In June 2025, UK police exposed a sophisticated new scam that weaponised ordinary technology. A man driving a black Honda CR-V in London had concealed an SMS blaster in his boot – a device that mimics a mobile phone tower to send thousands of fraudulent texts at once. The messages looked as though they came from HM Revenue & Customs, urging recipients to click a link to claim a tax refund. Victims who trusted the text found themselves handing over personal data and financial details directly to criminals. (The Guardian)

This type of attack is known as smishing – SMS phishing and it is spreading quickly worldwide. Unlike email phishing, which many firms now filter effectively, smishing bypasses those defences and strikes where people feel most secure: their personal and work phones. For AECMM firms, where mobile devices are critical for coordinating suppliers, contractors, and teams across job sites, the implications are serious. A single malicious text could trigger a fraudulent payment, derail a delivery schedule, or compromise sensitive project data.

The good news is that these risks can be managed. Just as every job site has a well-stocked kit of tools to get the work done safely and efficiently, businesses can prepare a toolbox for cyber defence. With the right tools in place, firms can spot smishing attempts early, protect staff from costly mistakes, and keep projects moving without disruption.

Smishing Protection: Why It’s Critical for AEC Firms

Smishing works because it feels personal. The text arrives directly in your pocket, looks legitimate, and often carries a sense of urgency. In AEC firms, where mobile phones are lifelines on-site and, in the office, the consequences can be severe:

Financial disruption: A fake invoice text could trick an accounts officer into sending funds to the wrong account.

Project delays: False delivery notifications or supplier messages can confuse schedules and push deadlines back.

Intellectual property theft: Clicking a malicious link could expose designs, BIM models, or sensitive client data.

This isn’t about employees being careless – it’s about scammers exploiting trust and pressure. That’s why Smishing Protection needs to be a priority, not an afterthought.

Building Your Cyber Defence Toolbox for Smishing Protection

Just as no project begins without the right tools on site, no AEC firm should operate without a toolbox for cyber defence. Here’s what that toolbox should contain:

Awareness Training

Show staff real examples of smishing texts. Emphasise that anyone can be caught out, and questioning an unexpected message is a strength, not a weakness.

Mobile Device Management (MDM)

Secure all company and BYOD devices. Use MDM tools to disable unsafe network connections, enforce encryption, and remotely wipe compromised devices.

Multi-Factor Authentication (MFA)

Protect email, finance, and project platforms with MFA. Even if a password is stolen via smishing, MFA keeps attackers out.

Clear Communication Protocols

Make it policy: no payments, project changes, or sensitive updates are ever sent or approved by SMS. That clarity removes the grey areas scammers rely on.

Incident Response Plan

Have a documented process ready. Who to call, how to isolate the device, and what steps to take to protect project data and finances.

Like any toolbox, these defences need regular maintenance – updating software, running smishing simulations, and revising policies based on emerging threats.

Staying Ahead of Smishing and Other Scams

The reality is cybercriminals don’t sit still. They constantly evolve their tactics, making smishing protection and broader cyber defence a moving target. Staying ahead requires vigilance, regular updates, and industry-specific awareness.

For AECMM firms juggling global projects and complex supply chains, keeping up with every scam trend isn’t easy. That’s where NexSys can help – building and maintaining the right cyber defence toolbox so your business can focus on delivering projects, not fighting scams. Contact us today to get started.

Smishing isn’t just another buzzword – it’s a direct threat to your timelines, budgets, and reputation. The UK SMS scam proved how quickly one text can unravel trust. The lesson for AEC firms is clear: act now, equip your team with the right Smishing Protection, and keep your projects moving forward.