Last December, a project coordinator at a mid-sized structural engineering firm in downtown Salt Lake City got a Slack message from her “Director of Ops.” He needed her to grab $2,000 in Amazon gift cards for "client gifts" and send the codes immediately. The message came in the middle of a deadline push, so she acted fast. By the time she flagged it, the real Nathan (yes, that’s our avatar) hadn’t sent it. The scammer had already cashed out, and the team was left sorting out the aftermath during one of the busiest project weeks of the year.
Unfortunately, that’s just the tip of the spear.
In December 2024, a global architecture and engineering firm experienced a far more damaging breach: a series of wire transfers totaling $47 million sent to overseas criminals. It started with a phishing email disguised as a subcontractor invoice. The request looked legit—real logos, a similar domain name, just the right tone. A junior accountant pushed the wire through. Then another. And another.
By the time finance noticed the real vendor hadn’t been paid, it was too late. Months of work. Millions lost. Reputations shattered.
And yet, many engineering firms across Salt Lake City still believe they’re too small or too local to be targeted. Not so.
Gift card scams cost businesses over $217 million last year. Business email compromise (BEC) made up 73% of all major cyber incidents. And the holiday season is the peak time for these attacks. Why? Because everyone’s buried in bids, deadlines, and end-of-year chaos.
5 Holiday Scams Salt Lake City Engineering Firms Must Watch Out For
- "Can You Grab Some Gift Cards?" (The $2,000 Slack Message)
The Scam: Attackers impersonate engineering managers or project leads, asking admins or junior team members to purchase gift cards "urgently."
Why It Works: They spoof email or Slack identities and prey on the fast-moving culture of AEC firms during Q4. Most junior staff won’t question a direct ask from leadership during crunch time.
How to Prevent It: Create a written policy: No gift card purchases without in-person or phone confirmation. Make it clear that no director or principal will ever request them via email or messaging apps.
- Vendor Banking Switch-Ups (The $47 Million Play)
The Scam: You get an email that your plotter lease vendor or BIM subcontractor changed their payment info. Everything looks normal, and it arrives right before invoice deadlines.
Why It Works: Cybercriminals hijack real vendor conversations. They time it around holidays when your AP team is short-staffed or overwhelmed.
How to Prevent It: Always confirm any banking info change over the phone—using the number you already have on file, never the one in the email.
- Fake Shipping or Delivery Notices
The Scam: You get a text or email from "UPS" or "FedEx" about a delayed shipment of plotter paper or an equipment return. There’s a link to reschedule.
Why It Works: Engineering teams often order parts, field laptops, or specialty printing materials. These messages mimic real workflows.
How to Prevent It: Tell staff to bookmark official carrier tracking pages. Never click embedded links. When in doubt, go directly to the site.
- Holiday Party Attachments with Malware
The Scam: Someone sends an email titled "Holiday_Schedule.pdf" or "ClientGiftList.xls." The file is malicious.
Why It Works: Engineering offices often share spreadsheets for internal planning, and staff are less vigilant with internal-looking documents.
How to Prevent It: Disable macros across the board. Scan attachments. Train staff to confirm anything unexpected before opening.
- Fake Charity Drives or "Company Match" Campaigns
The Scam: A fake email or landing page mimics a real charity. It might even claim your firm is running a donation match program.
Why It Works: Firms with strong community ties are especially vulnerable here. These scams prey on team generosity and brand alignment.
How to Prevent It: Publish an internal list of approved causes or matching campaigns. Route all donations through secure, known channels.
Why These Attacks Work (And Why Salt Lake City Firms Are at Risk)
If you’re running AutoCAD or Revit workflows, using Deltek or Bluebeam, sharing large files remotely, and handling subcontractor invoices—you’re a prime target. Cybercriminals know your language. They know your pressures. They know Q4 is when engineering firms are stretched thin.
This isn’t outdated ransomware anymore. These are targeted attacks built from LinkedIn scraping, email monitoring, and deep knowledge of AEC operations.
And too many firms in Salt Lake still treat cybersecurity like a bolt-on feature instead of a core business risk.
Your Engineering-Focused Holiday Security Checklist
Before the year wraps up, here are five things you can do right now:
- The Two-Person Rule: Any financial transaction over $5,000 must be verbally confirmed with two parties. Period.
- Gift Card Lockdown: Publish a no-text, no-email gift card rule. Add it to your onboarding.
- Vendor Payment Verification: Require phone verification for all banking updates. Never trust the email thread.
- MFA Everywhere: Enable multi-factor authentication on all email, cloud, VPN, and design software platforms. No exceptions.
- Pre-Holiday Training: Host a 20-minute lunch-and-learn to walk through these scams. Use real-world examples. Don’t skip this.
The Real Cost for Engineering Firms Isn’t Just Money
Yes, the $47 million loss made international news. But for firms in Salt Lake City, the consequences are often quieter and more personal:
- Lost project momentum in the middle of a bid
- Damaged trust with clients or municipalities
- Staff burnout from cleanup work
- Cyber insurance spikes
- Delays in deliverables during code review or permitting
The average business email compromise costs $129,000. For firms operating on tight margins and project-based cash flow, that could be the difference between growth and layoffs.
Keep Your Salt Lake City Firm Secure Through the Holidays
This time of year should be about pushing final projects across the finish line, not recovering from cyberattacks.
If you're still relying on outdated tech, spotty IT providers, or hope as a strategy, it's time to level up. Your VPN, your files, your cloud access—all need proactive, engineering-specific protection.
Because the reality is simple: One phone call of verification could have saved millions. One blocked attachment could save your Q1 pipeline.
Let’s make sure your firm ends the year strong.
Click here to schedule your free Network Security Assessment with Qual IT.
We'll walk through your systems, policies, and risks—and help you secure your engineering workflows before the holiday rush hits.
