Defend · For HVAC shops
The "service-truck financing" call isn't from your bank.
HVAC shops carry equipment financing — service trucks, refrigerant inventory, RTUs on hand. Attackers know that, and the call usually comes in seasonally: in spring, when shops are buying for the cooling rush, or in fall for heat-pump season. Voice-clone fraud impersonating the equipment vendor or the equipment financier is the new pattern. The "verify your wire" call is the tell.
Voice clones cost $5. Wire fraud at HVAC scale costs $20k+.
Real-pattern incident · HVAC
Real-pattern: voice-clone "wire verification" ($22k)
The setup
Mid-size HVAC company. Just placed a $22k order for two compressor units from a regular vendor; wire was set to send Friday morning.
The bait
Thursday afternoon, owner gets a call from a man whose voice sounds exactly like the vendor's sales rep — name, accent, mannerisms. "Hey, real quick, our finance team flagged it — can you re-send the wire to this updated routing number? Old account is being audited."
Why it works
Voice cloning costs the attacker $5 and some public LinkedIn audio. The owner's habit is to trust the rep. Without a callback to the known number, the wire goes to the attacker.
The one-line BCL rule
Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.
Part 1
Phishing teardown — 3 real attacks.
Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details changed — the patterns unchanged. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.
Part 2
60-minute incident containment.
The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.
Send it to me
Drop your email, get the pack.
Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers.
If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.
Want the live audit?
We'll send a fake "Joe Mendez" to your real AP person.
For HVAC shops that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.