
How could my construction firm or supply chain be targeted by a cyber-attack?

Construction in the West Midlands in 2022

The construction industry in the region is set for a huge year as the 2022 Commonwealth Games arrives in Birmingham in the summer. The Alexander Stadium has undergone a £57 million redevelopment to prepare for the Games' arrival, and the stadium will host the opening and closing ceremony as well as other events.

This is just one of the major transformation programmes taking place across the region that are going to provide work for the construction industry for years to come. Other programmes include:

  • A £1.9 billion Smithfield scheme seeing Birmingham City Council and Lendlease in a joint venture. The development programme will create 2,000 homes and retail units with construction running for 15 years.

  • The £37 million Friarsgate Development in Lichfield which will see 82 flats, 11 town houses and 37 retail commercial units being built.

  • Midland Metro Extension - The network is expected to triple in size, connecting Wolverhampton, Birmingham, Dudley, Brierley Hill, Digbeth, North Solihull, Birmingham Airport, the NEC and HS2 with over 80 tram stops.

  • Work to the M40/M42 Interchange SMART Motorway

Every single one of these projects and programmes will have a significant supply chain, and every additional supplier is another potential point of entry for cybercriminals. One of the main and easiest ways that cybercriminals catch businesses out is phishing.


So, what is phishing?

Phishing at its most basic is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

There are many types of phishing, so you may have heard of vishing, smishing, spear phishing and whaling. The names of the individual types are not important; what matters is that you know there are multiple ways that cybercriminals will try to trick you. Over the last 2 years, you will no doubt have seen news reports about phishing scams relating to NHS COVID vaccines, and fraudulent NHS texts that send you to an authentic-looking website where they claim you have been in contact with someone who has COVID.

Sadly, cybercriminals will use current events and topics to encourage you to take action, which ultimately leads to a successful phishing attack.

What might a phishing attack look like against my building firm?

Phishing attacks against construction firms and their supply chains will look similar to attacks on businesses in other industries. The most common way that cybercriminals target construction firms is through phishing emails.

These emails will appear genuine and will seem to come from someone at a reputable organisation that is familiar to your company. Usually, the emails will ask you to take action by clicking on a link or downloading a file, and there will be a sense of urgency behind the email. If they don’t ask you to click a link, they may ask for your email address or password so that they can act on your behalf.

Please be aware that if a message contains any of the following, you MUST think before you click:

  • Urgency (“you must do this now”) – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you.

  • Authority – messages appearing to come from a boss, colleague, or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example).

  • Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”.

  • Curiosity – enticing you with something like “breaking news”.

What to do if you think you’ve been a victim of a phishing attack

Phishing emails and messages can come in all forms and often are designed to look like a service that you use or need. Here are 3 things you can do if you suspect you’ve been a victim of a #phishing attack:

  • #Take5 and check the sender’s details.

  • Always make contact using trusted details found through a reputable search engine, and avoid clicking on anything sent to you.

  • To prevent social media account takeovers, consider turning on 2-factor authentication #2FA, so any new device trying to log in or make account changes needs a second layer of security before access is given.

Help to protect your business from phishing attacks

  • Regularly upskill and educate your employees so they are able to spot the signs of a phishing attack and respond appropriately. We offer affordable cyber awareness training that is simple and easy to follow, delivered by the region’s top cyber talent through our partnership with local universities.

  • Ensure your staff know how to report a cyber-attack and feel comfortable raising an issue with senior members of staff.

  • Have a Security Policy for employees to refer to and follow so they understand how devices and software should be used within your firm.

  • Install the enterprise Outlook add-in created by the NCSC for your staff, so that they can report phishing emails directly from their mailbox.

  • Become a member of the Cyber Resilience Centre for the West Midlands for FREE and receive regular resources, toolkits, tips and support to firm up the foundations of your cyber security.

Alternatively, talk to us directly via to discuss how we could support your firm, programme and supply chain.

