The construction industry has moved aggressively toward digital procurement — online plan rooms, electronic bid submissions, and cloud-based project management. This digitization brings efficiency but also exposes firms to a category of fraud that barely existed a decade ago: bid manipulation, vendor impersonation, and payment diversion through compromised digital channels.
For general contractors and subcontractors alike, a single compromised bid or diverted payment can mean six-figure losses and damaged relationships that took years to build.
The Digital Bid Fraud Landscape
Construction procurement fraud takes several forms in the digital age:
Bid Sniping and Manipulation
Attackers who gain access to a contractor's email or project management system can view competing bids and adjust their own accordingly. In some cases, they modify a legitimate contractor's bid after submission — changing prices, scope, or terms to disqualify the actual bidder.
Vendor Impersonation
Criminals create fake identities mimicking legitimate subcontractors or suppliers. They submit bids using spoofed emails and fraudulent credentials, win work, collect advance payments, and disappear. The real subcontractor never knew their identity was used.
Payment Diversion
The most common and costly attack. An attacker compromises a subcontractor's email, then sends the GC a message: "Our bank account has changed — please update your records." The next draw or progress payment goes to the criminal's account.
Securing Your Bid Submission Process
For General Contractors Receiving Bids
- Use authenticated bid platforms (PlanHub, BuildingConnected, iSqFt) rather than email submissions
- Require subcontractor registration with verified credentials before accepting bids
- Implement bid encryption — submissions should be unreadable until the deadline passes
- Maintain a verified vendor database with confirmed contact information and banking details
- Log all bid access — know who viewed each submission and when
For Subcontractors Submitting Bids
- Never submit bids or proprietary pricing via unencrypted email
- Use platform-native submission tools rather than attachments when possible
- Enable MFA on all accounts associated with bid platforms
- Monitor your business identity — set Google Alerts for your company name + "bid" to catch impersonation
- Watermark bid documents with unique identifiers that prove authenticity
Real-World Case: A Virginia-based mechanical contractor lost a $2.4M project when an attacker accessed their PlanHub account (using a reused password from a previous breach), viewed the competing bid, and submitted a lower number through a spoofed identity. The GC awarded the project to the fraudulent entity, which collected a $240K mobilization payment before anyone realized the company didn't exist.
Payment Verification Controls
Payment diversion is preventable with simple procedural controls:
The Golden Rule: Never change banking or payment information based solely on an email, fax, or electronic message. Every change must be verified through a separate channel — a phone call to a known number, an in-person confirmation, or a verified secure portal.
- Establish banking information at onboarding — collect bank details in person or through a verified onboarding process, not via email
- Require dual authorization for banking changes — any modification to payment details must be approved by two people after independent verification
- Implement a cooling period — delay payments for 48-72 hours after any banking change to allow time for verification
- Call before sending — for payments above $25,000, call the subcontractor's office at the number in your original contract (not the number in the email) to confirm details
- Use positive pay — work with your bank to implement positive pay, which rejects checks and ACH transactions that don't match pre-approved details
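The controls above are procedural, but they can be encoded so that the accounts-payable workflow refuses to skip them. The following is an added example written for this article, not code from any bid platform or bank: it models the Golden Rule (the message that carried the request never counts as verification), dual authorization by two distinct people, a 48-hour hold on payments to newly changed details, and a call-back to the number in the original contract for payments above $25,000. Vendor names, account identifiers, phone numbers and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

COOLING_PERIOD = timedelta(hours=48)      # article: hold 48-72 hours; the lower bound is used here
CALLBACK_THRESHOLD = 25_000               # article: call before sending for payments above $25,000
# Channels that count as independent of the message that carried the request
OUT_OF_BAND = {"phone_known_number", "in_person", "verified_portal"}


class ControlViolation(Exception):
    """A payment or banking change failed one of the procedural controls."""


@dataclass
class Vendor:
    name: str
    contract_phone: str                   # number from the original contract, not from any email
    account: str                          # currently approved account identifier (constructed)
    account_changed_at: Optional[datetime] = None


@dataclass
class BankingChangeRequest:
    vendor: Vendor
    new_account: str
    requested_via: str                    # channel the request arrived on, e.g. "email"
    verified_via: Optional[str] = None    # set only after independent verification
    approvers: list = field(default_factory=list)


def record_verification(req: BankingChangeRequest, channel: str) -> None:
    """Golden Rule: the message that asked for the change can never verify it."""
    if channel == req.requested_via or channel not in OUT_OF_BAND:
        raise ControlViolation(f"{channel!r} is not an independent verification channel")
    req.verified_via = channel


def approve_change(req: BankingChangeRequest, approver: str, now: datetime) -> bool:
    """Dual authorization: two different people, both after verification is on record.

    Returns True once the second approval applies the change, False while pending.
    """
    if req.verified_via is None:
        raise ControlViolation("banking change has not been verified out of band")
    if approver in req.approvers:
        raise ControlViolation(f"{approver} already approved; a second person is required")
    req.approvers.append(approver)
    if len(req.approvers) < 2:
        return False
    req.vendor.account = req.new_account
    req.vendor.account_changed_at = now   # starts the cooling period
    return True


def authorize_payment(vendor: Vendor, amount: float, now: datetime,
                      callback_number: Optional[str] = None) -> dict:
    """Cooling period and call-before-sending checks; returns the release record."""
    if vendor.account_changed_at is not None:
        since_change = now - vendor.account_changed_at
        if since_change < COOLING_PERIOD:
            raise ControlViolation(
                f"account changed {since_change} ago; hold until the cooling period ends")
    if amount > CALLBACK_THRESHOLD and callback_number != vendor.contract_phone:
        raise ControlViolation(
            "payment above threshold requires a call-back to the number in the contract")
    return {"vendor": vendor.name, "account": vendor.account,
            "amount": amount, "released_at": now}


def violates(fn, *args, **kwargs) -> bool:
    """True when a call is blocked by a control; handy for walkthroughs and tests."""
    try:
        fn(*args, **kwargs)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0)
    vendor = Vendor("Acme Mechanical (constructed)", "555-0100", "ACCT-OLD")
    req = BankingChangeRequest(vendor, "ACCT-NEW", requested_via="email")
    print("email alone can verify a change:", not violates(record_verification, req, "email"))
    record_verification(req, "phone_known_number")
    approve_change(req, "alice", t0)
    approve_change(req, "bob", t0)
    later = t0 + timedelta(hours=49)
    print("payment 24h after change released:",
          not violates(authorize_payment, vendor, 10_000, t0 + timedelta(hours=24)))
    print("payment 49h after change released:", not violates(authorize_payment, vendor, 10_000, later))
    print("$30K with call-back to email number released:",
          not violates(authorize_payment, vendor, 30_000, later, callback_number="555-0199"))
```

The important design point is that `callback_number` is compared against the phone number stored on the vendor record at onboarding, so a number supplied in the same email that requested the change can never satisfy the check.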
Email Security for Construction Firms
Email is the primary attack vector for construction fraud. Secure it at every level:
Technical Controls
- DMARC, SPF, and DKIM: Publish SPF and DKIM records and an enforcing DMARC policy so that receiving mail servers can reject messages that only appear to come from your domain
- Advanced email filtering: Use Microsoft Defender for Office 365 or similar to detect impersonation attempts
- External email banners: Flag all messages from outside your organization so staff can identify potentially spoofed messages
- Link protection: Enable safe links that scan URLs in real time, at the moment they are clicked, before the page opens
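Publishing SPF, DKIM and DMARC is easy to get wrong in a way that looks done but enforces nothing (a `?all` SPF qualifier, a DMARC policy of `p=none`, no DKIM key at the selector). The following checker is an added example, not the article's code or any vendor's tool: it reviews a domain's TXT records from an offline name-to-record map and reports the weak settings beside the corrected ones. The domain, the `_spf.mailprovider.test` include, the selector name and the DKIM key material are constructed placeholders; in production you would feed it the records returned by a real DNS query instead of the map.

```python
def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax used by DMARC and DKIM TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records: list) -> list:
    """Flag SPF records that let unlisted hosts send as the domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; receivers cannot tell which hosts may send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term[0] not in "-~":
        findings.append(f"SPF: '{all_term}' does not fail unlisted senders; use -all or ~all")
    return findings


def check_dmarc(txt_records: list) -> list:
    """Flag DMARC records that carry no enforcement or no visibility."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record; SPF and DKIM failures are not enforced"]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is still delivered")
    if "sp" in tags and tags["sp"].lower() not in ("quarantine", "reject"):
        findings.append(f"DMARC: sp={tags['sp']}; subdomains can still be spoofed")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']}; policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no reports of who is spoofing you")
    return findings


def check_dkim(txt_records: list) -> list:
    """Flag a selector with no usable public key."""
    keys = [parse_tags(r) for r in txt_records if "p=" in r]
    if not keys:
        return ["DKIM: no key record at this selector"]
    if not keys[0].get("p"):
        return ["DKIM: empty p= tag; the key is revoked"]
    return []


def audit_domain(dns: dict, domain: str, selector: str) -> list:
    """Run all three checks against an offline name->TXT map (constructed DNS)."""
    return (check_spf(dns.get(domain, []))
            + check_dmarc(dns.get(f"_dmarc.{domain}", []))
            + check_dkim(dns.get(f"{selector}._domainkey.{domain}", [])))


# Constructed records. WEAK_DNS is a typical "configured but not enforcing" state;
# HARDENED_DNS is the corrected set. Names and key material are placeholders.
WEAK_DNS = {
    "example-gc.test": ["v=spf1 include:_spf.mailprovider.test ?all"],
    "_dmarc.example-gc.test": ["v=DMARC1; p=none"],
}
HARDENED_DNS = {
    "example-gc.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example-gc.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-gc.test; pct=100"],
    "selector1._domainkey.example-gc.test": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER-PUBLIC-KEY-BASE64"],
}

if __name__ == "__main__":
    for label, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(label, audit_domain(dns, "example-gc.test", "selector1") or ["no findings"])
```

Run against the weak map it reports four problems; against the hardened map it reports none. Treat `p=none` as a monitoring stage, not an end state: it is the setting most often left in place for years.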
Procedural Controls
- Verify identity on sensitive communications: If an email requests money, credentials, or changes to project details, verify by phone
- Train estimators and project managers: These roles handle the most sensitive bid and payment information — they need targeted security training
- Separate bid and payment roles: The person who evaluates bids should not be the same person who processes payments
Secure Plan Room and Document Sharing
Bid documents, specifications, and pricing schedules are valuable targets. Protect them:
- Use project management platforms with granular access controls (Procore, PlanGrid, Autodesk Build)
- Restrict plan access to verified, registered bidders only
- Disable downloading where possible — use view-only access for pre-bid documents
- Audit who accesses which documents and flag unusual patterns
- Revoke access immediately after bid deadlines close
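Both the bid-receiving checklist above ("log all bid access") and this plan-room list ("audit who accesses which documents and flag unusual patterns") come down to running a few rules over the platform's access log. The following is an added example for this article, not output or code from PlanHub, Procore or any other named platform: it parses a constructed access log and flags four conditions, an unverified account touching anything, a sealed submission opened before the deadline by anyone other than its submitter, a bidder opening another bidder's submission, and bidder access to plan documents that should have been revoked at the deadline. The account names, deadline and log lines are all constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed scenario: a sealed-bid deadline, the GC staff allowed to open
# submissions once it has passed, and the bidders whose registration was verified.
DEADLINE = datetime(2024, 5, 10, 14, 0)
REVIEWERS = {"gc.estimator"}
VERIFIED_BIDDERS = {"acme.mech", "north.electric"}

# Constructed access log (not real platform output). 'owner' is the account
# that submitted the object; plan documents are owned by the GC.
LOG = """\
when,user,action,object,owner
2024-05-09 10:02,acme.mech,download,plans/M-101.pdf,gc
2024-05-09 10:05,acme.mech,view,bid/acme.mech,acme.mech
2024-05-09 11:30,north.electric,download,plans/E-201.pdf,gc
2024-05-09 13:47,north.electric,view,bid/acme.mech,acme.mech
2024-05-09 13:49,unknown.vendor,download,plans/M-101.pdf,gc
2024-05-10 13:15,gc.estimator,view,bid/acme.mech,acme.mech
2024-05-10 15:00,gc.estimator,view,bid/acme.mech,acme.mech
2024-05-11 08:00,north.electric,download,plans/M-102.pdf,gc
"""


def parse_log(text: str) -> list:
    """Read the CSV log into dicts with a real datetime in the 'when' field."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["when"], "%Y-%m-%d %H:%M")
    return rows


def flag_events(rows, deadline=DEADLINE, reviewers=REVIEWERS, verified=VERIFIED_BIDDERS) -> list:
    """Return (when, user, reason) for every event that breaks a plan-room rule."""
    findings = []
    for row in rows:
        when, user, obj, owner = row["when"], row["user"], row["object"], row["owner"]
        is_bid = obj.startswith("bid/")
        # Rule 1: only verified, registered bidders (or GC reviewers) touch anything
        if user not in verified and user not in reviewers:
            findings.append((when, user, f"unverified account accessed {obj}"))
        # Rules 2 and 3: submissions stay sealed until the deadline, and afterwards
        # only the submitter or a GC reviewer ever opens them
        if is_bid and user != owner:
            if when < deadline:
                findings.append((when, user, f"opened sealed submission {obj} before the deadline"))
            elif user not in reviewers:
                findings.append((when, user, f"bidder opened another bidder's submission {obj}"))
        # Rule 4: bidder access to plan documents should be revoked at the deadline
        if not is_bid and user not in reviewers and when > deadline:
            findings.append((when, user, f"plan access after the deadline was not revoked: {obj}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per account, the view an auditor wants first."""
    counts = {}
    for _, user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_events(parse_log(LOG))
    for when, user, reason in hits:
        print(when.strftime("%Y-%m-%d %H:%M"), user, "-", reason)
    print(summarize(hits))
```

Note that the sealed-submission rule fires for the GC's own estimator as well as for a rival bidder: if submissions are really unreadable until the deadline, an internal view before that point is either a platform misconfiguration or a compromised staff account, and both deserve a look.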
Vetting New Vendors and Subcontractors
Before awarding work to any new subcontractor, verify their legitimacy:
- Check state contractor licensing — verify their license number with the issuing authority
- Verify insurance independently — call the carrier directly to confirm coverage
- Confirm physical address — a Google Street View check takes 30 seconds and can reveal whether the "office" is actually a vacant lot
- Request bank verification letters — legitimate contractors can provide letters from their bank confirming account details
- Check references on recent projects — call project owners listed as references
Incident Response: When Fraud Is Detected
If you suspect bid fraud or payment diversion:
- Immediately contact your bank — if a payment was recently sent, a wire recall may recover funds within the first 24-72 hours
- Preserve evidence — do not delete emails, screenshots, or logs. Forward suspicious messages to your IT team
- File an FBI IC3 report — the Internet Crime Complaint Center tracks construction fraud and has recovered millions through rapid intervention
- Notify affected parties — if a subcontractor's identity was compromised, inform them immediately
- Engage legal counsel — fraud recovery often requires legal action across jurisdictions
Working with a managed IT services provider ensures your email systems, bid platforms, and payment processes have monitoring in place to detect anomalies before money moves.