Threat Intelligence & Incident Response
Contracting services were the second-most-reported non-critical sector in the FBI's 2025 ransomware data. The two exposures that actually hurt a construction firm — project downtime and progress-payment wire fraud — and how to close them.
Most construction owners don't think of themselves as a cyber target — which is exactly why attackers like them. In the FBI's 2025 Internet Crime Report, contracting services were the second-most-reported non-critical-sector industry for ransomware complaints — 17% of more than 1,400 such complaints, behind only legal services (FBI IC3 2025 Annual Report). A construction firm carries two distinct exposures at once, and both show up on the cyber-insurance application. This guide covers what they are and how to close them — without turning your office into an IT department.
For a contractor, the expensive day isn't a data breach — it's the day work stops. Ransomware that reaches your estimating, project-management, scheduling, or accounting systems doesn't just lock files; it freezes the machinery of the business while payroll, subcontractor obligations, deadlines, and liquidated-damages clauses keep running.
The path in is usually mundane. A field laptop that moves between jobsites and the office network. An old, internet-facing system nobody has patched because it runs a piece of equipment or a legacy estimating tool. Verizon's 2026 Data Breach Investigations Report found that software-vulnerability exploitation is now the single most common way attackers get in, at 31% of breaches — overtaking stolen passwords for the first time (Verizon DBIR). For a construction firm, that translates directly to the unpatched and end-of-life software scattered across offices and jobsites.
The second exposure is financial, and it's the same mechanic that makes title companies a target: business email compromise (BEC) that diverts a progress payment or draw. Construction moves money in large, scheduled chunks, and the people approving them are juggling field issues and vendor emails. An attacker who sits in a compromised mailbox waits for a draw request, then sends altered banking details at exactly the right moment.
The money is usually gone before anyone notices the account number changed. There's no malware to detect — just a believable email and a process that didn't verify.
The good news: a short list of controls covers both exposures, and they're the same controls cyber carriers now require of contractors.
Two pressures are converging. First, general contractors and project owners increasingly require subcontractors to carry cyber insurance and attest to a security posture before they'll award work — so security has become a bidding requirement, not just a precaution. Second, the carriers writing those policies ask about exactly the controls above: MFA, managed detection, tested backups, funds-transfer verification, and end-of-life software.
The controls that win you the policy are the controls that prevent the loss. That's the whole argument — there's no separate "compliance theater" here.
The fastest path is to treat the funds-transfer controls and the endpoint/EOL work as one project. That's how Obsidian Ridge runs it for contractors and the trades — see the Construction & the Trades security page for how the payment-verification controls and managed detection line up against both the threat and the carrier's questions.
If you'd rather start by finding the gaps, the Cyber Insurance Readiness Sprint maps your current state against the controls underwriters score in a fixed-scope, seven-business-day engagement — and produces the documented process and evidence you submit with the application.
Contractors are a top ransomware target and a prime BEC target, and the loss in this vertical is measured in stopped projects and diverted draws, not just stolen records. Verify every payment out-of-band, get managed detection on the office and field systems, retire the end-of-life software — and document it once for the project owner and the carrier.
Seen a fake-invoice or draw-redirect attempt and want it to stay a near-miss? Book a contractor cyber-risk assessment.
Last updated
June 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Yes, more than most owners realize. In the FBI's 2025 Internet Crime Report, contracting services were the second-most-reported non-critical-sector industry for ransomware complaints — 17% of more than 1,400 such complaints, behind only legal services. Attackers know a stopped project still has payroll, deadlines, and penalty clauses running.
Business email compromise that diverts a progress payment or draw. An attacker compromises an email account, watches a project's billing cycle, and sends altered banking details right before a large payment. It's the same mechanic that hits title companies — large, scheduled transfers are the target.
Two things first: out-of-band verification on every payment and bank-detail change (call a known number before money moves), and managed detection and response on the office and field systems that run estimating, project management, and accounting. After that, an inventory of end-of-life software and unmanaged jobsite devices, because internet-facing outdated software is both a breach path and a failing cyber-insurance answer.
Increasingly yes — and general contractors and project owners now often require it by contract. Carriers ask about MFA, managed detection and response, tested backups, funds-transfer verification controls, and whether you're running unsupported end-of-life software. The same controls that satisfy the application are the ones that prevent the loss.
Related reading
A practical first-24-hours ransomware checklist for small businesses: isolate systems, preserve evidence, call the right parties, and avoid the panic moves that make recovery worse.
Read articleHow BEC and wire-fraud unfold in CPA firms — refund redirect, payroll wire interception, vendor payment scams — and the controls that catch the chain before the wire leaves.
Read articleHow BEC and wire fraud actually unfold in a dental practice — the supplier-impersonation pattern, the inbox-rule trick, the controls that catch it, and what to do in the first 4 hours.
Read article