SuptChapman_NEBRC-9 (2)

Construction firms are being targeted by cyber criminals with fake invoices and bank details as part of a sophisticated fraud netting more than £100m a year in the UK.

Mandate Fraud, also known as Payment Diversion Fraud (PDF) and Business Email Compromise (BEC), tends to affect businesses and customers where electronic financial transactions are common place, such as the construction industry.

Criminals will contact businesses or customers via email, usually claiming to be from a company that the business or customer has been dealing with. They will request a payment to be made via fake but very plausible invoices, or payment details to be changed.

It is estimated that mandate fraud costs the UK more than £100m annually, with the average loss per business around £27,700. In 2019 alone, 3,577 reports were reported to the police. One historical mandate fraud cost a single construction company £1.1m.

The scams are becoming ever more sophisticated with the criminals often creating fake e-mail addresses which are very similar or identical to genuine business, down to the e- signatures and disclaimers. These directs payments from businesses and customers go straight into the criminal’s bank account where it is quickly moved on. The scammers do their homework and will often go to extraordinary lengths to mimic their victim’s online presence and email branding.

The NEBRC – North East Business Resilience Centre – which advises businesses on how to prevent such fraud are currently advising across the construction sector including prevention, recovery from an attack and putting in robust IT protection.

Supt Rebecca Chapman (pictured) , head of the not-for-profit NEBRC, said: “Mandate fraud aimed at construction businesses is becoming more commonplace as the nature of the sector with complex supply chains, multiple third-party contractors and a fast-moving work environment often meaning there’s little time to double check authentic looking requests that come in on email.

“But the construction industry needs to be aware of this threat and ensure they have robust systems and checks in place. The NEBRC can advise businesses who don’t know where to start with audits to check current security measures, IT enhancements and, most importantly, staff training. It only takes a split second for a member of staff to unwittingly allow a mandate fraud to take place, and the criminals will take no time at all to move any monies on from genuine customers and bank accounts.”   


Tom is the managing director of a successful medium-sized construction-based firm with a £3m turnover based in Yorkshire:

“I operate a small construction-based business and we have a reasonable customer base; we’ve been trading a long time and had all the relevant standard industry protection you would expect for a company our size. We thought we were safe.

“We had a customer who owed us a substantial amount of money and when we were chasing them for our monthly payment they announced they had already paid us – which they hadn’t.

“It turned out, they showed us an email purporting to be our offices that was instructing them to change our payment banking details and they paid our monthly payment into someone else’s bank account on what seemed to be our instruction. We realised this was a very serious situation that can affect anybody. We never thought we were vulnerable to this sort of thing, and obviously it causes an awful lot of stress, undue heartache, and financial.

“We have been consulting with NEBCR who have been extremely helpful and informative on these issue and we have put  systems in place to hopefully make sure this sort of thing can’t happen again. All I would say to anybody out there is make sure this is front of mind , it can happen to you, it can happen to anyone, and it happens every day.”

Tom’s full interview can be seen here:

General advice to follow an possible attack includes:

STOP: Taking a moment to stop and think before parting with your money or information could keep you safe.

CHALLENGE: Could it be fake? It’s ok to reject, refuse or ignore any requests for your financial or personal details. Only criminals will try to rush or panic you.

PROTECT: Contact your bank immediately if you think you’ve fallen for a scam.


  • Use a strong and separate password for your email.
  • Create strong passwords using 3 random words.
  • Save your passwords in your browser.
  • Turn on two-factor authentication (2FA).
  • Update your devices.
  • Back up your data.

For further information go to the NEBRC website

Latest Issue

BDC 319 : Aug 2024