Duration

60 minutes
Medium

Interactive-Video
Suitable for

Private User / Employee

Phishing, ransomware and invoice fraud prevention for the construction industry.

Write your awesome label here.

How to detect sophisticated phishing emails which bypass your firewall or secure email gateway
How to detect fake emails from compromised suppliers
How to detect fraudulent WhatsApp and SMS messages
How to detect malware such as ransomware delivered by One Drive, Google Drive, BIM Collaborate, SharePoint and Egnyte
How to detect data and credential-stealing malware
How to detect fraudulent links purporting to be from services such as AutoDesk and Procore.
The invoice fraud tricks cyber criminals are using in 2025.
A substantial number of ransomware attacks start with phishing emails

Lower your Risk of Operational Downtime
A cyber attack can have a crippling effect on your operations, making essential design, project management and safety documentation inaccessible. All of which, can substantially delay your existing and future projects.

Protect your Sensitive Data
Many cybercriminals now release exfiltrated data into the public domain. Team members trained in phishing awareness are much better placed to protect your contract, planning, employee and financial information.

Lower your Risk of a Ransomware Attack
Many ransomware attacks start with phishing as the initial attack vector. Cybercriminals know that architecture, engineering, and construction firms rely heavily on IT, making them prime targets.

Be Compliant
Be compliant with standards such GDPR, ISO27001, NIS2 and DORA.

Enable Multi-Factor Authentication—not just on email accounts but also on BIM Connect, email marketing applications, cloud storage services, and, of course, password managers.

Perform regular backups—Create frequent backups of local machines or VMs. Make sure that some backups are air-gapped from your network. Ransomware groups often program their ransomware software to encrypt or delete your backups.

Keep devices, operating systems, and applications up-to-date. Patch them as soon as an update is released.

Perform network monitoring - Use a tool like Palo Alto Cortex to monitor suspicious connections.

Use robust passwords. Robust passwords can thwart brute-forcing attacks for initial entry, making it more difficult for hackers to move laterally across your network.

Enable Google Drive data loss prevention—Most organisations forget this preventative measure. By enabling Google Drive's data loss prevention feature, you can help prevent sensitive data from leaving your organisation via shared links.

End-user security awareness training—Security awareness is essential. Many phishing campaigns bypass secure email gateways and end-point detection software. And it’s not just about email. Cybercriminals now extensively use SMS, WhatsApp, and even old-fashioned telephone calls to socially engineer your team. Moreover, your users look after credentials, which are the keys to your network or email system. Your users are the last line of defence. They are your greatest asset in defending your organisation—security awareness is perhaps one of the most significant investments you will ever make.

SecureClick recently encountered a rather unfortunate case of a consulting engineering firm that lost a rather lucrative business contract due to a supply chain attack. What happened? One of their employees got “phished.” A cybercriminal sent them a SharePoint file containing data-stealing malware that captured their email account password. The cybercriminal gained control of the employee’s email account. This hijacked email account was then used to propagate ransomware to other firms and individuals in their M365 global address book. Unfortunately, a construction company (with which the mechanical engineering firm had a long-standing and lucrative relationship) fell prey to the attack. One of their employees believed that because the email was from a trusted source, its attachment was safe to open. With numerous systems (servers, PCs and laptops) maliciously encrypted, the construction firms' operations were significantly curtailed by this incident. The event soured the relationship between the two firms. After years of project cooperation, the construction selected a different engineering firm some months later.

At SecureClick, we bring cybersecurity awareness to life with an engaging narrative—no cartoons, no cheesy voiceovers. Why does this work? People forget isolated chunks of information security facts. People remember information when it is put in the context of stories. This means, your employees will remember what they saw or heard when facing a real-life security decision.

Atlantic Point Construction and Consulting Engineers is a fictitious company. However, the threats it faces are based on real-life threats targeting the construction industry in 2025.

Dispelling user misconceptions about information security is fundamental to effective security awareness training. Over the years, SecureClick has spoken to dozens of hacking victims, and the same security misconceptions keep reappearing. These misconceptions must be addressed because beliefs and attitudes are strongly correlated to behaviours. In our interactive training, using plain English, we dispel these misconceptions with clear explanations and real-life examples, substantially lowering your organisation's human IT risk.

This email is designed to test how your employees would respond to an internal phishing attack. This occurs when the sender is known to the recipient. Here, the cybercriminal is using a hijacked email account of an ex-Atlantic Point employee and impersonating the employee. This type of email is dangerous because it will bypass controls such as secure email gateways. Your employees are the last line of defence here. This email is designed to test whether they can identify a phishing email (even though it’s from a known sender and known email address) and test their reaction to a “curiosity lure” – in this case, a link to a SharePoint file.

Cybercriminals impersonating IT staff is a common problem. This is especially true for new hires (cybercriminals often being keen monitors of LinkedIn) unfamiliar with their new workplace's systems and protocols. A message like this will also catch users because some users are still unfamiliar with Caller ID spoofing techniques.

This email tests how employees react to an “internal phishing” email. The sample scenario above uses a credible pretext and a reasonably strong curiosity lure. In our interactive training, many employees will admit to opening such an email, especially if the sender's email address appears valid. Cybercriminals commonly use this type of email, especially when an ex-employee's email account has not been adequately revoked. The OneDrive link will either lead to a credential-stealing portal set up by the cyber-criminal or result in the user inadvertently downloading data-stealing malware. This can culminate in data exfiltration, invoice fraud or ransomware.

