
Cybersecurity for the construction industry: why contractors and developers are a target

Construction companies are a top target for invoice fraud and ransomware. Discover 5 concrete measures and up to 50% VLAIO subsidy for your security.
Image: a project manager reviews cybersecurity-sensitive building plans on a tablet at a Flemish construction site

TL;DR: Construction companies manage large financial streams, work with dozens of subcontractors and digitize at lightning speed through BIM and IoT. This makes the sector particularly vulnerable to invoice fraud, ransomware and data theft. Four out of five victims of invoice fraud in Belgium are construction companies. With concrete security measures and up to 50% VLAIO subsidy, you can protect your business without slowing down your site planning.

A construction company is not a tech company, and cybersecurity is rarely at the top of a contractor or developer’s agenda. Yet the construction industry is one of the most targeted sectors for cybercrime. The reason? Large financial transactions, a chain of dozens of subcontractors, and rapid digitization through BIM models, IoT sensors and cloud-based project portals. With an annual turnover of more than 109 billion euros and more than 107,000 construction companies in Flanders alone, the stakes are high. In this article you will read why your construction company is a target, which attacks are most common, and what measures you can already take today.

Why construction companies are an attractive target for cybercriminals

Construction companies combine several risk factors that attract cybercriminals like a magnet. First, the large financial flows: general contractors and project developers regularly process invoices of tens to hundreds of thousands of euros to subcontractors and suppliers. A single intercepted invoice with a changed account number earns a criminal more in one go than months of phishing private individuals.

Second, the fragmented supply chain. An average construction project includes architects, engineering firms, general contractors, specialized installers and material producers. The security of the entire project is only as strong as its weakest link. Attackers frequently use a less secure subcontractor as a springboard to a larger organization.

Third, operational time constraints. Construction projects operate with strict deadlines and contractual penalty clauses for delays. Ransomware that blocks access to project schedules or BIM models immediately shuts down the site. This makes the pressure to pay ransom quickly particularly high.

Finally, low cybersecurity maturity. While the construction sector is digitizing at full speed, investment in digital security lags behind. The economic squeeze compounds this: in 2024, construction in West Flanders was the sector hardest hit by bankruptcies, accounting for 23.2% of all failures. When margins shrink, cybersecurity is the first thing cut, precisely when the impact of an attack weighs heaviest.

CEO fraud and invoice fraud: the biggest risk for construction companies

Invoice fraud is by far the most lucrative form of attack in the construction industry. According to the FPS Economy, about four in five victims of invoice fraud in Belgium are construction companies. Allianz Trade’s Fraud Trend Report Benelux 2026 confirms the trend: invoice fraud has risen to 44% of all external fraud cases, and the average damage amount per victim now exceeds 20,000 euros.

How does it work in practice? A criminal infiltrates the mailbox of a subcontractor or supplier and waits for a large invoice to be sent. The account number on the invoice or in the accompanying email is changed. The prime contractor receives an invoice that looks perfectly legitimate, pays to the wrong account, and does not discover the fraud until the real supplier sends a payment reminder. By then, the money is virtually impossible to recover.

In CEO fraud, criminals pretend to be the company president. They send an “urgent” e-mail to the accounting department requesting a quick payment for an alleged acquisition or confidential project. The construction industry is especially vulnerable here: case managers are frequently unreachable at construction sites, making it more difficult to verify suspicious requests by phone.

How do you prevent it? Implement the four-eye principle for any payment above a threshold amount. Always verify account changes by phone through a previously known number, never through the number on the new invoice. Train your administration and site managers to recognize suspicious requests. Learn more about CEO fraud and deepfake variants in our article on voice cloning and deepfake fraud.

The digital construction site: new technology, new risks

The construction industry is digitizing at a rapid pace. BIM (Building Information Modeling) has become the central nervous system of modern construction projects: detailed 3D models that capture the entire life cycle of a building, from design to operation. IoT sensors monitor concrete curing, GPS trackers follow equipment, and drones provide aerial imagery for site analysis. That technology vastly increases efficiency, but it also increases the attack surface.

BIM risks: A BIM model of a sensitive building (a hospital, data center or government building) contains detailed information about all access points, security systems and technical installations. In the wrong hands, that model becomes a blueprint for physical intrusion or sabotage. In addition, subtle changes in material specifications or structural calculations can lead to long-term security problems. The international standard ISO 19650-5 provides a framework for secure information management in BIM projects, including classification of sensitive data and access controls in the Common Data Environment (CDE). In practice, few Flemish construction companies already implement this standard consistently.

IoT and connected machines: Many IoT devices in worksites are not designed with security as a priority. Sensors, drones and GPS trackers can be hacked to serve as a gateway to the corporate network. The manipulation of connected machines also poses a direct physical security risk on the worksite.

Mobile workers: Site supervisors and project managers work with tablets and smartphones in varying locations, often over unsecured networks. Without a VPN connection and centralized device management (MDM), these devices are an open door to company-sensitive data.

Ransomware in construction: lessons from Verhelst, Bouygues and BAM

Ransomware hits construction companies particularly hard, as operational downtime translates directly into missed deadlines and contractual penalties.

In October 2023, Oudenburg-based Groep Verhelst, an established West Flanders construction group, was hit by an aggressive ransomware attack. The attackers encrypted the entire network and destroyed all backup data. All computers were unusable, communication with customers was impossible, and control over inventory, production and shipments was completely lost. CEO Hans De Keyser described it as “hell.” The company refused to pay the ransom and had to keep operations running with pen, paper and old cell phones. After weeks of intense work, Verhelst was 90% operational again, but the historical photo archives were irretrievably lost. Read more details in our case study on Verhelst.

International cases confirm the pattern. In 2020, French construction giant Bouygues Construction was hit by the Maze group, which stole 200 GB of data and demanded a $10 million ransom. British contractor BAM Construct was attacked while building temporary COVID hospitals. Both cases show that cybercriminals do not hesitate to attack companies at their most vulnerable time.

The lesson is clear: backups must not only exist, but also be inaccessible to attackers. Learn how to protect your business with the 3-2-1-1 backup strategy and other preventive measures in our guide on ransomware protection.

Does your construction company fall under NIS2?

The NIS2 Directive, in force in Belgium since October 2024, has direct and indirect implications for the construction sector. Although “the construction sector” as a whole is not explicitly listed as a separate sector in the annexes, it does include many construction-related companies.

Directly under NIS2: Producers of building materials with more than 50 employees and a turnover above 10 million euros are categorized as an “important entity” (the NIS2 term) under the “Manufacturing” category. Installation companies working on energy networks, water supply or transportation infrastructure may also be directly covered.

Indirectly through the supply chain: NIS2 places an explicit emphasis on supply chain security. Essential entities such as energy companies, government agencies and transportation companies must require their contractors and suppliers to have robust cybersecurity measures in place. A contractor that cannot demonstrate that its digital security is in order risks being excluded from future tenders. For construction in West Flanders, where many companies work on government contracts and infrastructure projects, this is a concrete risk.

The obligations include a duty of care (appropriate technical and organizational measures), a duty of notification (report incidents to the CCB within 24 hours, with a follow-up notification within 72 hours), and directors’ liability. A detailed overview can be found in our NIS2 guide for Flemish companies.

Five security measures every construction company can take today

Cybersecurity doesn’t have to be complex or expensive. These five measures will help you cover the most critical risks:

1. Multi-factor authentication (MFA) on all accounts. MFA stops more than 90% of attacks via stolen passwords. Start with e-mail, project portals and financial systems. This takes little time and costs nothing extra with most software packages.

2. The four-eye principle in financial transactions. No payment above an agreed threshold leaves without a second signature. Account changes are always verified by telephone through a previously known number. This is the simplest and most effective measure against invoice fraud.

3. Separation of IT and OT networks. Make sure the office network (email, accounting) is separated from any operational systems (site cameras, IoT sensors, connected machines). This will prevent a hacked laptop from reaching the machines in the yard. Read more about this principle in our article on network segmentation.

4. Awareness training for all employees, including site personnel. Humans remain the first line of defense. Brief, hands-on training sessions (in the style of a toolbox meeting on site) on recognizing fake invoices, phishing text messages and suspicious phone calls. Consider a phishing simulation as a baseline.

5. Unbreakable backups and an incident response plan. Follow the 3-2-1-1 rule: three copies of your data, on two different media, one off-site and one immutable. In addition, establish an incident response plan so everyone knows what to do if things go wrong.
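The check described in the invoice-fraud section and in measure 2 above can be written down as a small payment-release control, so that accounting does not rely on memory under deadline pressure. The example below is an added illustration, not code from Cyberplan or from any real accounting package. Everything in it is constructed: the vendor master record, the three invoices, the phone numbers and the 10 000 euro four-eye threshold; the two IBANs are the standard documentation examples for Belgium and the UK. The IBAN mod-97 check is included only to catch typos; a fraudster's account number is a perfectly valid IBAN, which is exactly why the call-back to the number on file, not the number on the new invoice, is the decisive step.

```python
"""Payment-release control against invoice fraud and CEO fraud.

Added example, not Cyberplan's tooling. All data below is constructed:
vendor master data, invoices, phone numbers and the policy threshold.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

FOUR_EYE_THRESHOLD_EUR = 10_000.0  # constructed policy threshold; set per company


def normalize_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. Catches typos only: a criminal's account is a real
    IBAN and passes this test, so validity never replaces the call-back below."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    # Move country code + check digits to the end, map letters A..Z to 10..35
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(numeric) % 97 == 1


@dataclass
class Vendor:
    vendor_id: str
    name: str
    iban_on_file: str    # agreed at onboarding
    phone_on_file: str   # the "previously known number" used for call-backs


@dataclass
class Invoice:
    vendor_id: str
    amount_eur: float
    iban: str
    contact_phone: str   # printed on the invoice; never used to verify the invoice itself


@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)


def evaluate_payment(vendor: Vendor, invoice: Invoice,
                     callback_number: Optional[str] = None,
                     second_approver: Optional[str] = None) -> Decision:
    """Decide whether accounting may release the payment.

    callback_number: the number the clerk actually dialled to confirm a change of
    bank details (None if no call was made). second_approver: name of the co-signer.
    """
    reasons = []
    if not iban_is_valid(invoice.iban):
        return Decision(False, ["IBAN fails checksum: probably a typo, return invoice to sender"])

    if normalize_iban(invoice.iban) != normalize_iban(vendor.iban_on_file):
        reasons.append(f"bank account on invoice differs from master data for {vendor.name}")
        if invoice.contact_phone != vendor.phone_on_file:
            reasons.append("contact number on invoice also differs from master data")
        # Only a call to the number on file counts; the number on the invoice may be the attacker's
        if callback_number != vendor.phone_on_file:
            reasons.append(f"blocked: change must be confirmed by calling {vendor.phone_on_file}, "
                           "not the number on the invoice")
            return Decision(False, reasons)
        reasons.append("bank-detail change confirmed by call-back to number on file")

    if invoice.amount_eur >= FOUR_EYE_THRESHOLD_EUR:
        if not second_approver:
            reasons.append(f"blocked: amount >= {FOUR_EYE_THRESHOLD_EUR:.0f} EUR needs a second approver")
            return Decision(False, reasons)
        reasons.append(f"four-eye principle satisfied, second approver: {second_approver}")

    return Decision(True, reasons)


# --- constructed sample data (fictitious vendor and numbers) -----------------
ROOFER = Vendor("V-0042", "Dakwerken Example BV",
                iban_on_file="BE68 5390 0754 7034", phone_on_file="+32 50 000 001")

INVOICE_OK = Invoice("V-0042", 8_500.0, "BE68 5390 0754 7034", "+32 50 000 001")
# Mailbox-takeover pattern: same vendor, large amount, new (valid!) IBAN, new phone number
INVOICE_CHANGED = Invoice("V-0042", 48_000.0, "GB82 WEST 1234 5698 7654 32", "+32 470 000 002")
INVOICE_TYPO = Invoice("V-0042", 1_200.0, "BE68 5390 0754 7035", "+32 50 000 001")


if __name__ == "__main__":
    cases = [
        ("routine invoice", evaluate_payment(ROOFER, INVOICE_OK)),
        ("changed IBAN, no call-back", evaluate_payment(ROOFER, INVOICE_CHANGED, second_approver="CFO")),
        ("changed IBAN, called number on invoice",
         evaluate_payment(ROOFER, INVOICE_CHANGED, callback_number="+32 470 000 002", second_approver="CFO")),
        ("changed IBAN, called number on file, no co-signer",
         evaluate_payment(ROOFER, INVOICE_CHANGED, callback_number="+32 50 000 001")),
        ("changed IBAN, verified and co-signed",
         evaluate_payment(ROOFER, INVOICE_CHANGED, callback_number="+32 50 000 001", second_approver="CFO")),
        ("typo in IBAN", evaluate_payment(ROOFER, INVOICE_TYPO)),
    ]
    for label, d in cases:
        print(f"{label}: {'RELEASE' if d.release else 'HOLD'} - {'; '.join(d.reasons)}")
```

Running the script prints one line per scenario. Only the routine invoice and the properly verified, co-signed change are released; the changed invoice is held when no call was made, when the clerk called the number printed on the suspicious invoice, and when the second signature is missing. The point of the design is that the number on file lives in the vendor master record, which the attacker who controls the supplier's mailbox cannot edit.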

VLAIO grants for cybersecurity in the construction industry

Flemish construction companies can receive significant government support to increase their digital resilience.

The VLAIO cybersecurity improvement program subsidizes 50% of the cost of external advice and guidance. The START package (10 days) provides a quick analysis and roadmap for a net cost of about 5,400 euros after subsidy. The MEDIUM package (21 days) combines analysis with practical help with implementation, such as setting up MFA or optimizing your backup strategy. You can read more details and conditions in our article on VLAIO improvement projects.

Through the SME portfolio, small businesses can receive a 45% subsidy on cybersecurity advice and training (35% for medium-sized businesses), with a maximum of €7,500 per year.

Concrete calculation example: A cybersecurity audit of 5,000 euros costs a small construction company only 2,750 euros after the SME portfolio subsidy. A complete improvement project (START) of 10,800 euros costs 5,400 euros after the VLAIO subsidy. With these support measures, cybersecurity does not have to be an unaffordable investment.

Frequently asked questions about cybersecurity in construction

Is my construction company a target for hackers if I don’t have an IT department?

Yes. Cybercriminals actually target companies without dedicated IT security. The construction industry is especially attractive because of its large financial transactions and many subcontractors. The lack of an IT department makes your company more vulnerable, not less interesting to attackers.

Must my construction company comply with NIS2?

It depends on your operations and size. Manufacturers of construction materials with more than 50 employees may fall directly under NIS2. But even if you are not directly covered, more and more clients (government, energy, transportation) are requiring cybersecurity proofs from their contractors. The supply chain effect of NIS2 affects the entire construction supply chain.

On average, what does a cyber attack cost my construction company?

Costs vary widely, but the combination of operational downtime, recovery time, lost sales and reputational damage quickly runs into tens of thousands of euros for a medium-sized construction company. With ransomware, the total damage can reach hundreds of thousands of euros, not including any ransom paid. By comparison, a preventive cybersecurity audit costs a fraction of that.

How do I secure BIM models and project data?

Implement need-to-know access management in your Common Data Environment (CDE). Not everyone on the project needs to have access to all parts of the BIM model. Use strong authentication for project portals, back up project data regularly, and consider the guidelines of ISO 19650-5 as a framework for secure information management.

As a construction company, what grants can I get for cybersecurity?

Through the SME portfolio, you receive 45% subsidy (small business) or 35% (medium business) on cybersecurity advice and training. Through the VLAIO cybersecurity improvement program, you will receive a 50% subsidy on a guided path with an approved service provider. Both schemes are cumulative for different services.


Cybersecurity for the construction industry does not require a radical turnaround in your operations. It requires the same pragmatic approach that you apply on the job site every day: assess risks, prioritize, and improve step by step. Cyberplan helps construction companies throughout Flanders translate complex cybersecurity into concrete, manageable actions. Schedule a free consultation and find out where your company stands today.

Also read the cybersecurity guide for the manufacturing and healthcare industries.