Defend · For mechanical & auto shops
The "parts core charge refund" isn't from NAPA.
Auto and mechanical shops move serious parts volume — NAPA, WORLDPAC, AutoZone Commercial, O'Reilly First Call. Core charges, returns, and warranty credits flow back constantly, and the office rarely reconciles in real time. Attackers send fake "core refund" or "warranty credit" emails that ask the shop to "verify the bank account for the refund." The number on the refund line is real-looking; the routing instructions go to the attacker.
Inbound-money lures bypass every "verify the wire" instinct your AP team has.
Real-pattern incident · Mechanical / auto
Real-pattern: spoofed core-charge refund ($9.6k)
The setup
Independent mechanical shop in NJ, 4 bays, weekly parts orders from NAPA and WORLDPAC. Owner is also the office — checks email between jobs.
The bait
Email Tuesday at 11:47 AM from "ar-credits@napa-refunds.com" (real domain is napaonline.com). "Your account has $9,640 in approved core/warranty credits. Confirm the bank routing for ACH refund." A real-looking PDF statement is attached, with line items pulled from the shop's actual NAPA invoices (scraped from a prior compromised shop in the area).
Why it works
Mechanical shops genuinely have core/warranty credits flowing back. The dollar figure is plausible. The "confirm your bank" ask doesn't scan as outbound fraud — it scans as inbound money. The owner clicks; the attacker harvests banking credentials and pivots to outbound wire fraud the next month.
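An added example, not from the original page, of how a shop's mail filter could surface exactly this pattern: it checks whether a message that invokes a vendor name actually comes from that vendor's real domain, and flags the inbound-money lure paired with a "confirm your bank" ask. The vendor list (only NAPA's domain, taken from the incident above) and both sample emails are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Real vendor domains the shop trusts. Assumption: the shop fills this in from
# its own invoices; only the NAPA entry is taken from the incident write-up.
VENDOR_DOMAINS = {"napa": "napaonline.com"}

# "confirm/verify/update ... bank/routing/ACH/account" within a short window
BANKING_CHANGE = re.compile(
    r"\b(confirm|verify|update)\b.{0,40}\b(bank|routing|ach|account)\b", re.I | re.S)
# Words that make the message read as money coming IN rather than going out
INBOUND_MONEY = re.compile(r"\b(refunds?|credits?|core charges?|warranty)\b", re.I)

def check_email(raw: str) -> dict:
    """Return the sender domain and the reasons (if any) this message should be held."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []
    # Vendor name used in the sender domain or the text, but the domain is not the vendor's
    for name, real in VENDOR_DOMAINS.items():
        if (name in domain or name in text.lower()) and domain != real \
                and not domain.endswith("." + real):
            reasons.append(f"sender domain {domain!r} is not {name}'s domain {real!r}")
    if BANKING_CHANGE.search(text):
        reasons.append("asks to confirm/verify/update bank routing or account")
        if INBOUND_MONEY.search(text):
            reasons.append("inbound-money lure: refund/credit paired with a banking change")
    return {"sender_domain": domain, "flag": bool(reasons), "reasons": reasons}

# Constructed sample: the lure from the incident above
SAMPLE_LURE = """From: AR Credits <ar-credits@napa-refunds.com>
Subject: $9,640 approved core/warranty credits

Your account has $9,640 in approved core/warranty credits.
Confirm the bank routing for ACH refund.
"""
# Constructed sample: a routine statement from the real domain, no banking ask
SAMPLE_LEGIT = """From: NAPA AR <ar@napaonline.com>
Subject: Monthly statement

Attached is your monthly statement. Core credits were applied to your account.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(check_email(sample))
```

Hold anything that flags and route it through the phone-callback rule; the filter is a tripwire, not a decision.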
The one-line BCL rule
Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.
Part 1
Phishing teardown — 3 real attacks.
Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details changed — the patterns unchanged. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.
Part 2
60-minute incident containment.
The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.
Send it to me
Drop your email, get the pack.
Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers. Trust scorecard.
If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.
Want the live audit?
We'll send a fake "Joe Mendez" to your real AP person.
For mechanical & auto shops that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.