The Holiday Scam That Could Cripple Your Architecture Firm (And How Salt Lake City's Top Firms Stay Protected)

Last December, a senior project coordinator at a leading Salt Lake City architectural firm received a late-night Slack message from their "Principal." The ask? Purchase $2,500 worth of Amazon gift cards for clients, scratch the backs, and email the codes immediately. It felt off, but in the thick of Q4 deadlines and holiday chaos, the coordinator complied. By the time IT flagged the message, the funds were long gone.

That story may sting, but there are far worse examples in our industry.

Around the same time, a Utah-based design-build firm processed what appeared to be a routine vendor payment—$180,000 wired to an account supposedly belonging to a structural engineering partner. The email thread had been hijacked. The payment went to cybercriminals. The result? Legal disputes, delayed project timelines, and one very shaken operations director.

Architecture firms in Salt Lake City are prime targets during the holidays. Between overloaded project timelines, client gifting, and remote work, the season creates a perfect storm of distraction—and cybercriminals know it.

5 Holiday Scams Your Salt Lake City Architecture Firm Needs to Avoid

  1. "Principal Needs Gift Cards Now" (a.k.a. The $2,500 Slack Scam)

The scam: Impersonators pose as firm leaders and pressure employees to purchase gift cards for clients or staff. In Q1 2024, over 35% of business email compromise (BEC) incidents in architecture were gift-card related.

Prevention: Implement a hard policy: all gift card purchases must be approved by two people—and never via Slack, text, or email. Make it crystal clear that no principal or partner will ever request gift cards digitally.

  2. Vendor Payment Redirects (The Big Wire Transfer Trap)

The scam: Hackers infiltrate legitimate vendor email threads and subtly update payment info—right before holiday disbursements.

Prevention: Require all payment changes to be confirmed verbally via a known phone number. At Qual IT, we call it the “Two-Channel Rule”: If a request comes in digitally, confirm it analog.

  3. Phony Delivery Notices to the Office

The scam: Fake shipping alerts that mimic UPS/FedEx/USPS, prompting staff to click tracking links—which then install malware.

Prevention: Train employees to access carrier tracking only through direct, bookmarked sites. Block common phishing domains at the network level.

  4. "Holiday Schedule" Attachments That Contain Malware

The scam: Emails titled things like "Holiday_Party_List.pdf" or "End_of_Year_Office_Closures.xlsx" contain embedded malicious code. One click and your entire server could be compromised.

Prevention: Disable macros on all devices. Use advanced attachment scanning, and enforce a policy to verify any unexpected file via Teams or phone before opening.

  5. Fake Charity Drives (That Steal Your Client Data)

The scam: Cybercriminals pose as charitable campaigns—sometimes even spoofing your firm's name—to gather credit card info or logins.

Prevention: Circulate a pre-vetted list of donation platforms approved by leadership. Clearly communicate to clients and staff that any "firm-sponsored giving" will be published only on your official website or LinkedIn page.

Why These Scams Work (And Why Architecture Firms Are Especially at Risk)

Salt Lake City architecture firms rely heavily on email threads, cloud collaboration tools like BIM 360, and remote access to 3D modeling files. These systems are efficient—but they also create vulnerabilities.

You’re dealing with multi-million-dollar projects, sensitive client plans, and large digital files passed between internal staff, subcontractors, and partners. That’s a goldmine for hackers.

And while firms obsess over physical building security, many overlook digital security—until it’s too late.

Here’s the kicker: most of these scams are preventable.

  • 99% of email-based attacks can be stopped with Multifactor Authentication (MFA).
  • Phishing simulations reduce cyber risk by 60%.
  • But most Salt Lake City architecture firms still don’t train their teams or audit their systems.

Your Holiday Cybersecurity Checklist

Before the calendar flips to December, use this checklist to lock down your architecture firm's IT:

  1. Create a Two-Person Gift Policy: Require dual approval for any purchases involving gift cards, donations, or client gifting.
  2. Use the Two-Channel Rule for Financial Changes: Payment updates must be confirmed via phone—not email.
  3. Enforce Multifactor Authentication: Especially on project management platforms, email, and cloud drives.
  4. Educate Staff With Real Scenarios: Use industry-specific examples in holiday training (like the BIM file phishing example from 2023).
  5. Review Vendor Access & Permissions: Ensure vendors and collaborators have only the minimum access to your systems that they need.

The Real Cost to Salt Lake City Architecture Firms

It’s not just about dollars lost—it’s about reputation, relationships, and momentum.

  • A data breach can halt design work right before a client deadline.
  • Delayed payments can stall construction partnerships and damage trust.
  • Even minor scams spike cyber insurance premiums and increase scrutiny from future clients.

The average cost of a successful business email compromise attack in our industry? $128,700. And for design-build firms handling healthcare or government work, that number triples.

The Best Gift You Can Give Your Firm This Year: Cyber Resilience

You didn’t become an architect to stress about server security or phishing emails. Your job is to design, lead, and deliver. But one well-placed scam could throw your entire firm into chaos.

Let’s fix that.

At Qual IT, we specialize in Managed IT Services for architectural firms across Salt Lake City. We understand BIM workflows, Autodesk license headaches, and what it takes to secure multi-office firms without slowing them down.

Want to see how secure (or exposed) your firm really is?

Click here to schedule your free network security assessment.

Because this holiday season, peace of mind isn’t optional—it’s essential.