Blue Collar Labs

Defend · For landscape & hardscape shops

The "deposit confirmation" PDF
wasn't sent by your customer.

Landscapers and hardscape crews live on customer deposits — 30–50% upfront for a paver job, a tree removal, a spring cleanup. Residential customer email accounts are the easiest target on the internet: no MFA, weak passwords, never patched. Attackers compromise the customer first, then pivot to your shop. By Friday your own inbox is sending "we changed banks" notes to every active customer you have.

Customer-side compromise → contractor pivot. The supply-chain attack of small-shop trades.

Real-pattern incident · Landscaping

Real-pattern: customer-pivot deposit malware ($14k crew payroll lost)

The setup

NJ hardscape shop, 7-person crew, peak-season deposits arriving daily. Owner manages deposits and customer comms from a personal Gmail on the truck phone.

The bait

Email from a real customer (whose Gmail was compromised the prior week) with subject "Deposit confirmation" and a PDF attachment. The PDF carries a credential-harvesting login page. Owner opens it on the phone. Two days later the owner's Gmail is sending fake "we changed banks" notes to every active customer the shop has worked with this season.

Why it works

Residential email accounts are softer than any commercial target. Attackers don't bother with the contractor — they pivot through the customer. The contractor's shop becomes the next hop, and the customer list becomes a phishing list.

The one-line BCL rule

Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.

Part 1

Phishing teardown — 3 real attacks.

Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details changed — the patterns unchanged. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.

Part 2

60-minute incident containment.

The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.

Send it to me

Drop your email, get the pack.

Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers. Trust scorecard.

If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.

By submitting you agree we can email you free BCL resources. We use Notion to store the list and Netlify to receive submissions.

Want the live audit?

We'll send a fake "Joe Mendez" to your real AP person.

For landscape & hardscape shops that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.

Request a free phishing audit →