As construction becomes more and more digitized and internet connected, the threat landscape is evolving right alongside it. At Pinkard Construction, we take security seriously and protecting our client and partner data is a top priority. Scams these days are sophisticated. Gone are the days when the most malicious email was easy to spot due to poorly constructed sentences and a complete and total lack of construction knowledge and nomenclature. Today’s scams are exceedingly sophisticated and the result of attackers doing their homework and studying the AEC industry. With that in mind, we wanted to highlight some of the things we’ve seen and the best ways to spot them.
Always spot check the email address next to the sender’s name. Email headers can be manipulated, and the sender’s first and last name can be changed to appear to be someone you know and trust despite the email address being completely wrong. The email address could be something unrecognizable or it could be something common like a Gmail address. Either way, when you receive an email claiming to be from Pinkard Construction, you can be sure that the email address shown next to the sender’s name will end in @pinkardcc.com.
Look for abnormalities in recognized email addresses. Attackers are getting even more clever and they know that a Gmail address is easier to spot. A more sophisticated attacker will register a domain that is very similar to the correct one. We’ve seen attackers register pinkradcc.com (notice the subtle misspelling). The attacker then sends email from an address at that domain. In that case Pinkard is never even in the loop, and a recipient who begins responding to an email from that faked domain will unknowingly be communicating directly with the attackers. In these cases, if you’ve missed the subtle email address fake, which is easy to do, think about the content…
Look for odd, financially related requests. Always call a known employee at Pinkard to confirm all requests, via email or USPS mail, that communicate a change to Pinkard’s payment/banking information. Also, Pinkard will never email you requesting EFT or credit card info.
Be wary of unsolicited attachments. We routinely see incoming RFPs, invoices, and other unexpected items sent randomly from a legitimate email account we recognize from past business dealings. Typically this is a result of a compromised email account and the attachment usually contains links or instructions that guide the recipient to a malicious website. These websites will try to get you to enter your password into them or try to get you to download and install something that will infect your computer.
Never respond to a suspicious email. If you recognize something strange, it’s best to call the person in question to confirm. If you respond to the email, you can’t be sure if the intended recipient will even get it. It may very well be the attacker that receives your response and responding may tip them off that they’ve been discovered or cause them to adjust.
We are your partners in this new and ever-changing time. If you ever have a concern, please reach out to us. We have a team of dedicated professionals that are always ready to lend a hand in exposing and thwarting threats to our customers and partners. Stay safe out there, everyone!