TL;DR

  • Construction is a high-value cybercrime target: Large contract values, complex payment chains with dozens of subcontractors, project data worth millions, and historically weak security make construction businesses prime targets for invoice fraud, ransomware, and tender manipulation.
  • Metricon Homes confirmed ransomware in 2024: Australia's largest home builder suffered a confirmed Qilin ransomware attack, with employee data published on the dark web — demonstrating that even Australia's biggest construction companies are vulnerable.
  • Payment redirection and invoice fraud cost Australian construction businesses millions per year: With payments flowing to dozens of subcontractors on a single large project, a single redirected payment can mean $50,000–$500,000 transferred to attackers with no recovery path.
  • Compliance obligations are growing: Large construction firms working on government infrastructure projects must meet increasing cybersecurity expectations under the Protective Security Policy Framework (PSPF) and as critical infrastructure suppliers under the SOCI Act. Privacy Act obligations apply to all firms with turnover above AUD $3 million.

Why Construction Businesses Are Cybersecurity Targets

Australia's construction industry — worth over AUD $360 billion and representing approximately 9% of GDP — is an attractive target for cybercriminals for reasons that are deeply structural. Construction projects involve massive contract values, complex multi-tier payment chains (head contractors, subcontractors, sub-subcontractors, suppliers), and payment schedules that create frequent legitimate reasons to change banking details — the exact scenario that payment redirection fraud exploits. At any given time, a major construction project may have 50+ subcontractors receiving regular payment, each with their own invoicing email addresses that can be spoofed or compromised. Building Information Modelling (BIM) files for major infrastructure projects — bridges, hospitals, data centres, defence facilities — contain proprietary engineering designs worth millions and, for sensitive government projects, national security implications. The Webber Insurance breach list confirmed that in August 2024, the Qilin ransomware gang attacked Metricon Homes — Australia's largest home builder — posting employee details to the dark web. The construction sector's vulnerability is compounded by a workforce culture that prioritises speed and site productivity over security hygiene: BYOD (bring your own device) on-site, shared logins to project management platforms, and minimal IT security investment are common across small-to-mid-sized builders and contractors. The OAIC's January–June 2024 NDB report recorded 527 notifications — with 38% attributable to cyber security incidents — and construction businesses, while not always reporting separately, are embedded in the supply chains of finance, property, and professional services firms that do appear prominently.


The Top 3 Cybersecurity Threats for Construction

1. Payment Redirection Fraud and Business Email Compromise (BEC)

Payment redirection fraud — also called Business Email Compromise (BEC) in its email-based form — is the most financially damaging and most common cyber threat for Australian construction businesses. The attack exploits the construction industry's normal operating pattern: subcontractors regularly update their banking details, project managers approve invoices from dozens of suppliers, and payment authorisation processes are often informal and email-based. Attackers compromise either the subcontractor's email account or the head contractor's, then send a convincing "updated banking details" email that redirects the next payment to an attacker-controlled account. By the time the fraud is discovered — often weeks later when the genuine subcontractor follows up on a late payment — the funds have been laundered through multiple international accounts. Single incidents routinely result in losses of $50,000–$2M. For a subcontractor who has not been paid, the impact can be catastrophic — and the head contractor faces both a legal claim and a reputational crisis. The Australian Competition and Consumer Commission's Scamwatch data consistently shows payment redirection fraud as one of the highest-loss cybercrime categories for Australian businesses, with construction particularly overrepresented.

2. Ransomware Targeting Project Files and Management Systems

Ransomware attacks on construction businesses encrypt project management platforms, BIM files, CAD drawings, contract documents, and financial systems — halting the ability to manage active construction projects and meet project milestones. For a builder managing multiple concurrent projects, ransomware downtime means: sub-trades cannot receive updated drawings, materials cannot be ordered, progress claims cannot be submitted, and project managers lose access to schedules and contract documents. The financial impact accumulates quickly: liquidated damages clauses in construction contracts penalise delays at fixed daily rates, and missed progress claim submissions can create immediate cash flow crises. The Metricon Homes ransomware attack by the Qilin group in 2024 — which resulted in employee data being published on the dark web — demonstrated that even Australia's largest residential builders are not immune. Smaller builders and contractors face the same threat with far fewer resources to respond. The ASD's Annual Cyber Threat Report 2024–25 confirmed that ransomware frequency and financial losses both increased throughout FY2024–25.

3. BIM and Tender Data Theft

Building Information Modelling (BIM) files and tender documentation represent millions of dollars of design and engineering investment. For sensitive government projects — defence facilities, critical infrastructure, secure government buildings — BIM data may also have national security implications. Attackers targeting construction businesses may steal BIM files to: sell to competitors who can win similar work with lower costs; provide foreign intelligence services with building data for sensitive government facilities; or hold for ransom knowing that a government client's project data cannot be publicly released. Tender fraud is also an increasing concern: attackers who gain access to a head contractor's tender preparation system can learn competitors' pricing, manipulate bids, or target sub-trade suppliers with fraudulent invitations to quote. Supply chain attacks on construction project management platforms (Procore, Aconex, Cheops) represent a growing threat — if a widely-used platform is compromised, it provides simultaneous access to hundreds of construction projects.


Compliance Requirements for Construction

Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)

Construction businesses with annual turnover above AUD $3 million must comply with the Privacy Act. Employee personal information, HR records, subcontractor data, and client information are all protected under the APPs. APP 11 requires reasonable security steps; the Notifiable Data Breaches (NDB) scheme requires notification to the OAIC and affected individuals if a breach is likely to cause serious harm. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) increased maximum penalties to AUD $50 million for serious or repeated breaches.

Protective Security Policy Framework (PSPF) — Government Projects

Construction businesses working on Australian Government building projects — particularly facilities with security classifications — must meet cybersecurity requirements set out in the PSPF. This includes securing project documentation, managing access to building plans and design files, and ensuring subcontractors in the supply chain meet minimum security standards. Failure to comply with PSPF requirements can result in disqualification from government project panels.

Security of Critical Infrastructure Act 2018 (SOCI Act) — Infrastructure Projects

Construction companies building critical infrastructure assets — power stations, water treatment facilities, transport infrastructure, data centres, hospitals — may have SOCI Act obligations as the primary or secondary operator during the construction phase. Project owners must manage cybersecurity risks during construction, and the construction contractor may be required to meet specific security standards for systems used on-site.

Building Code and WHS Obligations

Cybersecurity breaches affecting automated building systems — HVAC controls, fire suppression systems, access control systems, safety monitoring — during construction create workplace health and safety risks. If a cyber incident contributes to a construction site injury, WHS regulators may investigate. This is an emerging but real risk as construction sites increasingly use IoT sensors and automated systems.

Cyber Security Act 2024

From 30 May 2025, construction companies with turnover above AUD $3 million must report ransomware payments to the ASD within 72 hours. This obligation catches most mid-to-large builders, head contractors, and civil construction companies.


The lilMONSTER Security Checklist for Construction

Use this checklist to assess your construction business's security posture. These controls directly address the payment fraud, ransomware, and data theft risks specific to the construction industry:

  1. Implement a mandatory verbal verification process for all banking detail changes — This single control prevents the majority of payment redirection fraud. Any request to change a supplier, subcontractor, or employee's banking details — regardless of how it arrives — must be verified by calling the requesting party on a phone number already on file (not a number provided in the request email). Document this process, train all staff with payment authority, and make it non-negotiable. No exceptions for urgency.

  2. Secure your project management platform with MFA and access controls — Platforms like Procore, Aconex, and Cheops hold your entire project universe. Enable MFA on all accounts, apply role-based access controls (project managers see only their projects, subcontractors see only their relevant documentation), and review and revoke access as project personnel change. Compromised project management platform credentials are a high-value target for attackers.

  3. Protect BIM files and tender data with encryption and access controls — Apply access controls so only authorised personnel can access BIM files, tender documents, and engineering drawings. For government or sensitive projects, consider encryption at rest and audit logging of all file access and downloads. Classify project documents by sensitivity and apply controls accordingly.

  4. Enable MFA on email — every account, no exceptions — Email compromise is the primary enabler of both payment fraud and ransomware delivery. MFA on Microsoft 365 or Google Workspace is free (included in standard subscriptions) and blocks over 99% of automated credential-stuffing attacks. This should be done today, before any other security control.

  5. Train all staff on payment fraud and phishing — annually at minimum — Construction businesses have high staff turnover, contractors on-site, and diverse workforces. Annual phishing training and payment fraud awareness training must be practical and role-specific: project managers need to know about fake subcontractor invoice emails; accounts staff need to know about banking detail change fraud; site managers need to know about phishing attacks using project-related lures.

  6. Implement encrypted offsite backups of all project files — Ransomware on a construction business can be existential if project files cannot be recovered. Maintain daily backups of all project files, contract documents, and BIM data in an isolated backup system that ransomware on your network cannot reach. Test restoration quarterly. Ensure backups cover both cloud project management platforms (via data export/API) and local/server-based file stores.

  7. Vet subcontractor cybersecurity practices for major projects — Your subcontractors' compromised email accounts can be used to target you. For large projects (over $5M contract value), include basic cybersecurity requirements in subcontractor agreements: MFA on communication email accounts, a verification process for banking changes, and incident notification obligations. This is both a security control and a contractual risk management measure.
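As an added illustration (not code from this page or from lilMONSTER), the following Python models the banking-detail-change control in item 1, with the spoofed-sender and supplied-number warning signs from items 1 and 7 applied to each request. The vendor record, company name, phone number and account details are constructed, hypothetical data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master record for illustration only (hypothetical company and details).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Northside Formwork Pty Ltd",
        "domain": "northsideformwork.com.au",
        "phone_on_file": "+61 2 9000 0001",
        "bsb": "062-000",
        "account": "12345678",
    },
}

@dataclass
class ChangeRequest:
    vendor_id: str
    sender_email: str
    new_bsb: str
    new_account: str
    phone_in_request: Optional[str] = None  # number the email itself offers for "confirmation"

@dataclass
class CallbackVerification:
    called_number: str   # number the accounts officer actually dialled
    confirmed_by: str    # staff member with payment authority who made the call

def _digits(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())

def risk_flags(req: ChangeRequest) -> list:
    """Indicators drawn from the request itself. They inform the call; they never replace it."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    flags = []
    if vendor is None:
        return ["unknown vendor id"]
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        flags.append("sender domain differs from vendor domain on file")
    if req.phone_in_request:
        flags.append("request supplies its own callback number")
    return flags

def apply_change(req: ChangeRequest, verification: Optional[CallbackVerification]) -> dict:
    """Return the updated vendor record, or raise if the callback rule was not followed."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        raise ValueError("unknown vendor id")
    if verification is None:
        raise ValueError("banking details not changed: no verbal verification recorded")
    if req.phone_in_request and _digits(verification.called_number) == _digits(req.phone_in_request):
        raise ValueError("callback used the number in the request, not the number on file")
    if _digits(verification.called_number) != _digits(vendor["phone_on_file"]):
        raise ValueError("callback did not go to the phone number on file")
    # The master record is not mutated here; the caller persists the returned copy.
    return dict(vendor, bsb=req.new_bsb, account=req.new_account,
                verified_by=verification.confirmed_by)
```

The flags are only a prompt for the accounts officer; the change goes through solely on a recorded call to the number already on file.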


How Much Does Cybersecurity Cost for a Construction Business?

Prevention costs for a mid-sized Australian construction company (50–200 employees, AUD $20M–$200M annual revenue):

  • Email security and MFA deployment: AUD $3,000–$10,000 per year (included in Microsoft 365 Business Premium or Google Workspace with Workspace Security add-ons, plus setup costs).
  • Staff phishing training platform: AUD $3,000–$8,000 per year.
  • Project management platform security hardening: AUD $2,000–$10,000 one-time, plus $2,000–$5,000 annual.
  • Managed endpoint protection and monitoring: AUD $15,000–$40,000 per year for a managed service covering site laptops, tablets, and office systems.
  • Annual security assessment and penetration testing: AUD $8,000–$25,000.
  • Total annual investment: AUD $30,000–$80,000 for solid baseline security.

A single payment redirection fraud event typically costs AUD $50,000–$500,000 — often more than an entire year's security budget. Ransomware that halts project management for one week can cost:

  • Liquidated damages for delays: $10,000–$100,000 per day depending on contract terms.
  • Lost progress claim revenue: Often $500,000–$5M for a large project.
  • Incident response costs: $20,000–$150,000.
  • OAIC regulatory consequences: Up to AUD $50M for serious privacy breaches.

For most construction businesses, the business case for cybersecurity investment is clear: preventing a single major fraud event more than pays for years of security controls.


FAQ

For a small Australian builder (under 20 employees), a solid security baseline costs AUD $5,000–$15,000 per year, covering MFA on email, endpoint protection, encrypted backups, and basic staff training. For mid-sized builders (20–100 employees), budget AUD $20,000–$60,000 per year. The most important controls — MFA on email and a verbal verification process for payment changes — cost almost nothing to implement and prevent the most common and costly attacks.

Payment redirection fraud (Business Email Compromise) is the most financially damaging threat for Australian construction businesses. The high volume of payments to subcontractors, combined with frequent legitimate requests to update banking details, creates ideal conditions for attackers to intercept and redirect payments. A single redirected payment can result in losses of $100,000–$2M. The solution is simple: implement a mandatory verbal verification process for any banking detail change, using a phone number already on file — not a number in the request email.

ISO 27001 certification is not currently mandatory for most Australian construction businesses, but it is increasingly expected for: government building projects and panel arrangements (particularly PSPF-classified projects), large commercial clients with vendor security requirements, and as evidence of reasonable steps under the Privacy Act. For head contractors tendering for government infrastructure projects (transport, health, education) or defence facilities, ISO 27001 certification can be a competitive differentiator and is likely to become a procurement requirement as the government's cybersecurity standards tighten.

Annual penetration testing is recommended for construction companies with digital project management systems, cloud file storage, and online accounting platforms. A penetration test for a construction business should cover: email systems (the primary attack vector for payment fraud), project management platform configurations, cloud storage access controls, and accounting software. For firms working on government or defence projects, penetration testing may be required as part of the engagement.

The consequences depend on what data was affected. If personal information about employees, subcontractors, or clients was compromised, you must assess the breach and notify the OAIC and affected individuals within 30 days if serious harm is likely. From 30 May 2025, any ransom payment must be reported to the ASD within 72 hours if your turnover exceeds AUD $3 million. For project delays caused by a ransomware event, construction contracts with liquidated damages clauses will impose daily penalties — and arguing "cyber attack" as a force majeure event is not straightforward. The reputational impact with clients, subcontractors, and government procurement panels can be lasting. Cyber liability insurance is strongly recommended to cover incident response costs, legal fees, and regulatory fines.


References

[1] Webber Insurance Services, "List of Data Breaches and Cyber Attacks in Australia 2018–2026," Webber Insurance, 2026. [Online]. Available: https://www.webberinsurance.com.au/data-breaches-list

[2] Australian Signals Directorate, "Annual Cyber Threat Report 2024–25," ASD/ACSC, Canberra, Australia, October 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[3] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Report: January to June 2024," OAIC, September 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024

[4] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[5] Australian Competition and Consumer Commission (ACCC), "Scamwatch Annual Report 2023–24," ACCC, Canberra, Australia, 2024. [Online]. Available: https://www.scamwatch.gov.au/research-and-resources/statistical-data

[6] Australian Government, "Protective Security Policy Framework," Attorney-General's Department, 2024. [Online]. Available: https://www.protectivesecurity.gov.au

[7] Australian Government, "Privacy and Other Legislation Amendment Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au

[8] Australian Government, "Cyber Security Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au

[9] Procore Technologies, "2024 Construction Technology Report," Procore, 2024. [Online]. Available: https://www.procore.com/resources/construction-technology-report

[10] Master Builders Australia, "Cybersecurity in Construction — Industry Guidance," Master Builders Australia, 2024. [Online]. Available: https://www.masterbuilders.com.au


Need help securing your Construction business? Book a free consultation with lilMONSTER — we specialise in cybersecurity for Australian builders, contractors, and engineering firms.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
