The Australian property and construction sector handles project transactions often measured in millions of dollars, engages extensive sub-contractor networks, and relies on project management and document management platforms that represent attractive targets. Invoice fraud in particular is a persistent threat — the volume and size of legitimate payments create opportunity for fraudulent diversions.
Invoice Fraud in Property and Construction
A fraudulent progress claim for $850,000 that appears to come from a sub-contractor looks very similar to the real thing when an attacker has compromised either the sub-contractor's email or the principal's email. The frequency and scale of legitimate transactions mean that a single successful fraudulent claim can cause significant loss before the fraud is detected. Verification of account changes — direct callback to a known number — is the control that breaks this attack.
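The callback control described above, sketched as an added example (not from the original page or any accounts-payable product): a progress claim is released only when its bank details are already verified, and changed details count as verified only after a callback to the number held on file before the request arrived. The `Vendor` record, its field names and all sample values are hypothetical and constructed.

```python
import re
from dataclasses import dataclass, field


def digits(value: str) -> str:
    """Normalise '000-001' / '000 001' style formatting to bare digits."""
    return re.sub(r"\D", "", value)


@dataclass
class Vendor:
    """Hypothetical vendor-master record; the field names are assumptions."""
    name: str
    bsb: str
    account: str
    phone_on_file: str  # captured at onboarding, never copied from a claim or email
    verified: set = field(default_factory=set)  # (bsb, account) pairs confirmed so far

    def __post_init__(self):
        self.verified.add((digits(self.bsb), digits(self.account)))


def record_callback(vendor, bsb, account, number_dialled, confirmed):
    """Accept new bank details only after a callback to the number already on file."""
    if not confirmed or digits(number_dialled) != digits(vendor.phone_on_file):
        return False  # a call to a number supplied with the change request proves nothing
    vendor.verified.add((digits(bsb), digits(account)))
    return True


def payment_decision(vendor, claim):
    """Return 'RELEASE', or 'HOLD: ...' when the payee account is unverified."""
    if (digits(claim["bsb"]), digits(claim["account"])) in vendor.verified:
        return "RELEASE"
    return f"HOLD: unverified bank details, call {vendor.phone_on_file} (number on file)"


# Constructed sample data: not real companies, accounts or phone numbers.
vendor = Vendor("Example Formwork Pty Ltd", "000-001", "1234 5678", "02 5550 0100")
genuine = {"amount": 850_000, "bsb": "000001", "account": "12345678"}
diverted = {"amount": 850_000, "bsb": "000-002", "account": "8765 4321",
            "contact_phone": "0491 570 006"}  # number supplied by the sender

if __name__ == "__main__":
    print(payment_decision(vendor, genuine))
    print(payment_decision(vendor, diverted))
    # Calling the number on the claim itself does not lift the hold.
    record_callback(vendor, diverted["bsb"], diverted["account"], diverted["contact_phone"], True)
    print(payment_decision(vendor, diverted))
```

The hold is keyed to the payee account rather than the sender, so it applies whether the compromised mailbox belongs to the sub-contractor or to the principal.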
Project Management Software Risks
Platforms like Procore, Aconex, Autodesk Construction Cloud, and similar tools aggregate project documentation, communications, and financial information. They are cloud-based, internet-accessible, and in many deployments have permissive access controls that allow subcontractors and consultants to see more than they need. Security configuration reviews for these platforms are often neglected.
Supply Chain Exposure
A construction project supply chain may involve dozens of sub-contractors, suppliers, consultants, and regulatory interfaces. Each represents a potential entry point for a BEC or ransomware attack. A cyber incident affecting a key sub-contractor or project management platform can disrupt a project regardless of the principal's own security posture.
What should property developers and builders prioritise for security?
Invoice fraud prevention procedures for all financial instructions. MFA on all systems including project management platforms. Email security configuration (SPF, DKIM, DMARC) preventing impersonation of company domains. Staff training on BEC patterns specific to construction — particularly sub-contractor impersonation and progress claim fraud. Regular review of access to project management platforms.



