APRIL IS OVER. THE SCAMS DIDN'T LEAVE WITH IT.
April Fool's jokes disappear overnight.
The mistakes that shut down jobsites don't.
Spring is when construction moves faster. More subcontractors. More invoices. More files moving between the trailer and the office. Phones buzzing while someone's walking a site trying to keep work moving.
That speed is exactly what today's scams are built for.
If your security depends on people always slowing down, spotting the trick, and making the perfect decision under pressure, you don't have a people problem.
You have a control problem.
And every control has an owner.
THE NEAR-MISS THAT SHOWS WHERE THIS ACTUALLY BREAKS
Earlier this spring, a Utah construction firm narrowly avoided a full account takeover.
A project manager received an email saying a document was ready for review. It referenced a real project. The timing made sense. The message looked professional. He clicked and entered his login.
Within minutes, someone attempted to access the company's cloud system from another state.
The only reason it didn't turn into a shutdown was that one control happened to be enforced: the login required approval from a known company device. The attacker was stopped automatically.
No training saved them.
No "good instincts" saved them.
One enforced control did.
That same scenario turns into a breach every week when that control doesn't exist or no one owns it.
SCAM ONE: THE TOLL, PARKING, OR "SMALL FEE" TEXT
A superintendent gets a text saying they owe a small toll or parking balance. Six dollars. A real-sounding system name. Perfect timing between meetings.
They tap, pay, and move on.
Except the link wasn't real.
What actually failed wasn't awareness. It was that company phones had no enforced rules about what links could be opened or where payments could happen.
The control that stops this is simple: a written rule that no payments ever happen through text links, enforced on company phones using mobile device management. That software limits what sites and apps company devices can access so one rushed tap can't cause damage.
Finance owns the rule.
IT owns enforcement.
When no one owns it, the scam wins.
SCAM TWO: "YOUR FILE IS READY"
This hits project managers constantly.
An email says a contract, change order, or signature request was shared. The sender name looks right. The formatting looks right.
They click. They log in.
Now someone else has their credentials.
The failure point is open external file sharing combined with weak or inconsistent multi-factor authentication.
The control that stops it is conditional access, meaning logins are only allowed from approved devices and locations, paired with email filtering that quarantines unexpected file-share notifications.
IT owns the technical enforcement.
Operations owns the rule that unexpected files get opened by logging into the platform directly, never from the email.
SCAM THREE: THE EMAIL THAT'S WRITTEN TOO WELL
Modern phishing doesn't look sloppy anymore.
It's calm. Professional. Specific.
Finance receives payment change requests. HR receives verification notices. Everything looks routine until money or data is gone.
The break happens anytime money, credentials, or sensitive data are approved using email alone.
The control that stops it is a second-channel verification requirement: a phone call or in-person confirmation before any payment or banking change.
Finance owns verification.
Leadership enforces compliance.
THE MINIMUM ACCEPTABLE SETUP WITH NAMED OWNERS
This is not a wish list. This is the floor.
No payments or credential entry through text links, owned by Finance for the rule and IT for enforcement.
Company mobile devices actively managed and restricted, owned by IT.
External file sharing restricted by default, owned by IT.
Multi-factor authentication enforced with device and location checks, owned by IT.
Second-channel verification required for payment or data changes, owned by Finance.
Alerts enabled for unusual logins and new devices, owned by IT.
If any item has no named owner, that risk is active, not theoretical.
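The two technical items in that list, conditional access (Scam Two) and alerts for new or unusual logins, are easiest to understand as a policy applied to every sign-in. The following is an added example written for this page; it is not code from the article or from 911 IT, and it does not reproduce any vendor's real conditional-access product. The managed-device inventory, the approved states, the user names, the key=value sign-in log format and every log line are constructed sample data. The third log line mirrors the near-miss described above: a valid password and even a passed MFA prompt, but an unmanaged device and a login from another state.

```python
"""Added example: a toy model of two controls the article names, conditional
access (logins allowed only from approved company devices and locations) and
alerts for new devices and unusual logins. Not code from the article or from
911 IT. Device ids, users, states, the log format and every log line below are
constructed sample data."""
from dataclasses import dataclass, field

# Constructed inventory: managed company device id -> the user it is enrolled to.
MANAGED_DEVICES = {
    "pm-laptop-01": "p.manager",
    "super-phone-07": "s.super",
}
# Constructed footprint: states the company actually operates in.
APPROVED_LOCATIONS = {"UT", "ID"}

# Constructed sign-in log in a simple 'ts key=value ...' format (an assumption,
# not any vendor's real format). Line 3 mirrors the near-miss in the article:
# valid password, MFA satisfied, but an unmanaged device in another state.
SAMPLE_LOG = """\
2025-04-14T08:02:11Z user=p.manager device=pm-laptop-01 loc=UT mfa=ok ip=10.20.0.5
2025-04-14T08:05:40Z user=s.super device=super-phone-07 loc=ID mfa=ok ip=10.20.0.9
2025-04-14T08:09:03Z user=p.manager device=unknown-4f2a loc=TX mfa=ok ip=203.0.113.44
2025-04-14T08:11:27Z user=s.super device=super-phone-07 loc=UT mfa=fail ip=10.20.0.9
"""


@dataclass
class SignIn:
    ts: str
    user: str
    device: str
    loc: str
    mfa_ok: bool
    ip: str


@dataclass
class Decision:
    ts: str
    user: str
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)


def parse_line(line: str) -> SignIn:
    """Parse one constructed 'ts key=value ...' log line into a SignIn."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return SignIn(ts, kv["user"], kv["device"], kv["loc"], kv["mfa"] == "ok", kv["ip"])


def evaluate(ev: SignIn, seen: dict[str, set[str]]) -> Decision:
    """Conditional-access policy: allow only when the device is a managed device
    enrolled to this user, the location is inside the footprint, and MFA passed.
    Alerts are raised whether or not the login is blocked, so IT sees attempts,
    not just successes."""
    d = Decision(ev.ts, ev.user, allowed=True)
    owner = MANAGED_DEVICES.get(ev.device)
    if owner is None:
        d.allowed = False
        d.reasons.append("unmanaged device")
        d.alerts.append(f"{ev.ts} ALERT unmanaged device {ev.device} used for {ev.user} from {ev.ip}")
    elif owner != ev.user:
        d.allowed = False
        d.reasons.append("device enrolled to another user")
        d.alerts.append(f"{ev.ts} ALERT {ev.user} signed in from {ev.device} enrolled to {owner}")
    if ev.loc not in APPROVED_LOCATIONS:
        d.allowed = False
        d.reasons.append("location outside footprint")
        d.alerts.append(f"{ev.ts} ALERT unusual location {ev.loc} for {ev.user} from {ev.ip}")
    if not ev.mfa_ok:
        d.allowed = False
        d.reasons.append("MFA not satisfied")
    # First sight of a (user, device) pair gets a notice even when allowed: that
    # is the "new device" alert the article asks IT to have enabled.
    known = seen.setdefault(ev.user, set())
    if ev.device not in known:
        known.add(ev.device)
        if d.allowed:
            d.alerts.append(f"{ev.ts} NOTICE first successful login from {ev.device} for {ev.user}")
    return d


def process_log(text: str) -> list[Decision]:
    """Evaluate every line of a sign-in log in order, tracking devices seen per user."""
    seen: dict[str, set[str]] = {}
    return [evaluate(parse_line(l), seen) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for d in process_log(SAMPLE_LOG):
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{d.ts} {d.user:<10} {verdict} {', '.join(d.reasons)}")
        for a in d.alerts:
            print("   ", a)
```

Running the file shows the third line blocked with two alerts even though the password and MFA check passed, which is the article's point: the enforced device requirement stopped the attempt, not the user. In a real deployment the device inventory and location list come from the identity platform and MDM, and the alerts feed whatever log the executive asks IT to produce.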
HOW THIS WILL BE JUDGED WHEN SOMETHING GOES WRONG
When an insurer, auditor, or attorney reviews a breach, they don't ask whether your employee meant well.
They ask who owned the control, whether it was documented, whether it was enforced, and why one click had the power to cause damage.
Security is judged on controls, not intentions.
HOW AN EXECUTIVE VERIFIES THIS IS ACTUALLY DONE
You don't need to understand the technology. You need proof.
Ask IT to show you a list of company phones that are actively restricted, a screenshot of login requirements tied to approved devices, a written payment-verification rule with named owners, a log showing alerts for new or unusual logins, and confirmation that external file sharing is limited by default.
If they can't show it, it doesn't exist.
WHAT TO DO IN THE NEXT SEVEN DAYS
Pick one real workflow such as invoice approvals, file sharing, or company phones.
Walk through it using the minimum setup above. Assign owners. Fix one gap this week.
Do not turn this into training.
Turn it into enforcement.
DIRECT ACTION
Fix this now.
Reach out to 911 IT right now and verify these controls before one rushed click turns into a job shutdown. This is straightforward, fast, and prevents much bigger problems later.
