The gap between what phishing awareness training prepares people to recognize and what phishing emails currently look like has widened significantly. AI tools have made it trivially easy to generate grammatically correct, contextually accurate email content at scale. The intelligence gathering that used to require manual research now happens automatically: a targeting package on a Sacramento-area general contractor (GC) can be assembled from public sources in minutes. The result is a class of phishing attacks that does not look like phishing to the people who receive them, because it is written in fluent English, references real information, and arrives from a sender address that is plausibly correct.
This post explains how these attacks are built, what they look like in practice, and which controls actually reduce your exposure. The phishing threat construction firms face in 2026 is not a mass-market email with an obvious mistake. It is a targeted, contextually accurate, professionally written message that your most experienced people can and do click, not because they lack intelligence, but because the attack was specifically designed not to look suspicious to them.
Why Generic Training Is No Longer Sufficient
Traditional phishing training teaches recognition of obvious signals: grammatical errors, unexpected urgency, generic salutations (“Dear Valued Customer”), suspicious links, and mismatched sender domains. These signals are present in commodity phishing, the mass-market attacks aimed at broad populations that try to catch anyone who clicks.
Construction firms are not being targeted with commodity phishing. They are being targeted with spear phishing, attacks built specifically around their organization, their projects, and their personnel. These attacks are designed to pass the exact checks that training programs teach. The attacker knows the project manager’s name, the real project number, the actual subcontractor who needs payment, and the legitimate timeline for that payment. A generic training example about spotting misspelled sender addresses provides no protection against an email that arrives from a sender domain that is identical to the real one except for a single character.
The result is that your most experienced staff (the ones who have been through phishing training and should be most alert) are the exact people being targeted, because they have the authority to approve payments and the context to understand why a particular request makes sense.
| Signal | Generic Phishing (2019) | Targeted Construction Phishing (2026) |
|---|---|---|
| Salutation | Dear Valued Customer | Hi [actual PM name] |
| Project Reference | None, generic account alert | References real project name and number |
| Sender Domain | Obviously mismatched (bankk.com for bank.com) | Lookalike domain, single character different |
| Content | Generic account alert or password reset | References real subcontractor, scope, and payment milestone |
| Grammar | Errors common, obvious sign of fraud | Professional, no errors, indistinguishable from real correspondence |
| Urgency Signal | Artificial urgency, “act now or account will be closed” | Ties to real project milestone or payment cycle |
How Attackers Build a Targeting Package for a Sacramento-Area GC
The intelligence needed to write a convincing construction phishing email is not behind any security perimeter. It is publicly available, and the process of assembling it has been automated by tools that cost very little to run. Here is how the targeting package gets built:
- Step 1: Identify the firm: company website, LinkedIn company page, CSLB license lookup. This reveals company size, license type, key personnel, and service areas.
- Step 2: Map the personnel: LinkedIn profiles of project managers, estimators, accounting staff. Names, roles, relationships with other firms, recent project activity.
- Step 3: Identify active projects: public building permit records (Sacramento County, Placer County, El Dorado County), LinkedIn project announcements, project portfolio pages on the company website.
- Step 4: Map subcontractor relationships: bid tabulations from public agency projects, lien releases filed with county recorder offices, subcontractor tags in LinkedIn posts.
- Step 5: Generate the attack email: AI writing tools produce a professional email that references the real project, the real sub, the real PM by name, and ties the request to a believable context (payment update, document request, schedule change).
Everything needed to write a convincing construction phishing email is publicly available. Attackers are not breaking into anything to get it.
What One of These Emails Actually Looks Like
The difference between a phishing email that looks fake and one that looks legitimate is not technical. It is information. Here is a real-world scenario based on attacks we have seen against Sacramento-area firms:
Subject: Updated W-9 and banking information. Folsom Medical Center Addition
From: [sender address at sierra-mechanical-grp.com, the lookalike domain]
To: jsmith@[realGCdomain].com
Message:
Hi James, hope the Folsom Medical Center Addition is going well. I know you’re pushing toward the final MEP rough-in deadline. We recently updated our banking information with our new bank and need to get you an updated W-9 and ACH details before the next draw. Can you forward this to your accounting team? Let me know if you need anything else from us. Thanks. Mike Hernandez, Sierra Mechanical Group
Nothing in this email is obviously wrong. The project name is real. The milestone reference is plausible; a GC pushing toward MEP rough-in is a normal conversation. The subcontractor name is correct. The request is a task that happens regularly on any significant project. The signature includes a real name found on LinkedIn. The only tell is the sender domain: sierra-mechanical-grp.com instead of sierramechanical.com. That is not a single-character typo but a hyphenated variant with an abbreviation tacked on, and it reads as the same company to anyone skimming. Most recipients do not check sender domains character by character when they are reading an email about a project they are actively managing.
The recipient forwards the W-9 and banking information to accounting. Accounting updates their records. The next requisition payment gets wired to the attacker’s account instead of the real subcontractor’s account. The real subcontractor follows up two weeks later asking where their money is. Only then is the fraud discovered; the wire can be traced, but by that point the money is gone.
What Actually Reduces Your Exposure
The technical controls and process controls that reduce your risk against targeted phishing operate at different layers. They do not eliminate the risk; no defense catches 100 percent of attacks. But they make your organization a harder target and ensure that a click does not automatically result in a fraudulent payment.
Email authentication on your own domain: SPF, DKIM, and a DMARC policy of p=reject, properly configured, stop attackers from sending mail that claims to come from your exact domain, because receiving mail servers that honor DMARC will reject it. That protects your vendors and subs, who might be targeted with messages that appear to come from you, and it means a spoof of your own domain arriving at your own mail gateway is rejected too. It does nothing against lookalike domains, which the attacker registers and controls and can therefore authenticate perfectly well. The practical consequence for your accounting and project management teams is that an inbound message which really carries your domain, or a sub’s domain that enforces DMARC, has passed those checks; the remaining risk is concentrated in lookalikes, which is where the checks below come in.
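The records above are only protective if they actually enforce; a DMARC record with p=none, or an SPF record ending in +all, publishes nothing an attacker has to respect. The following is an added example, not tooling from the original post, that grades SPF and DMARC record strings the way a reviewer would. The record strings at the bottom are constructed samples; in a real check you would fetch the TXT records for the domain and for _dmarc.<domain> over DNS and pass them in.

```python
"""Grade SPF and DMARC records for enforcement strength.

Added example (not the post's own tooling). The records at the bottom are
constructed samples; in production you would fetch the TXT records for
<domain> and _dmarc.<domain> over DNS and feed the strings in here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Mechanisms and modifiers that each cost one of SPF's ten permitted DNS lookups.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high" means spoofed mail is still deliverable
    message: str


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Parse DMARC's 'tag=value; tag=value' syntax into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf: Optional[str]) -> List[Finding]:
    findings: List[Finding] = []
    if not spf or not spf.lower().startswith("v=spf1"):
        return [Finding("SPF", "high", "no SPF record published")]
    terms = spf.split()[1:]
    # The 'all' term decides what happens to senders not listed in the record.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append(Finding("SPF", "medium", "no 'all' term; unlisted senders get a neutral result"))
    elif all_term[0] in "+aA":
        findings.append(Finding("SPF", "high", "'+all' authorizes every sender on the internet"))
    elif all_term.startswith("?"):
        findings.append(Finding("SPF", "medium", "'?all' is neutral; spoofs neither pass nor fail"))
    elif all_term.startswith("~"):
        findings.append(Finding("SPF", "low", "'~all' softfails; rely on DMARC p=reject to actually block"))
    lookups = sum(
        1 for t in terms
        if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_MECHANISMS
    )
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)"))
    return findings


def check_dmarc(dmarc: Optional[str]) -> List[Finding]:
    findings: List[Finding] = []
    if not dmarc:
        return [Finding("DMARC", "high", "no DMARC record at _dmarc.<domain>; spoofed mail is not rejected")]
    tags = parse_dmarc_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine sends spoofs to spam rather than rejecting them"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", f"unknown or missing policy '{policy}'"))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of mail"))
    if tags.get("sp", "").lower() == "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address; you will not see who is spoofing you"))
    return findings


def assess(spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Combine both checks; 'enforcing' means nothing rated high was found."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    return {"enforcing": not any(f.severity == "high" for f in findings), "findings": findings}


# Constructed sample records (not any real domain's DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, dmarc in (("monitor-only", MONITOR_ONLY_DMARC), ("enforcing", ENFORCING_DMARC)):
        result = assess(WEAK_SPF, dmarc)
        print(f"{label}: enforcing={result['enforcing']}")
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

The monitor-only record is graded as not enforcing even though it is syntactically perfect, which is the common state of DMARC at small firms: the record exists, reports arrive, and spoofed mail still lands. Note that an SPF softfail (~all) is rated low only because DMARC alignment, not SPF alone, is what causes rejection; with p=none the softfail does nothing.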
Lookalike domain monitoring: Services that alert you when domains similar to yours are registered provide advance notice that a targeting operation may be underway against your firm or your subs. If you learn that sierra-mechanical-grp.com has been registered, you can immediately notify your subs, your accounting team, and your IT provider that a lookalike is in active use.
Process controls on payment and banking changes: The technical controls above reduce exposure; the process control that most reliably stops payment fraud is the out-of-band verification call. Any request to change banking or routing information must be verified by phone using a number from existing records, not the number or email in the request. This single control stops most payment fraud, because an attacker can send an email but cannot answer when your accounting team calls the sub’s number from the existing Rolodex.
Phishing simulation using construction-specific scenarios: Training that uses realistic construction phishing scenarios (not generic examples of misspelled emails) builds recognition for the actual attack patterns being used. Your staff cannot be trained to spot something that has been specifically designed to look legitimate. But they can be trained to follow the process controls (verify payment changes by phone) and to report suspicious activity immediately.
Incident reporting culture: Staff need to know that clicking a suspicious link is not a career-ending event if reported immediately. The faster a click is reported, the more options exist for containment: the email can be quarantined, the credentials can be revoked, the device can be isolated. Fear of reporting is more dangerous than the click itself. If staff hide a click to avoid getting in trouble, the attacker has time to move laterally.
Before acting on any request from a sub that touches money or documents, walk through these checks:
- Does the sender domain exactly match the domain you have on file? Check character by character, not just the display name. One-character differences are a common attack pattern.
- Is this request consistent with the communication pattern you have with this sub? If a sub you have never asked for banking changes suddenly asks to update it, that is unusual.
- Is this a banking or routing change? If yes, stop and call the sub directly on a number from your existing records. Do not use a number or email from the request itself.
- If you are uncertain about any of these, escalate before acting. Do not respond to the email while you verify.
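Both the lookalike-domain monitoring described above and the character-by-character sender check in this list come down to the same comparison, and both are easy to automate. The following is an added example, not tooling from the original post: it generates the lookalike variants of a domain worth watching for in a new-registration feed, and classifies an inbound sender domain against the domains you have on file. The two domains from the scenario (sierramechanical.com and the lookalike sierra-mechanical-grp.com) are reused; every other string is constructed for illustration, and the homoglyph table and suffix list are my own choices, not an exhaustive set.

```python
"""Lookalike-domain helpers: variants to watch for, and a check for inbound senders.

Added example, not tooling from the original post. The two domains from the
post's scenario (sierramechanical.com and the lookalike
sierra-mechanical-grp.com) are reused; every other string here is constructed.
A real monitoring setup would run generate_variants() against a
newly-registered-domains feed or a certificate-transparency log.
"""
from typing import Iterable, List, Optional, Tuple

# Visually confusable spellings mapped to what they imitate (illustrative, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}
ALT_TLDS = ("com", "net", "co", "us", "biz")
SUFFIXES = ("-grp", "-group", "-inc", "-llc", "-co")


def split_domain(domain: str) -> Tuple[str, str]:
    """'Sierra-Mechanical-Grp.com' -> ('sierra-mechanical-grp', 'com')."""
    label, _, tld = domain.strip().lower().rstrip(".").rpartition(".")
    return label, tld


def canonical(label: str) -> str:
    """Collapse hyphens and homoglyphs so lookalike spellings compare equal."""
    label = label.replace("-", "")
    for confusable, real in HOMOGLYPHS.items():
        label = label.replace(confusable, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between canonical labels means a near-typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def generate_variants(domain: str) -> List[str]:
    """Lookalike candidates for a domain you own or a sub you pay."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # dropped character
        if i:
            labels.add(label[:i] + "-" + label[i:])            # inserted hyphen
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swapped pair
    for confusable, real in HOMOGLYPHS.items():
        if real in label:
            labels.add(label.replace(real, confusable, 1))     # homoglyph substitution
    labels.update(label + s for s in SUFFIXES)                  # readable qualifier appended
    labels.discard(label)
    variants = {f"{lb}.{tld}" for lb in labels}
    variants.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)  # same name, other TLD
    return sorted(variants)


def classify_sender(sender_domain: str, domains_on_file: Iterable[str],
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('exact' | 'lookalike' | 'unrelated', matched domain on file)."""
    s_label, s_tld = split_domain(sender_domain)
    known = [split_domain(d) for d in domains_on_file]
    for k_label, k_tld in known:
        if (s_label, s_tld) == (k_label, k_tld):
            return "exact", f"{k_label}.{k_tld}"
    s_canon = canonical(s_label)
    for k_label, k_tld in known:
        k_canon = canonical(k_label)
        # A prefix match catches appended qualifiers ("-grp"); distance catches typos.
        if s_canon.startswith(k_canon) or levenshtein(s_canon, k_canon) <= max_distance:
            return "lookalike", f"{k_label}.{k_tld}"
    return "unrelated", None


if __name__ == "__main__":
    on_file = ["sierramechanical.com"]  # the vendor master record, constructed
    for sender in ("sierramechanical.com", "sierra-mechanical-grp.com",
                   "sierramechanica1.com", "acme-electric.com"):
        print(sender, "->", classify_sender(sender, on_file))
    print(len(generate_variants("sierramechanical.com")), "variants to monitor")
```

The scenario's lookalike is caught by the prefix rule rather than by edit distance, which is the point of canonicalizing first: after hyphens are stripped, sierra-mechanical-grp reads as sierramechanical plus a qualifier. Run classify_sender on the From header domain of every inbound message that mentions W-9, ACH, or routing changes and route anything other than "exact" to the out-of-band call.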
The Honest Assessment of What Technology Can and Cannot Do
No technical control catches 100 percent of targeted spear phishing. DMARC stops domain spoofing. Secure email gateways filter known malicious links and attachments. EDR catches malicious payloads on the endpoint. None of these stop a well-crafted email from a lookalike domain that contains no malicious links, only a request for a wire transfer and some documents.
The goal is layered defense: make it harder to target your firm, detect attempts earlier, and have the process controls in place so that even a successful click does not automatically result in a fraudulent payment. A single click is not a catastrophe if your endpoint protection is running, the staff member reports it immediately, and your incident response process kicks in within the hour. What makes a click catastrophic is when it leads to a payment that has already been processed or credentials that have already been used.
The firms that suffer the most damage from phishing are the ones that discover the attack weeks after it happened, after the wired funds have been moved, and after the attacker has used stolen credentials to access systems that should have been protected. The firms that contain the damage quickly are the ones with immediate reporting channels and process controls that slow down any unauthorized payment or system access.
What This Means for Sacramento-Area Construction Firms
The phishing threat that construction firms face in 2026 is not the mass-market email with a typo in the subject line. It is a targeted, contextually accurate, professionally written message that your most experienced project managers can and do click. That is not a failure of intelligence. It is a function of how good these attacks have become.
The response is not to train people harder to spot something that has been specifically designed not to look suspicious. The response is layered: technical controls that reduce how effectively your firm or your subs can be impersonated, process controls that prevent a click from resulting in a payment, and training that builds recognition for the specific patterns being used against your industry.
If your current phishing training uses examples that look obviously fake, it is not preparing your staff for the attacks they are actually receiving.
Upgrade Your Phishing Defense for How Attacks Work in 2026
Generic training is not enough anymore. Vision Quest builds layered protection for Sacramento construction firms: technical controls, process controls, and incident response that work together so a single click doesn’t turn into a wire transfer or a breach.