Case Study
How a Dublin-based consulting engineering firm made its team more resilient against phishing and impersonation attacks.

Our client, a consulting engineering firm that designs vital facilities such as wastewater management systems for local authorities across Ireland wanted to lower its human IT risk.

Challenge:
Several of their UK and European peer organisations experienced ransomware and sophisticated invoice fraud attacks. As a digital-first firm, much of their work was now performed on Cloud-based platforms (such as Autodesk and Office 365), and they were concerned about the effects of a cyber-breach event on their operations and reputation. They recognised that their main clients (local authorities) were concerned about supply chain attacks. Just one of their firm’s email accounts getting hijacked could result in the exposure of confidential information and the compromise of a local authority client. They also realised that such a cyber-breach event could seriously jeopardise future business relations.

Concerns
The firm received some very “obvious” phishing emails, SMS and WhatsApp messages. However, not all of these communications were that obvious. Some of these messages referenced specific staff members and some impersonated software vendors (such as AutoDesk and Procore). For example, on one occasion, an employee got a message followed up by a WhatsApp message purporting to be from the CEO about a payment transfer. Even more worrying was that none of these communications was flagged by their email gateway or the in-built detection tools of their Microsoft 365 collaboration platform. They were aware that even if one of these malicious communications was successful, it could lead to a crippling ransomware attack which would delay current and future projects. Not only would such an incident damage their reputation and result in sensitive data being potentially exposed, but delayed projects would not be long in negatively impacting on cashflows.

Approach
We liaised with their in-house IT team to investigate any further threats they experienced. Our threat assessment revealed that ransomware, data exfiltration and business email compromise were their most significant threats. The vectors for these attacks were primarily email, text messaging and vishing (telephone-based social engineering)

Training
Using our Human Cyber Risk Susceptibility Survey (HCRSS), we first determined their employees' underlying cyber risk attitudes and beliefs. The results of which revealed some interesting findings.
1) Over 43% of employees believed that threat actors would not target them but rather their colleagues in the finance department or boardroom instead.

2) Over 68% of their employees reported that communications (such as email and SMS) from cloud-based platforms such as Microsoft 365 were “very secure”. Many employees believed threat actors would find it difficult to impersonate due to Microsoft's security controls.
3) Over 55% of their employees believed emails from colleagues or suppliers are “very safe when you know the sender”.

The results were concerning. Their employees held some IT security misconceptions, which left their firm vulnerable. First and foremost was the issue of cyber threats and a lack of relevancy. It was perfectly understandable why employees in some departments believed they would not be a target for cybercriminals. However, we showed them how “lateral movement” works during our training using real-life case studies. We showed them how just one compromised email account can result in a cybercriminal reaching the master switch (domain controller) of their network and enabling data exfiltration and ransomware attacks.

Their employees also placed a lot of trust in notifications from cloud collaboration platforms such as Microsoft 365 and AutoDesk. In so-called “Living off the Land” (LOTL) attacks, cybercriminals commonly exploit services such as Forms, OneDrive, SharePoint and BIM360 to steal credentials and propagate malware. We deconstructed some real-life Lotl attacks to show their employees how easily these “trusted” services can be exploited. We showed them how threat actors can exploit the trust of services such as OneDrive, MS Forms, SharePoint and DocuSign to propagate data-stealing malware and facilitate credential theft.

Internal phishing and account takeover (ATO) attacks pose a significant problem for firms in the AEC sector. A study from IBM found that up to 40% of phishing attacks now involve “internal phishing”. However, our survey found that a significant cohort of this consulting engineering firm’s employees believed that emails from known senders were “very safe”. We showed employees the fundamentals of such attacks and real-life case studies of how employees in peer firms got caught out.

Putting their Cyber Security Learnings into Practice
A vital part of our Human DTECTR training system is knowledge transfer and getting participants to apply what they have learned to real-life scenarios actively. For this, we used our CyberGame. During this tabletop exercise, employees assume the role of hackers. Using Zoom's breakout rooms feature, participants were broken into teams. Each team was given the name of a fictitious consulting engineering firm and told to hack them using social engineering. Participants received prompt sheets with various attack mechanisms (simplified) and social engineering pretexts. This brings learning to life and gets employees thinking about the multi-threaded techniques which treats actors use in real-life attacks, which is often difficult to convey over e-learning platforms.

Results
Our post-training Human Risk Cyber Susceptibility Survey results reveal a demonstrative improvement in employee resilience. Only 12% of employees believed they would not be a cybercriminals target. 23% of employees now reported cloud-based platforms such as Microsoft 365 as “very secure.”. 14% believed emails from colleagues or suppliers are “totally safe because I know the sender.” Furthermore, their internal IT team noticed that employees were much more likely to report suspicious incidents. This reporting of suspicious incidents increased from just 12% to 29%. The firm’s management could now prove to their key customers concerned about supply-chain attacks that their team had undergone security awareness training, giving them confidence for future business cooperation. Knowing that their employees now had a greater sense of accountability and were better able to spot threats, which evaded their technical defences allowed their IT teams and management to sleep a little sounder at night.