When the Job Isn’t Real: Practical due-diligence habits for bid invitations, document links, and payment changes in construction.
- Jul 6
- 7 min read
This article is intended as general awareness, not legal, financial, insurance, or cybersecurity advice. Companies should work with their banking partners, IT providers, insurers, and legal counsel to establish controls appropriate for their business.
Not every project opportunity is what it appears to be.
In recent years, fraudulent bid invitations and payment-related scams have become more common across the construction industry. Some are still easy to recognize: a strange sender, a vague project description, a suspicious file link, or an email that simply does not read like normal business communication.
Others are far more difficult to spot, and with the rise of AI near impossible to spot until it is too late.
We have seen invitations to bid on projects that, at first glance, appeared legitimate. The message included project language, names, attachments, and even what looked like a prior email thread between multiple parties. It was not just a random email asking someone to click a link. It was built to look like a normal construction communication.
We have also seen the more damaging side of these scams: real-time email compromise, where an existing business exchange is intercepted and payment instructions are altered before funds are sent.
That is the uncomfortable part of the issue. The most dangerous scams no longer rely on looking suspicious. They rely on looking routine.
Why Construction Is an Attractive Target
Construction businesses like to move quickly. Bid deadlines are real. Project documents are shared constantly. Estimators receive invitations from companies they may not know well. Accounting teams process deposits, progress payments, change orders, and vendor invoices under time pressure. Contractors, suppliers, owners, engineers, architects, and manufacturers often communicate across long chains of email.
That creates opportunity.
A fake bid invitation does not need to fool an entire company. It only needs one person to open a document link, submit information, or engage long enough for the scammer to learn more.
A payment scam does not need to invent a project from scratch. It may only need to insert itself into an existing relationship at the exact moment when money is expected to move.
This is why the issue should not be treated as a generic technology problem. It belongs in the same category as contract review, insurance, job costing, credit risk, and payment controls. It is part of doing business in construction.
The Fake Bid Invitation
A fraudulent bid invitation is designed to look like opportunity.
It may reference a real company, a real project type, a real location, or a real person. It may include a bid date, scope language, plan links, and copied formatting from actual construction communications. In more sophisticated cases, the email may include a fabricated chain of prior messages to create the impression that several people have already been involved.
That false context is powerful. If an email appears to be part of an ongoing exchange, the recipient is less likely to question why they were included or whether the request is legitimate.
The goal may vary. The sender may want someone to open a malicious file, enter credentials into a fake document portal, provide company information, or simply begin a conversation. In some cases, the first email is only a starting point. The scam becomes more convincing as the exchange continues.
There are usually clues, but they are not always obvious.
A sender may use a domain that is close to the real company domain but not identical. A project may be difficult to verify outside the email itself. A link may lead to a file-sharing site that requires a login. The contact name may not match anyone listed on the company’s website or public project documents. The message may create urgency around a bid deadline while providing little verifiable context.
None of these details proves fraud on its own. Construction communication is often messy. Real bid invites can come from unfamiliar people, use third-party document platforms, and arrive with short deadlines.
That decentralization is what makes these scams effective.
The question is not whether one detail feels unusual. The question is whether the opportunity can be verified outside the email that introduced it.
The Compromised Email Thread
Payment fraud is often more difficult because it may begin inside a legitimate relationship.
A contractor, supplier, customer, or project partner may have an email account compromised without realizing it. Once inside, the attacker can watch conversations, study timing, learn names, and wait for the right moment to intervene.
The email that follows may not look like spam. It may come from a real address. It may appear in an existing thread. It may reference an actual invoice, project, amount, or payment schedule. The only change may be the banking information.
That is why relying on the appearance of the email is not enough.
A revised wire instruction, updated ACH form, new remittance address, or last-minute account change should be treated differently from ordinary correspondence. It is a control point. Once money leaves the account, the ability to recover it can be limited and time-sensitive.
The mistake many companies make is assuming that because the project is real, the payment instruction must be real. In these scams, the project may be real. The contractor may be real. The invoice may be real. The email thread may be real.
