Defend · For GCs
The "subcontractor banking change"
isn't your sub.
General contractors run the highest dollar volume and the most sub-vendor relationships in the trades — which makes you the highest-value BEC target. Email accounts of legitimate subs are the most common attack vector: an attacker compromises one sub's inbox, watches for an active job, then asks the GC to "update banking for next draw." If the GC has no callback rule, the entire draw goes to the attacker.
GCs touch the most subs — which is also the most attack surface.
Real-pattern incident · General contracting
Real-pattern: compromised sub's email, $76k draw
The setup
GC running a multi-family build with eight active subs. Drywall sub is on a $76k draw schedule, one draw remaining.
The bait
Email comes from the actual sub's real address (compromised by attacker via prior phishing). "Hey, we just switched banks — here's the new wire info for the final draw, send tonight if possible because I owe my crew Friday." Tone, signature, and email history all check out.
Why it works
The email IS legitimate — sent from a compromised real account. Email auth (SPF/DKIM/DMARC) all pass because it really is the sub's server. The only defense is a phone call to the sub's known number before any banking change.
The one-line BCL rule
Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.
Part 1
Phishing teardown — 3 real attacks.
Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details changed — the patterns unchanged. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.
Part 2
60-minute incident containment.
The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.
Send it to me
Drop your email, get the pack.
Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers. Trust scorecard.
If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.
Want the live audit?
We'll send a fake "Joe Mendez" to your real AP person.
For GCs that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.