Construction firms and specialty trades operators sit at a distinctive intersection of high-value payment flows, complex multi-party project coordination, and historically low IT investment. Subcontractor payment redirect fraud, where an attacker impersonates a subcontractor's billing contact to redirect a progress payment or final draw, has become one of the fastest-growing sub-categories of Business Email Compromise loss the FBI's Internet Crime Complaint Center tracks. Similar patterns appear in Canadian construction sector advisories.
This is a summary of what LeakTrace consistently observes when scanning small and mid-sized construction firms, general contractors, HVAC / plumbing / electrical firms, and specialty trades operators in Canada and the United States, written for firm owners, project managers, controllers, and the commercial insurance brokers writing construction E&O and builders' risk.
A construction project involves the general contractor, dozens of subcontractors, materials suppliers, engineers, architects, the owner, the owner's lender, and often bonding companies. Every progress draw, every subcontractor payment, every materials invoice moves through this multi-party email chain. Any single credential compromise in any single party opens a plausible impersonation vector. The complexity is the vulnerability.
Where the exposure concentrates
Email authentication is almost never configured properly
DMARC configuration on the firm's business domain is the exception rather than the rule across the construction firms we scan. The consequence is direct: the firm's own @contractorname can be spoofed to send fraudulent payment instructions to subcontractors, materials suppliers, or the project owner. Missing DMARC is the technical enabler of the majority of documented subcontractor payment redirect fraud losses.
Project management platforms are a growing attack surface
Cloud-hosted platforms (Procore, Autodesk Construction Cloud, PlanGrid, Buildertrend, CoConstruct) hold bid documents, project financial data, subcontractor payment schedules, and often integration credentials to the firm's accounting system. Platform breaches cascade to every firm using the platform. Self-hosted or on-premise deployments common in older firms are frequently running unpatched, exposed via remote-access ports.
Bid document confidentiality is often not enforced
Sensitive bid documents, contractor pricing, and subcontractor rate cards frequently sit in shared cloud folders with permissive access, sometimes accessible via link-share to former staff. In competitive bidding environments this is a direct commercial exposure independent of any cyberattack.
Owner and controller personal exposure is discoverable
Construction firm owners and controllers are typically discoverable across state contractor licensing board records, corporate registry filings, property registries, and data broker sources. This aggregation is used to construct plausible impersonation attacks against project managers or accounts payable staff.
What this means, by role
For firm owners and controllers
The controls that close the majority of common exposures are boring, cheap, and well-documented. The gap is not knowledge. It is nobody's job. A forensic audit surfaces the picture. A structured remediation sprint closes it. Continuous monitoring keeps it closed. The cost is trivial relative to a single successful subcontractor payment redirect, which routinely exceeds $100K per incident.
For commercial insurance brokers writing construction books
Underwriters are increasingly requiring email authentication posture, credential-exposure evidence, and documented payment verification procedures before quoting construction E&O, builders' risk, and cyber. Brokers who surface these gaps before renewal win the deeper relationship.
For construction M&A advisors and trades roll-up consolidators
Trades roll-ups (HVAC, plumbing, electrical, roofing) at above $2M enterprise value are running cyber diligence as standard practice. Findings become re-pricing arguments or trigger required remediation before close. Sellers who run their own diligence preserve their negotiating position.
The path forward
Small and mid-sized construction firms sit at an inflection. Subcontractor payment fraud is rising, cyber insurance underwriting rigor is rising, and trades consolidation velocity is rising. Firms that address exposure early protect their project margins, their insurability, and their eventual sale price.