I got a phone call from a trades business owner I know who'd just wired $38,000 to a bank account that didn't belong to his lumber supplier. The email had looked right: the supplier's name, the right logo, a familiar email thread format. The only thing different was the account number, buried in a paragraph at the bottom of a professional-looking invoice.
He called the supplier about something else two days later and the fraud came out. The money was gone. The bank couldn't recover it. The police report was filed and went nowhere.
He called me because he needed to talk it through, and the first thing he said was: "I thought we were too small for this to happen to us." That's the exact belief that got him there.
Why Small Means Exposed, Not Safe
The idea that a small business is too small to be worth a criminal's attention is one of the most expensive misconceptions in the trades. It comes from a mental model of hacking that looks like a bank heist — a sophisticated criminal picking a specific vault worth robbing. That's not how most small business fraud works.
Most of it is automated. Bots probe email inboxes and login pages continuously. Phishing kits get deployed across thousands of addresses at once. The crews who specialize in wire fraud build lists of small businesses by scraping supplier relationships from public sources — websites, LinkedIn, permit applications — and send spoofed invoices to every business on the list. A five-person shop with no IT policy isn't off the radar. It's an easier hit than the large enterprise, because the enterprise has a security team and the small shop has a shared password that hasn't changed in three years.
"The small trades company isn't less of a target than the large enterprise. It's an easier one."
The attack that hit my contact isn't rare. Wire fraud through spoofed supplier invoices is one of the most common forms of financial crime aimed at small businesses in Canada right now, and construction and trades companies are overrepresented on the victim list. The volume and frequency of supplier transactions are high, and the verification habits are usually loose. The fraudsters know this. The number of attempts pointed at trades businesses reflects it.
The Three Actual Vulnerabilities
There's a tendency to think about cybersecurity in terms of exotic technology: zero-day exploits, dark-web marketplaces, nation-state actors. That story is mostly irrelevant to a five- to twenty-person trades operation. The vulnerabilities that actually expose a small construction business are mundane, and almost all of them are human.
The first is credential sharing. When the office email password is "company2019!" and that same password opens the banking login, the project management software, and the supplier portal, a single successful phishing attempt hands an attacker the keys to everything. Password reuse is the most underestimated risk in small business security, because it turns one compromised login into a master key.
The second is phishing susceptibility. The emails that catch people aren't obviously fake anymore. They're well-formatted, they reference real vendors and real relationships, and they land at the moment the recipient is busy and not scrutinizing anything carefully. An accounts-payable habit of processing invoices quickly — because that's how you keep suppliers happy — is exactly what a well-timed fake invoice exploits. The job that cost me $22,000 came down to a financial exposure that opened up where a process step got skipped. The same logic applies here: the exposed moment is always the one where the process breaks down.
The third is unprotected devices. A laptop that leaves the job site with no encryption and no remote wipe is a physical breach waiting to happen. Laptops get stolen out of trucks. Phones get lost. A device with unencrypted access to company email and banking is a full credential exposure the moment someone capable gets their hands on it. This one is genuinely easy to fix and almost universally neglected.
"The vulnerabilities that actually expose small trades businesses are mundane. They're not exotic hacks — they're the moments where the process breaks down."
What Actually Fixes It
This is the part that surprises most owners when I walk through it with them: the fixes aren't expensive, they aren't technically complex, and most of them can be done in an afternoon with the right focus.
A password manager — 1Password and Bitwarden are both solid — solves the credential-reuse problem cleanly. Every account gets a unique, strong password. The team doesn't have to remember them; the manager does. Setup takes a couple of hours and the ongoing habit takes seconds per login. The business running on a password manager is not the same risk profile as the business sharing a Google Sheet full of logins, which I have genuinely seen more than once.
Two-factor authentication on email and banking accounts adds a second layer that stops the most common attacks cold. Even if a password leaks, the attacker can't get in without the second factor — usually a code sent to a phone. It takes about fifteen minutes to enable on most platforms and is probably the single highest-ROI security step any small business can take. Not having a system always carries a cost, and it usually lands on the owner — the same slow way the business quietly turns you into its own bottleneck. Two-factor is one case where the downside of no system is unusually clear and unusually financial.
The invoice verification policy is the one I push hardest, because it's the direct defence against wire fraud. The policy is simple: any invoice that arrives by email asking you to pay a new account — or any payment instruction that deviates from your normal pattern with a supplier — gets verified by a phone call to the supplier using a number from your existing records. Not the number in the email. Not a reply to the email chain. A call to the supplier's known number. That call takes two minutes and it is definitive protection against the exact attack that hit my contact for $38,000.
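Here is that policy written down as a pre-payment check, an added example rather than the author's own code or any accounting product's feature. The supplier names, domains, account numbers, phone numbers and amounts are constructed; the one rule the code enforces is that the callback number comes from your own records, never from the email.

```python
# Added example, not from the original post: the invoice verification policy
# as a pre-payment check against the supplier record on file. Sample data is
# constructed; the callback number always comes from your records, never the email.
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    email_domain: str    # domain this supplier has always sent from
    bank_account: str    # account used on prior, verified payments
    phone_on_file: str   # number from your own records, not from any email
    usual_max: float     # largest invoice you normally see from them

@dataclass(frozen=True)
class Invoice:
    supplier: str
    sender_email: str
    bank_account: str
    amount: float
    callback_phone: str  # whatever number the invoice itself lists

# Constructed vendor master; in practice this lives in the accounting system.
SUPPLIERS = {
    "Northshore Lumber": Supplier("northshorelumber.example",
                                  "003-4471-889", "+1-604-555-0142", 25_000.0),
}

def review_invoice(inv: Invoice) -> dict:
    """Decide pay / verify_by_phone / reject; the call number is always the one on file."""
    sup = SUPPLIERS.get(inv.supplier)
    if sup is None:
        return {"decision": "reject", "reasons": ["unknown supplier"], "call": None}
    reasons = []
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain != sup.email_domain:
        reasons.append(f"sender domain {domain!r} is not {sup.email_domain!r}")
    if inv.bank_account != sup.bank_account:
        reasons.append("bank account differs from the account on file")
    if inv.callback_phone != sup.phone_on_file:
        reasons.append("callback number in the email is not the number on file")
    if inv.amount > sup.usual_max:
        reasons.append(f"amount {inv.amount:,.2f} exceeds the usual maximum")
    decision = "verify_by_phone" if reasons else "pay"
    return {"decision": decision, "reasons": reasons, "call": sup.phone_on_file}

# Constructed samples: a routine invoice and a redirected one like the $38,000 case.
ROUTINE = Invoice("Northshore Lumber", "ar@northshorelumber.example",
                  "003-4471-889", 9_800.0, "+1-604-555-0142")
REDIRECTED = Invoice("Northshore Lumber", "ar@northshore-lumber.example",
                     "771-2209-015", 38_000.0, "+1-604-555-0199")
```

Any invoice that comes back as `verify_by_phone` is held until someone has rung the `call` number and confirmed the new details; a lookalike sender domain, a changed account, a new "call us" number and an unusual amount are each enough on their own to trigger the hold.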
Encrypted devices with remote wipe are the last piece. On company phones this is usually already handled if you're on a modern iPhone or Android with a PIN and remote find turned on. On laptops it means turning on BitLocker (Windows) or FileVault (Mac). Both are built into the operating system. Both are off by default. Turning them on takes five minutes.
The Team Conversation You're Avoiding
The part most owners skip is having the actual conversation with their team. Software won't fix people problems, and cybersecurity is mostly a people problem. The password manager is useless if half the crew isn't using it. The invoice verification policy doesn't protect you if the person who processes invoices doesn't know it exists or has never been shown what a spoofed invoice looks like.
This doesn't have to be a formal training session. It needs to be a thirty-minute conversation with whoever touches email, invoices, and payments, where you walk through what phishing looks like in practice, show an example of a spoofed invoice (they're easy to find publicly), and make clear that verifying a payment by phone before it goes out is not optional — even when the request looks legitimate. Especially when it looks legitimate. Done right, that becomes one of the standards your crew actually operates by instead of a policy nobody remembers.
If it lives in someone's head, it's a risk — and a security policy that exists only in the owner's head is no policy at all. Write it down. Put it where the people who need it can find it. Make it part of onboarding for anyone who will ever touch company money.
The Version Without the Afternoon Investment
I want to be honest about what happens if you don't do this work. Not as a scare tactic — because the math is clarifying.
The owner who lost $38,000 would have happily spent an afternoon setting up a password manager and briefing his team on invoice verification. He'd have happily spent five dollars a month per user on 1Password. He'd have happily spent thirty minutes on a team conversation about phishing. He didn't do any of it, because he didn't think he was a target and because none of it felt urgent until it was far too late.
The core steps take less than an afternoon. What they require is treating the risk as real before the incident instead of after it. The same logic applies to any system worth building: the ones that protect you are only valuable when they're in place before you need them, not after.
The Bottom Line
You don't need a managed security service. You don't need a dedicated IT department. You need four things: a password manager, two-factor authentication on your critical accounts, a clear invoice verification policy, and encrypted devices with remote wipe enabled. Those four things cost almost nothing to put in place and they address the attack vectors that actually hit small trades businesses.
The contractor who loses $40,000 to a spoofed supplier invoice will tell you the afternoon would have been worth it. Take the afternoon before you're the one saying that. If you want to talk through a practical security checklist for your specific operation, that's the kind of operational conversation I have regularly with trades and construction owners through my construction business coaching.
Get The Builder's Playbook in your inbox
A short note from Eddy with a link to each new post — every two weeks, nothing else.