Pick Up the Phone to Protect Payments from Phonies

Author: Tara Hobel

On January 15, 2024, the City of Greater Sudbury (“Sudbury”) filed a lawsuit against two unknown persons and several Canadian banks to freeze and recover $1.5 million stolen during a December 21, 2023 spear phishing scam. The incident arose from an invoice payment to new general contractor Flex Modular of the Lorraine Street Transitional Housing project that is delivering 40 units of affordable housing in Sudbury.

The fraudsters infiltrated the business email account of a Flex Modular senior project manager and intercepted an email chain between the owner of the construction project, Sudbury, and the general contractor. The scam artists hijacked the email chain undetected by both Sudbury and Flex Modular and substituted their own EFT details in the invoice payment instructions for the construction project. Sudbury then wired the substantial invoice payment to a bank account sourced from the convincingly spoofed business email of the general contractor’s senior project manager.

In May 2019, the City of Burlington was the victim of a similar phishing email scam, albeit with an unnamed vendor, and sent $500 thousand to a falsified bank account requested in the prima facie legitimate business email of its vendor.

The two instances above highlight the growing sophistication of spear phishing emails and the necessity of phoning the recipient of a wire transfer to confirm the wire details rather than relying on email, which is susceptible to hijacking whether you are an independent contractor, a multi-million-dollar general contractor, a city, or a small business owner.

Lawyers are also targeted by fraudsters trying to intercept emails with clients and substitute falsified bank account details belonging to the scam artists. The Law Society of Ontario, which regulates lawyers, has its own guidelines advising lawyers on how to avoid falling victim to spear phishing and email spoofing. One of the best methods is to use a reliable phone number to call the recipient and confirm their identity and the wire transfer details! Especially in the context of a construction project, it does not matter if the person is a senior officer, a project manager, an accountant, or an assistant: anyone’s identity can be stolen and their official business email address spoofed.

Construction projects are complex and already carry legal risk without the added complication of litigating invoice payments stolen by sophisticated scam artists. In a growing digital world, it is important to stay wary of electronic money transfers and to outwork criminal agents by introducing multiple verification methods, such as phoning the recipients of all payments.

Construction lawyers are aware of this growing security issue and Construct Legal is equipped with the diligence and vigilance necessary to help your construction projects proceed smoothly. As Harry Potter’s Alastor Moody always counsels: “constant vigilance!”