N2CON TECHNOLOGY

Construction Wire Fraud Prevention Procedure

In construction, invoice volume, subcontractor churn, and time pressure create a perfect window for fraud. This guide gives you a payment-change verification procedure (SOP) you can copy, paste, and train your team on.

Note: This is general information and not legal advice.

Last reviewed: February 2026

Executive Summary

What it is
A payment-change verification procedure designed to stop BEC-driven wire fraud in construction workflows.
Why it matters
  • Attackers target payment change moments: new job, change order, and urgent invoices.
  • Once funds move, recovery can be difficult. Prevention and fast response are key.
  • Fraud prevention is operational discipline: clear roles, verification, and exceptions tracking.
When you need it
  • You pay subcontractors, suppliers, or vendors via ACH or wire.
  • Project managers (PMs) and accounting both influence payments.
  • You have seen suspicious payment-change emails or vendor mailbox compromise.
What good looks like
  • Banking changes require out-of-band verification using a known-good number.
  • Dual approval is required for new payees and banking changes.
  • Exceptions are rare, documented, and reviewed.
How N2CON helps
  • Review and harden payment workflows without slowing projects down.
  • Implement identity and email controls that reduce compromise risk.
  • Set up monitoring and a response path so incidents are handled quickly and defensibly.

The two rules that stop most wire fraud

  1. Never accept banking changes over email without verification using a known-good contact method.
  2. Never approve urgent exceptions without a second reviewer and documented verification steps.

Related: Business Email Compromise (BEC).

Copy/paste SOP: payment change verification

Tailor this to your org. The key is that verification uses contact data you already trust.

# Construction Wire Fraud Prevention SOP (Payment Change Verification)

## Scope
Applies to: new payees, changes to vendor/subcontractor banking details, and any change to invoice remittance instructions.

## Roles
- Requester (PM / Project Admin): collects change request and supporting docs
- Verifier (AP Lead): performs out-of-band verification
- Approver (Controller / Finance Lead): approves changes above threshold and all exceptions

## Procedure
1) Log the request
   - Create a ticket or log entry with vendor name, project/job, requested change, and requester.

2) Do not use email-thread contact info
   - Do NOT use the phone number or link in the email.
   - Use the vendor master record or a previously verified contact.

3) Perform out-of-band callback verification
   - Call a known-good number and verify:
     - vendor identity
     - requested bank name and last 4 digits of the account number
     - effective date and reason for change
   - Record date/time, who you spoke with, and what was verified.

4) Require dual approval
   - Banking changes: AP Lead + Finance Approver.
   - New payee: AP Lead + Finance Approver.

5) Update vendor record
   - Update remittance details in your accounting system.
   - Attach verification notes and evidence.

## Exceptions
- All exceptions require Finance Approver sign-off and documentation.

## If fraud is suspected
- Contact bank immediately for recall/hold.
- Preserve evidence (emails, headers, ticket notes).
- Report to IC3.

Related: email authentication and MFA.
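
The SOP's steps 1 through 4 can also be enforced as a check that runs before anyone edits the vendor record. The sketch below is an added example, not part of the SOP text or of any accounting product; the record layout, role keys, and sample vendor data are constructed for illustration, and it assumes dual approval means two different people.

```python
from dataclasses import dataclass, field

REQUIRED_FACTS = {"vendor_identity", "bank_name", "account_last4",
                  "effective_date", "reason"}          # step 3 callback facts
REQUIRED_ROLES = {"ap_lead", "finance_approver"}       # step 4 dual approval

@dataclass
class ChangeRequest:                 # hypothetical record layout
    vendor_id: str
    ticket_id: str                   # step 1: where the request was logged
    email_phone: str                 # number offered in the requesting email
    callback_phone: str              # number the verifier actually dialed
    call_log: str = ""               # date/time and who was reached
    verified: set = field(default_factory=set)      # facts confirmed on the call
    approvals: dict = field(default_factory=dict)   # role -> person

def digits(phone):  # normalize to the last 10 digits (assumes NANP-style numbers)
    return "".join(c for c in phone if c.isdigit())[-10:]

def sop_violations(req, vendor_master):  # returns failed SOP steps; [] means proceed
    problems = []
    if not req.ticket_id:
        problems.append("step 1: request not logged")
    known = {digits(p) for p in vendor_master.get(req.vendor_id, [])}
    dialed = digits(req.callback_phone)
    if dialed not in known:
        src = "the email thread" if dialed and dialed == digits(req.email_phone) else "an unknown source"
        problems.append(f"step 2/3: callback number came from {src}, not the vendor master")
    missing = REQUIRED_FACTS - req.verified
    if missing:
        problems.append("step 3: not verified: " + ", ".join(sorted(missing)))
    if not req.call_log.strip():
        problems.append("step 3: call date/time and contact not recorded")
    signed = {r: p for r, p in req.approvals.items() if r in REQUIRED_ROLES and p}
    if set(signed) != REQUIRED_ROLES or len(set(signed.values())) < 2:
        problems.append("step 4: needs AP Lead and Finance Approver, two different people")
    return problems

# Constructed sample data; phone numbers are fictional.
VENDOR_MASTER = {"V-1001": ["(555) 555-0199"]}
spoofed = ChangeRequest("V-1001", "AP-482", "555-555-0142", "555 555 0142",
                        verified={"bank_name", "account_last4"},
                        approvals={"ap_lead": "dana", "finance_approver": "dana"})
clean = ChangeRequest("V-1001", "AP-483", "555-555-0142", "555.555.0199",
                      call_log="2026-02-03 10:15, spoke with vendor controller",
                      verified=set(REQUIRED_FACTS),
                      approvals={"ap_lead": "dana", "finance_approver": "lee"})
for _req in (spoofed, clean):
    print(_req.ticket_id, sop_violations(_req, VENDOR_MASTER) or "OK to update vendor record")
```

The first request fails four checks because the verifier dialed the number from the email; the second passes because the callback went to the number already on file.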

Technical safeguards that support the procedure

  • Email authentication: implement DMARC/DKIM/SPF to reduce spoofing.
  • Multi-Factor Authentication (MFA): protect email and finance accounts. See MFA guide.
  • Access governance: keep payment approval roles tight. See RBAC guide.

Related: identity foundations.

Common Questions

What is construction wire fraud?

Most construction wire fraud is Business Email Compromise (BEC): an attacker impersonates a vendor, subcontractor, or executive and pushes a last-minute change to payment instructions so funds go to the attacker.

Is this mostly a technology problem or a process problem?

Both, but process is the layer that stops fraud. Email controls and identity hardening help, but payment-change verification and dual approval are the most reliable defenses.

What should we do if we suspect we sent money to an attacker?

Treat it as urgent. Contact your bank immediately to attempt a recall, preserve evidence, and report to IC3. Time matters.

Want a wire fraud procedure your AP and PM teams will actually follow?

We can help implement verification workflows, harden identity and email controls, and set up monitoring to catch compromise early.