The banking information is the part that changed.
The Red Flags Are Often Procedural
The older advice around phishing often focused on grammar errors, strange greetings, and obvious foreign-language mistakes. Those still exist, but they are no longer enough.
In construction-related scams, the warning signs are often procedural rather than cosmetic.
A bid invite comes from a company you recognize, but not from a contact you can independently verify.
A plan link requires you to enter email credentials before viewing documents.
A project has a bid deadline, but no clear owner, architect, civil engineer, permit record, or public trace.
A person claims to be with a known company, but the email domain is slightly altered.
A payment update arrives near the exact time a deposit, draw, or final payment is expected.
A vendor provides new wire instructions but does not mention them during phone calls or other normal communication.
A message discourages direct confirmation because of urgency, travel, confidentiality, or timing.
A familiar email thread suddenly changes tone.
These are not always dramatic signs. They are small inconsistencies in the process. The discipline is learning to pause when the request involves access, information, or money.
Build Verification Into the Process
But suspicion of every email is not the best defense. That is unrealistic and inefficient.
The better approach is to make verification a normal part of the workflow at specific risk points. For bid invitations, the risk point is usually before opening files, logging into a document portal, or committing estimating time to an unknown opportunity. The sender, company, project, and document source should be confirmable through some channel other than the email itself.
That may mean checking the company website, calling the main office number, confirming the contact through a known relationship, reviewing public project information, or asking for clarification before accessing files.
For payment instructions, the standard should be even higher.
Any new banking information or change to existing payment details should be confirmed verbally using a phone number already on file or obtained from a trusted source. The number provided in the suspicious email should not be used for verification. The confirmation should be documented, and larger transfers should require a second internal approval.
This may feel like an extra step, but it is much easier than trying to recover funds after a fraudulent wire.
A Practical Bid Invitation Check
Before opening files or responding in detail to an unfamiliar bid invitation, it is worth asking:
Who sent this, and can that person be verified outside the email?
Does the sender’s domain exactly match the company they claim to represent?
Is the project real, and can it be confirmed through the owner, GC, architect, engineer, permit records, plan room, or another trusted source?
Are the documents being shared through a normal platform, or does the link require an unusual login?
Does the request make sense for our company, our geography, and our role in the industry?
Is there pressure to act quickly before basic verification can happen?
These questions should not slow down legitimate work in any meaningful way. In most cases, a real opportunity can withstand a few minutes of scrutiny.
A Practical Payment Check
Before sending funds or changing stored payment information, the process should be even more deliberate.
Was the payment instruction expected?
Did the banking information change?
Was the change communicated only by email?
Has someone confirmed the change by phone using a known, trusted number?
Does the account name match the vendor or contractor being paid?
Has a second person reviewed the change before funds are released?
Is the verification documented?
The purpose is not to create bureaucracy. It is to protect the company, the contractor, the vendor, and the relationship. A payment control that feels inconvenient in the moment can prevent a much larger disruption later.
If Something Feels Wrong
If a message feels questionable, stop using that email thread as the source of truth.
Do not click additional links. Do not download new files. Do not reply with sensitive information. Contact the company or individual through a separate, trusted channel.
If payment has already been sent and fraud is suspected, contact the bank immediately. Time matters. Internal accounting, leadership, IT support, insurance contacts, and law enforcement reporting channels may also need to be involved depending on the situation.
Preserve the emails, attachments, headers, phone records, wire details, and timeline. Those details can matter later.
The Larger Lesson
Construction depends on trust. Most business still happens through relationships, referrals, repeat customers, known vendors, and practical communication between busy people trying to get work done.
Scammers understand that.
They are not only attacking computers. They are attacking normal business habits: urgency, familiarity, professional courtesy, and the assumption that an email thread means the people in it are who they appear to be.
The answer is not paranoia. It is a better process.
A real bid invitation should be verifiable. A real payment change should survive a phone call. A legitimate partner should understand why your company confirms sensitive information before acting on it.
In today’s environment, that is not distrust.
It is good business.




Comments