The Phishing Emails Targeting Architecture and Engineering Firms
Fake Autodesk invoices, impersonated vendors, and wire fraud requests are aimed at small AEC offices specifically. Staff don’t recognize them because they look legitimate.

The email looks normal. An Autodesk invoice that needs paying. A note from a consultant you work with, asking you to update their bank details. A quick message from the owner: “Can you wire this today? I’m in a meeting.” Nothing about it screams danger. So someone clicks, or pays, and the money is gone.
This is not random spam. Attackers aim these emails at small architecture and engineering offices on purpose. They know your firm moves real money, trusts its vendors, and does not have a security team. That makes you a good target.
Here is the short version. Small AEC firms get hit with phishing emails built to look like the real thing: fake Autodesk invoices, messages from impersonated vendors asking you to change payment info, and urgent wire requests that look like they came from your boss. They work because they look legitimate, not because your staff is careless. The defense is simple but firm: slow down on anything involving money, verify payment changes by phone using a number you already have, turn on MFA everywhere, and make “we always call to confirm” a rule. Proactive habits beat one expensive mistake.
Let us walk through the scams you are most likely to see, how to spot them, and what to do.
Why your firm is a target
First, the honest part. You might think your firm is too small to bother with. The opposite is true. Attackers go after small firms on purpose, because small firms move real money and rarely have strong defenses. You are a small fish, but the pond is full of people fishing.
Architecture and engineering firms are hit especially hard. You pay consultants, vendors, and subs. You send and receive invoices all day. You trust the people you work with. Attackers know all of that, and they use it. This is what we call business email compromise (BEC, scams that use fake or hacked email to trick a firm into sending money or data). It is one of the costliest scams out there, and construction and engineering are among the most targeted.
So this is not a knock on your team. It is the reality of being a firm that handles money in an industry criminals have learned to mimic.
Scam 1: The fake Autodesk invoice
This is the one almost every firm sees. An email shows up that looks like it is from Autodesk. An invoice is due. Your subscription needs renewing. Click here to pay or your software stops.
Here is how it tricks people. It uses the Autodesk name and look. It creates urgency, because nobody wants Revit to shut off mid-deadline. And it sends you to a fake page that either steals your login or takes a payment.
For example, let’s say the email says “Your invoice is ready for review” with a button or a QR code. You click, and you land on a page that looks like a Microsoft or Autodesk sign-in. You type your password. Now the attacker has it. That fake-login trick is the heart of most of these. Autodesk itself warns about these scams and says it only contacts you through official channels.
The tells. Pressure to pay right now. Payment by wire, gift card, or crypto. A deal or discount that is not on the real Autodesk site. A link or QR code instead of your normal account page. You should never pay or log in from an email link. Go to your Autodesk account directly, in your own browser, and check there.
Scam 2: The impersonated vendor and the changed bank account
This one is quieter and more expensive. It targets the way your firm pays the people it works with.
Here is the play. A vendor, consultant, or sub you already work with sends an email: “We’ve updated our banking. Please send future payments to this new account.” The email looks like it came from your real contact. The logo is right. The tone is right. So accounting updates the account and pays the next invoice. The money goes straight to the attacker.
Sometimes the attacker has actually broken into the vendor’s email, so the message really does come from their address. Sometimes they just imitate it with a lookalike. Either way, the request feels normal, because changing bank info does happen in real business.
This is the scam that drains the most money from firms like yours, because the amounts are large and the request looks routine. You should treat any change to payment details as a stop sign, every single time.
Scam 3: The urgent request from the “owner”
The third one preys on hierarchy and helpfulness. An email or text comes in that looks like it is from the owner or a principal. “I need you to wire this today. I’m tied up and can’t talk. Keep it between us for now.”
It works because people want to help the boss, and the urgency shuts down second-guessing. The “keep it quiet” part is the giveaway. It is designed to stop the one thing that would catch it: a quick check with someone else.
For example, let’s say a new bookkeeper gets this on a Friday afternoon. The boss is “unreachable.” The request is urgent and confidential. That pressure is the whole trick. A real owner will not mind a phone call to confirm. An attacker is counting on you not making one.

How to spot them: the common threads
You do not need to memorize every scam. They share a handful of signs.
They push urgency. Pay now, sign now, before something bad happens. Real business rarely needs you to skip every check.
They involve money or logins. A payment, a bank change, a password, a sign-in. Anything touching money or access deserves a second look.
They change the normal process. A new account, an unusual payment method, a link instead of your usual portal, a request to keep it quiet.
They lean on trust. They wear the face of a brand you use, a vendor you know, or a boss you answer to. The familiarity is the weapon.
When you see those threads together, slow down. Urgency plus money plus a changed process is the shape of almost every one of these.
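For whoever runs the firm's mail, the same threads can be checked mechanically before a person ever reads the message. The sketch below is an added example, not part of the original article or any vendor's tooling: it flags a lookalike sender domain, a Reply-To that points somewhere else, and the urgency-plus-money-plus-changed-process combination. The domains, the sample message and the word lists are constructed assumptions, and it handles plain-text, single-part messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The article's common threads as patterns; word lists are illustrative assumptions.
THREADS = {
    "urgency": r"\b(today|urgent|immediately|right now|asap)\b",
    "money_or_login": r"\b(wire|invoice|payment|bank|password|sign[- ]?in)\b",
    "changed_process": r"\b(new account|updated our banking|keep it between us|qr code|gift card)\b",
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, trusted_domains):
    """Return the reasons this message needs a phone call before anyone acts."""
    msg = message_from_string(raw)
    flags = []
    sender = domain_of(msg["From"])
    if sender not in trusted_domains:
        near = [d for d in trusted_domains if edit_distance(sender, d) <= 2]
        flags.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append("reply-to differs from sender")
    body = msg.get_payload().lower()  # assumes a plain-text, single-part message
    hits = [name for name, pat in THREADS.items() if re.search(pat, body)]
    if len(hits) == 3:
        flags.append("urgency + money + changed process")
    return flags

# Constructed sample, not a real message; note the digit 1 in the sender domain.
SAMPLE = """From: Pat Lee <pat@examp1e-structural.com>
Reply-To: pat.lee@mailbox.example
Subject: Updated remittance details

We've updated our banking. Please send today's payment to the new account.
"""
TRUSTED = {"example-structural.com", "autodesk.com"}
```

A message that raises no flag can still come from a vendor mailbox that was actually broken into, so this narrows what staff look at and does not replace the callback.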
What to do about it
Here is the plan. None of it is complicated, and together it stops nearly all of these.
Verify payment changes by phone, always. This is the big one. Any request to change bank details or send an unexpected wire gets confirmed by a phone call, using a number you already have for that person, not the number in the email. This is what we call a callback rule, and it is the single best defense against vendor and wire fraud. Make it a firm policy, not a judgment call.
Turn on MFA everywhere. Multifactor authentication (MFA, a second step to log in beyond your password) means a stolen password is not enough to get into your email or accounts. If an attacker phishes a password, MFA still blocks them. We cover this in our post on what small firms get wrong about passwords.
Never log in or pay from an email link. Go to the real site yourself, in your own browser. For Autodesk, open your account directly. For a bank, type the address you know. Links and QR codes in emails are how the fake pages get you.
Slow down on anything urgent about money. Urgency is the trick. You should give yourself permission to pause, check the sender’s real email address, and confirm before acting. A five-minute delay has never lost a firm a real deal. It has saved many from a fake one.
Train the whole team, and make it safe to ask. Everyone who touches email or money should know these three scams. And nobody should ever feel dumb for double-checking. The firms that get burned are the ones where people were afraid to question an “urgent” request.
If money already moved, act fast. Time matters. Call your bank immediately to try to stop or claw back the transfer, and report it to the FBI at ic3.gov. Reporting a fraudulent wire within about 72 hours gives the best chance of recovering the funds.
We will help you shut these down
You should not have to be a security expert to keep your firm’s money safe. The fixes here are mostly habits and a few settings: MFA turned on, email filtering that catches the fakes, and a simple callback rule everyone follows. The hard part is setting it up right and making it stick.
We help small architecture and engineering firms around Knoxville lock down email, turn on the right protections, and train staff to spot these scams. So your team can focus on the work, not on second-guessing every invoice.
If these emails are showing up in your inboxes, give us a call. We will tighten things up before one of them costs you. For the bigger security picture, see our post on answering a cyber insurance questionnaire.
Key takeaways
- Small AEC firms are targeted on purpose with three main scams: fake Autodesk invoices, impersonated vendors asking you to change bank details, and urgent wire requests that look like they came from the owner. They work because they look legitimate, not because your staff is careless.
- They share a pattern: urgency, something involving money or logins, a changed process, and a trusted face. When you see those together, stop and verify before you act.
- The defense is mostly habits. Confirm every payment change by phone using a number you already have, turn on MFA, never pay or log in from an email link, and if money already moved, call the bank and report to ic3.gov within 72 hours.
Sources: FBI: Business Email Compromise, Autodesk Security Advisory: General Scam Warning (2025), Top Industries Vulnerable to Business Email Compromise in 2025 (StrongestLayer)

