Australian construction businesses are attractive targets for construction payment fraud because every project creates a stream of progress claims, supplier invoices, hire charges and subcontractor payments. When a scammer compromises one email account or changes one bank account field, the loss can be immediate.
The wider numbers are already serious. The National Anti-Scam Centre reported that Australians lost $2.03 billion to scams in 2024, while the Australian Signals Directorate reported almost $84 million in self-reported business email compromise losses for the 2023-24 financial year.
For builders, civil contractors, trade businesses and construction finance teams using Xero, the risk is not abstract. It often appears as a normal invoice, a familiar subcontractor email or a routine request to update BSB and account details.
In this article:
- What is construction payment fraud?
- Why Australian construction businesses are high-value targets
- How BEC becomes construction payment fraud
- Where fraud enters the Xero payment workflow
- How to prevent construction invoice fraud
- Related Reading
- Conclusion
What is construction payment fraud?
Construction payment fraud is any attempt to redirect, steal or manipulate payments in a construction business. It can involve fake invoices, supplier impersonation, altered bank details, duplicate claims, compromised email accounts or internal approval misuse.
In construction, the common version is invoice redirection. A scammer compromises a supplier, subcontractor or internal email account, then sends a real-looking invoice with new payment details.
The invoice may be for work that was genuinely completed. The project manager may approve it because the amount and job number look right. The finance team may enter or pay it because the supplier is already known.
That is what makes construction invoice fraud hard to spot. The fraud does not always look like a strange invoice from an unknown business. It can look like a normal progress claim with one changed field.

The risk sits between cyber security and finance operations. Email compromise starts the attack, but weak accounts payable controls often let the payment leave.
This is why construction firms need both secure systems and payment controls that fit how projects actually run.
Why Australian construction businesses are high-value targets
Construction payment fraud works because the building industry has the exact conditions scammers want: large payments, many suppliers, urgent deadlines and frequent changes.
A professional services firm might pay a small group of recurring suppliers each month. A construction business may pay electricians, plumbers, concreters, scaffolders, equipment hire companies, materials suppliers, consultants and labour hire providers across several projects at once.
That creates more opportunities for a fake invoice or altered bank account request to slip through.
High-value payment runs. Even a small subcontractor progress claim can be worth tens of thousands of dollars. A single successful payment redirection can hurt cash flow, project margins and supplier relationships.
Complex supplier networks. Construction finance teams often deal with new subcontractors, one-off project suppliers and changing site contacts. It is harder to rely on memory when the supplier list keeps moving.
Urgent project pressure. Payment issues can delay materials, labour or site access. Scammers exploit that pressure with messages such as “please pay today so work can continue tomorrow”.
Split approval chains. The person approving the work may be on site, while the person entering the bill is in the office and the person releasing payment is a director or finance manager. Fraud hides in the gaps between those roles.
Email-heavy processes. Many construction approvals still happen through emailed PDFs, forwarded payment requests and informal sign-offs. Business email compromise turns those habits into payment risk.
The ACCC's Scamwatch statistics portal continues to track false billing and payment-related scam categories. Those categories matter for construction because invoice fraud and payment redirection usually arrive through normal accounts payable channels.
How BEC becomes construction payment fraud
Business email compromise, or BEC, is often discussed as a cyber problem. In construction, it becomes a finance problem when a compromised email leads to a changed payment instruction.
A typical attack chain looks like this:
- A scammer compromises a subcontractor, supplier or internal email account.
- They monitor invoice conversations, project emails and payment timing.
- They send a message with changed BSB and account details, or attach an altered invoice.
- A staff member updates the supplier record in Xero or prepares a payment using the new details.
- The money leaves the business before anyone realises the supplier was not paid.
The email may not contain spelling mistakes or obvious red flags. If the attacker has access to the real mailbox, they can reply in the right thread, copy the right tone and reference the right project.
That is why “train staff to spot phishing” is useful but not enough. Finance teams need controls that assume a convincing email can still be fraudulent.

Construction firms should treat every bank detail change as a high-risk event, even when it comes from a known supplier.
A subcontractor changing bank accounts just before a Friday payment run should trigger a verification step. So should a supplier asking for payment to a new account after months of consistent payment history.
For a broader explanation of the underlying scam type, see our guide to payment redirect fraud.
Where fraud enters the Xero payment workflow
Xero gives finance teams a clear accounting workflow, but it does not remove the need for human verification. If fraudulent bank details are entered into the supplier record, future payments can continue to go to the wrong account.
The main risk points are predictable.
New supplier creation
New subcontractors and project suppliers are common in construction. If a supplier is created in Xero from an emailed invoice without independent verification, the first payment may already be exposed.
A safer process is to verify the supplier's ABN, trading name, bank details and contact details before the first payment is scheduled.
Supplier bank account changes
Bank detail changes are the highest-risk point in the workflow. A genuine supplier may change accounts, but scammers know finance teams are used to receiving these requests by email.
Never verify a bank change using the phone number or email signature in the change request. Use a previously known number from the contract, supplier master file or earlier verified record.
Bill entry and approval
A bill can match the project, purchase order or progress claim and still contain fraudulent payment details. Site approval confirms the work or materials. It does not confirm the bank account.
Finance teams should separate operational approval from payment detail verification.
Payment batch review
Before releasing a payment batch, review any new supplier, changed bank account, unusually large amount or urgent exception. This is especially important where ABA files or manual bank transfers are prepared outside Xero.
User permissions
If too many users can create suppliers, edit bank details and approve bills, the control environment becomes fragile. Small teams still need separation of duties, even if one person wears several hats.
Our Xero user permissions security guide explains how to reduce unnecessary access without slowing every finance task.
How to prevent construction invoice fraud
Preventing construction invoice fraud is less about one perfect tool and more about repeatable controls. The goal is to make risky changes visible before payment is released.
1. Treat bank detail changes as exceptions
Every new or changed supplier bank account should be treated as an exception, not an admin update.
Require a call-back using a trusted number. Record who verified the change, when they verified it and what source they used.
2. Separate invoice approval from payment verification
A project manager can confirm that work was completed. They should not be the only control over where the money goes.
Finance should verify bank details and supplier identity separately from operational approval.
3. Restrict who can edit supplier records
Limit supplier creation and bank detail editing in Xero to people who need that access. Review permissions regularly, especially when staff change roles or external bookkeepers support the file.
If a user can add suppliers, edit bank details, approve bills and prepare payments, a single compromised account can create a serious weakness.
4. Review payment batches before release
Before each payment run, scan for red flags:
- New suppliers receiving first payments.
- Existing suppliers with changed bank details.
- Round-dollar payments that do not match usual claim patterns.
- Duplicate invoice numbers or repeated amounts.
- Urgent payment requests outside the normal cycle.
- Invoice layouts or remittance details that have changed.
This review does not need to delay every supplier. It should focus attention on the handful of payments where fraud risk is higher.
5. Document exceptions
If a payment is rushed, a bank change is accepted or a supplier record is updated outside the normal process, document why.
Good documentation protects the business later. It also helps finance managers identify patterns, such as the same project team repeatedly bypassing controls.
6. Use alerts for supplier changes
Manual review works until the team is busy, someone is on leave or a payment run happens under pressure. Alerts can help by making supplier bank detail changes visible as they happen.
That matters in construction because timing is everything. A bank change detected before payment can be stopped. A bank change noticed during reconciliation may be too late.
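As an added illustration (not code from the original article or from OutflowGuard), the following Python script applies the red-flag checks from step 4 and the bank-change detection from step 6 to a constructed payment batch. It compares two snapshots of the supplier master file, treats a changed BSB or account as cleared only when a call-back record exists from a trusted source dated on or after the change (step 1), and also flags the case where the user who edited the bank details is the one preparing the batch. The data structures, supplier names, user names, dates and amounts are all assumptions constructed for the example; they are not a Xero export or API format.

```python
"""Pre-release screen for a payment batch.

Added example: the supplier and payment records below are constructed for
illustration and do not represent a Xero export or API response.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Where a call-back number may come from and still count as trusted
# (never the phone number or signature in the change request itself).
TRUSTED_SOURCES = {"contract", "supplier master file", "earlier verified record"}


@dataclass(frozen=True)
class Supplier:
    name: str
    bsb: str
    account: str
    bank_changed_on: date | None = None   # date the bank fields were last edited (assumed audit field)
    bank_changed_by: str | None = None    # user who edited them (assumed audit field)


@dataclass(frozen=True)
class Verification:
    """Record of a call-back: who verified, when, and where the number came from."""
    supplier: str
    verified_by: str
    verified_on: date
    source: str


@dataclass(frozen=True)
class Payment:
    supplier: str
    invoice_no: str
    amount: float
    urgent: bool = False   # requested outside the normal payment cycle


def bank_changes(previous: dict[str, Supplier], current: dict[str, Supplier]) -> set[str]:
    """Names of suppliers whose BSB or account differs between two snapshots."""
    return {
        name for name, sup in current.items()
        if name in previous
        and (previous[name].bsb, previous[name].account) != (sup.bsb, sup.account)
    }


def change_is_verified(sup: Supplier, verifications: list[Verification]) -> bool:
    """A change is cleared only by a call-back from a trusted source made on or after the change."""
    return any(
        v.supplier == sup.name
        and v.source.lower() in TRUSTED_SOURCES
        and sup.bank_changed_on is not None
        and v.verified_on >= sup.bank_changed_on
        for v in verifications
    )


def screen_batch(previous, current, batch, verifications, prepared_by):
    """Return (invoice_no, reason) flags for a batch; an empty list means nothing to hold."""
    flags = []
    changed = bank_changes(previous, current)
    seen_invoices: set[tuple[str, str]] = set()
    seen_amounts: set[tuple[str, float]] = set()
    for p in batch:
        sup = current.get(p.supplier)
        if sup is None:
            flags.append((p.invoice_no, "supplier not in master file"))
            continue
        if p.supplier not in previous:
            flags.append((p.invoice_no, "first payment to new supplier"))
        if p.supplier in changed:
            if not change_is_verified(sup, verifications):
                flags.append((p.invoice_no, "bank details changed without trusted call-back"))
            if sup.bank_changed_by == prepared_by:
                flags.append((p.invoice_no, "same user edited bank details and prepared batch"))
        if p.amount >= 1000 and p.amount % 1000 == 0:
            flags.append((p.invoice_no, "round-dollar amount"))
        if (p.supplier, p.invoice_no) in seen_invoices:
            flags.append((p.invoice_no, "duplicate invoice number"))
        seen_invoices.add((p.supplier, p.invoice_no))
        if (p.supplier, p.amount) in seen_amounts:
            flags.append((p.invoice_no, "repeated amount for same supplier"))
        seen_amounts.add((p.supplier, p.amount))
        if p.urgent:
            flags.append((p.invoice_no, "urgent request outside normal cycle"))
    return flags


# Constructed sample: last week's supplier snapshot versus today's.
SNAPSHOT_LAST_WEEK = {s.name: s for s in [
    Supplier("Northside Electrical", "062-000", "12345678"),
    Supplier("Bayside Concrete", "033-000", "87654321"),
    Supplier("Apex Scaffolding", "013-000", "11112222"),
]}
SNAPSHOT_TODAY = {s.name: s for s in [
    Supplier("Northside Electrical", "062-000", "12345678"),
    # changed this week by the user who also prepares the batch, no call-back on file
    Supplier("Bayside Concrete", "484-799", "55556666", date(2025, 5, 8), "jo.finance"),
    # changed and then verified by call-back to the number in the signed contract
    Supplier("Apex Scaffolding", "014-000", "33334444", date(2025, 5, 1), "sam.admin"),
    Supplier("Metro Labour Hire", "082-000", "99990000"),   # new this week
]}
VERIFICATIONS = [Verification("Apex Scaffolding", "sam.admin", date(2025, 5, 2), "contract")]
BATCH = [
    Payment("Northside Electrical", "INV-2041", 18450.50),
    Payment("Bayside Concrete", "PC-07", 42000.00, urgent=True),
    Payment("Apex Scaffolding", "INV-311", 9870.00),
    Payment("Metro Labour Hire", "LH-1001", 12320.00),
    Payment("Northside Electrical", "INV-2041", 18450.50),   # entered twice
]

if __name__ == "__main__":
    for invoice, reason in screen_batch(SNAPSHOT_LAST_WEEK, SNAPSHOT_TODAY, BATCH, VERIFICATIONS, "jo.finance"):
        print(f"HOLD {invoice}: {reason}")
```

Run against the sample, the script holds the Bayside Concrete claim four times over (unverified bank change, same user edited and prepared, round-dollar amount, urgent), holds the first payment to Metro Labour Hire, and catches the re-entered Northside invoice, while the Apex Scaffolding change passes because a trusted call-back was recorded after the change. The point of the snapshot comparison is that it works from data the finance team already holds; replacing `bank_changed_on` and `bank_changed_by` with whatever your accounting system actually records is the first adaptation needed.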

7. Know what to do if something looks wrong
If your team sees a suspicious bank change or believes a fraudulent payment was made, move quickly.
- Pause any related payments.
- Contact your bank immediately and ask about recall options.
- Call the supplier using a trusted number, not the number in the suspicious email.
- Preserve the email thread, invoice, payment record and Xero audit history.
- Report the incident through ReportCyber and Scamwatch where appropriate.
- Review Xero permissions, email access, MFA and supplier records before the next payment run.
Do not wait for the next reconciliation cycle if a supplier says they have not been paid. In payment redirection fraud, recovery chances often depend on speed.
Related Reading
- What Is Payment Redirect Fraud?
- Detect Supplier Bank Changes in Xero
- The Finance Manager's Monthly Fraud Detection Checklist
Conclusion
Construction payment fraud succeeds when finance teams are forced to move quickly without reliable checks around supplier changes and payment details. The building industry will always involve complex projects, urgent payments and changing subcontractor lists, so the answer is not to slow every payment to a crawl.
The better approach is to make high-risk changes visible, require independent verification and protect the points where money can be redirected.
For Australian construction businesses using Xero, that means tighter user permissions, documented call-back checks, payment batch review and alerts when supplier bank details change. OutflowGuard helps finance teams monitor those changes, add dual approval and catch risky payment activity before funds leave the business.