Last December, a project coordinator at a mid-size general contractor in Salt Lake City got a text from his “Operations Director”: "Need $3,000 in gift cards for project vendor appreciation. Send the codes ASAP."
It was peak holiday madness—RFIs were piling up, and bids were due in 48 hours. The coordinator didn’t question it. He bought the cards, scratched off the backs, and sent the codes.
By the time the scam was flagged, the money was long gone. No one ever asked for gift cards. The sender wasn’t his boss. And the company had just become another victim of a construction-specific cyber scam.
But that was just the warm-up.
That same month, a global engineering firm lost over $60 million after falling for a wire fraud scam disguised as a subcontractor invoice. They approved multiple fake transfers during year-end payment cycles—and didn’t catch it until weeks later.
If you think your construction company in Salt Lake City is too small or too smart to fall for these traps, think again.
Gift card scams alone cost U.S. companies over $217 million in 2023. And Business Email Compromise (BEC) attacks accounted for 73% of all cyber incidents in 2024.
For the construction industry, the holiday season is open season for cybercriminals. Projects are wrapping, teams are stretched thin, and leadership is out of the office. That’s when the bad actors strike.
5 Holiday Scams Your Construction Crew Needs to Spot (Before It Delays Your Next Pour)
- "Your PM Needs Gift Cards" (The $3,000 Text Trap)
The scam: Impersonators pose as Project Managers, Superintendents, or Executives asking for gift cards to give to field crews or clients.
Why it works: The sender’s name shows up correctly thanks to email spoofing or compromised cell numbers. And in the rush of year-end scheduling chaos, who has time to double-check?
How to stop it: Create a no-exceptions gift card policy requiring two-person sign-off and verbal confirmation. Let your team know: real leadership doesn’t ask for cards via text.
- Vendor Wire Transfer Scams (The Big Money Play)
The scam: Fraudsters send updated payment instructions, posing as your drywall sub or electrical supplier—right as final invoices are due.
Why it works: Construction vendors often have different banking info for different projects. When an email pops up asking to "update records," it doesn’t always raise red flags.
How to stop it: Require verbal confirmation of all bank detail changes, using contact info already on file. Enforce a call-for-verification rule on any transfer above $5,000.
- Fake FedEx/UPS Tracking Links
The scam: Emails or texts pretending to be delivery updates with links to reschedule.
Why it works: With tools, parts, and materials constantly in transit, your admins and site teams are trained to respond fast.
How to stop it: Bookmark carrier tracking pages and train staff to use them instead of clicking email links. This single habit can save you from malware installs.
- "Holiday Party" Attachments That Drop Malware
The scam: Emails with innocent-looking attachments labeled "Holiday_Schedule.pdf" or "Party_List.xls" that launch malware when opened.
Why it works: Field and admin teams are flooded with updates and invites this time of year. One click on a spreadsheet can open the door to ransomware.
How to stop it: Disable macros company-wide. Run attachments through endpoint security tools. And train your team: if you weren't expecting it, verify it.
- Bogus Charity Drives
The scam: Fake donation campaigns pop up through spoofed emails, pretending to be from HR or safety departments.
Why it works: Construction firms love giving back during the holidays. Scammers exploit this goodwill with lookalike websites and fraudulent "company match" programs.
How to stop it: Circulate an official list of approved causes. Ensure all donations go through vetted, secure portals.
Why These Attacks Work (And Why Salt Lake Construction Firms Are in the Crosshairs)
Cybercriminals don’t need to hack your systems. They just need one distracted PM, overworked AP clerk, or trusting foreman to click the wrong link.
These are not old-school spam scams. They are tailored, social-engineered attacks built around how your company works—from Procore workflows to wire transfers for equipment vendors.
Construction firms in Salt Lake City are especially at risk:
- Dispersed teams: Field-to-office communication gaps mean attackers can slip through unnoticed.
- Rapid growth: With new projects and hires, it's harder to enforce standardized security protocols.
- Limited IT support: Many construction companies have lean or outsourced IT, making proactive defense challenging.
Yet here’s the good news: simple changes can drastically reduce your risk.
Your Salt Lake City Jobsite Cybersecurity Checklist (Holiday Edition)
Before holiday PTO kicks in, here are 5 steps you should take today:
- Enforce the Two-Person Rule
All financial transactions or banking changes over your chosen limit (ex. $5,000) must be confirmed by a second person via a different communication channel.
- Publish a No-Text Gift Card Policy
Make it clear: no gift card requests will be honored unless verbally confirmed. No exceptions.
- Train Teams on Wire Fraud Tactics
Use real examples from the field. Show your PMs, AP staff, and admins how these scams actually play out.
- Turn On Multifactor Authentication
Require MFA for email, Procore, ERPs, BIM tools, and any cloud-based project data.
- Run a Holiday Cyber Awareness Huddle
Before December hits, gather the team for a 30-minute refresher. Show screenshots, review threats, and build a culture of verification.
The Real Cost? It’s Bigger Than Money
Yes, a cyberattack can cost six figures in direct losses. But for Salt Lake City construction firms, the ripple effects are even worse:
- Permits delayed because access to compliance files was blocked.
- Field crews idle while systems are down.
- Client trust lost due to data exposure.
- Increased cyber insurance premiums (if you even had coverage to begin with).
The average business email compromise attack now costs $129,000. But during your busiest quarter, the cost of delay alone could be double that.
Stay Secure and On Schedule This Holiday Season
The holiday rush should be about finishing strong and celebrating wins—not scrambling to recover from a preventable cyberattack.
A simple phone call could have saved that $60 million wire fraud.
A 15-minute policy update could have blocked that $3,000 gift card scam.
And a quick team huddle could be the difference between a secure December and a security disaster.
Want to make sure your Salt Lake City construction company is ready?
Click here to schedule your free Cybersecurity Network Assessment.
Because the best gift you can give your business this year is peace of mind—and projects that finish on time.
