime is now sitting quietly in the background of every construction business in New Zealand.

The builders who treat cyber risk with the same seriousness as site safety will be the ones who avoid becoming tomorrow’s case study.

If you’re unsure how exposed your business is, it may be time to assess your cyber resilience — before someone else does.


Written by Ben Rickard

Ben Rickard is the director of construction-focused risk advice and insurance firm Builtin Insurance Brokers. He is based in Tauranga and travels nationwide visiting customers, giving presentations and consulting on construction risk matters.
