AEC Firms: The Email That Could Reroute Your Next Project Payment

AEC Firms: The Email That Could Reroute Your Next Project Payment

Picture a normal week on an active project. A vendor you have worked with for months sends a quick note that their banking information has changed and asks you to send the next payment to the updated account. The email looks completely normal. It comes from the right person, references the right project, and arrives right when a payment is due. So someone on your team updates the details and sends the money.

Except the email did not come from your vendor. It came from a criminal who had been quietly reading the conversation, waiting for the right moment. By the time anyone notices, a large project payment is gone, and it is very hard to get back.

This is called business email compromise, and for engineering and architecture firms it is one of the most expensive risks out there. The FBI reports that these scams drove more than three billion dollars in reported losses in a single recent year, second only to investment fraud, and that the large majority of that stolen money moved by wire or ACH transfer. Here is why your industry is such a target, and what actually stops it.

Why Engineering and Architecture Firms Are Prime Targets

Criminals follow the money, and few industries move money by email quite like yours.

A single project pulls in owners, engineers, architects, general contractors, subconsultants, suppliers, and lenders, all coordinating through email. Payments are large and frequent. Draws, progress payments, change orders, retainage, and vendor invoices move on a schedule everyone can see coming. New subconsultant and vendor relationships start all the time, so a banking-change request does not feel unusual. And the pressure of deadlines means people act quickly to keep a project moving. That combination of big dollars, many parties, predictable timing, and urgency is exactly what these scams are built to exploit.

How the Scam Actually Works

These attacks almost always start quietly, often with a convincing phishing email designed to look completely legitimate that tricks someone into entering their login on a fake page.

Once the criminal has access to an email account, they do not rush. They read. They learn who pays whom, how invoices are worded, which projects are active, and when payments are due. Then they wait for the right moment and send a message that fits right into the conversation, usually a request to update banking details or a fake invoice that looks just like the real ones. Because it matches everything that came before it, it sails past the normal gut check. Today these messages are more convincing than ever, since attackers can use AI to mimic a real person’s writing style and even clone a voice for a follow-up phone call.

The risk also reaches beyond the payment. While an attacker is sitting inside an email account, they can read everything in it, including confidential client information, proprietary designs, and project details that have not been made public, along with bid and contract figures. For engineering and architecture firms, where protecting a client’s private information is part of your professional reputation, that exposure can be just as damaging as the money itself.

Why the Money Is So Hard to Get Back

The reason wire fraud is so devastating is speed. Wire and ACH transfers move fast and are difficult to reverse once they land in the criminal’s account.

By the time someone realizes the payment went to the wrong place, the funds have often already been moved again and scattered. Recovery is sometimes possible, but only if you act within hours, not days, by alerting your bank and reporting it immediately. That is a terrible position to be in on a six-figure project payment, and it is why prevention matters so much more than reaction here.

What Actually Stops It

The good news is that this is one of the most preventable cybercrimes there is. A few straightforward habits stop the large majority of it.

  • Verify every change. Any request to change banking details or payment instructions gets confirmed by a phone call to a known, trusted number, never the number in the email.
  • Make verification a written rule, not a judgment call. Everyone who can send a payment should follow the same steps every time, so it does not depend on who happens to be having a busy day.
  • Require a second set of eyes. Large or unusual payments should need a second person to approve them.
  • Protect the email accounts themselves. Multi-factor authentication on email makes it far harder for an attacker to get in and start watching in the first place.
  • Train the team to know the red flags. Urgency, a new account, a slightly different email address, and pressure to keep it quiet are all warning signs worth pausing on.

It is also worth knowing that cyber insurance carriers increasingly expect these kinds of verification controls to be in place, and may look closely at them after a claim.

This Is a Core Part of What We Do at My Tampa IT

Stopping payment fraud is part technology and part process, and we help with both.

On the technology side, we layer several protections around your email so an attack is caught early or stopped before it ever starts.

  • Scanning and filtering incoming email to keep malicious messages out of the inbox in the first place.
  • Flagging messages that come from external senders, so a spoofed vendor or impersonator stands out instead of blending in.
  • Watching for the warning signs of a compromised account, such as new forwarding rules quietly created to hide an attacker’s activity.
  • Detecting malware and intrusion attempts that could open the door to begin with.
  • Requiring multi-factor authentication on email, so a stolen password alone is not enough to get in.

On the process side, we help your team build the simple verification habits that stop a fraudulent request cold, and we provide ongoing security awareness training so your people can recognize these scams when they appear. It is part of how we help engineering and architecture firms run securely and win more work. The goal is straightforward. We want the money your firm moves to land where it is supposed to, and the confidential information in your inbox to stay confidential.

For Tampa Bay Engineering and Architecture Firms

In an industry built on relationships and reputation, one rerouted payment does more than cost money. It strains the trust between you, your clients, and your partners, and it can stall a project at the worst possible time.

Protecting your firm here is less about having the most advanced technology and more about consistency. The firms that handle it well have steady verification habits and the right safeguards working quietly in the background, so a convincing email never becomes a costly mistake.

Ready to Protect Your Next Project Payment?

At My Tampa IT, we help Tampa Bay engineering and architecture firms keep their email secure and their payments safe, with the technology and the everyday habits that stop fraud before money ever leaves your account. If you want to make sure your firm is protected, let’s talk. Contact My Tampa IT for a conversation about your risk.

In the meantime, our free Wire Fraud Prevention Checklist is a quick way to see whether your team has the right safeguards in place before your next payment goes out.

Frequently Asked Questions

Is this something we can really prevent, or just hope to avoid?2026-07-07T22:42:10-04:00

You can prevent the large majority of it. A written verification process, a phone-call confirmation for any banking change, multi-factor authentication on email, a second approver for large payments, and a trained team together stop almost every version of this scam. It is very achievable for a firm your size.

What should we do if a payment has already gone to the wrong account?2026-07-07T22:42:02-04:00

Move fast. Contact your bank immediately to try to recall or freeze the transfer, and report it to the FBI at ic3.gov as soon as possible. Recovery chances drop sharply by the day, so the same-day response is what gives you the best shot at getting the money back.

Our vendor really did change banks. How do we handle that safely?2026-07-07T22:41:42-04:00

Treat every banking change the same way, even the legitimate ones. Before you update anything, call the vendor at a phone number you already have on file, not one from the email requesting the change, and confirm it directly. A real vendor will never mind the extra step, and that one phone call is what stops the fraud.

We are a small firm. Are we really a target?2026-07-07T22:41:25-04:00

Yes, and often more so. Smaller engineering and architecture firms move large project payments but usually have fewer controls around them than a big company would. Criminals know that, which makes a busy small firm an appealing and realistic target.

How is this different from regular spam or phishing?2026-07-07T22:40:50-04:00

Phishing is often the first step, but business email compromise goes further. The criminal uses that access to study your real conversations and then impersonate a trusted vendor, partner, or executive at exactly the right moment. Because the request fits the context perfectly, it is far more convincing than a generic scam email, which is what makes it so effective and so costly.

Get In Touch!

You’ve got questions. We’ve got answers.

Let’s start the conversation about your IT support needs.

Name *

Protect your assets with top-tier cyber security solutions. Book a brief introductory call now to learn how we can safeguard your digital environment.

Go to Top