Defend · For plumbing shops
The "permit fee" that lands at 5 PM isn't from the township.
Plumbing shops pull a lot of municipal permits — backflow, water service, sewer, gas. Every permit has a public record. Attackers scrape those records and send fake "additional fee" or "amended permit" emails timed to land right when the office is wrapping up. The pressure is "the inspector won't come tomorrow if this isn't paid tonight."
Public permit data + end-of-day pressure = a near-perfect lure.
Real-pattern incident · Plumbing
Real-pattern: fake "amended permit fee" ($4.2k)
The setup
Family-run plumbing shop in NJ. Three open permits at a township for a residential repipe job, all listed in the public permit portal.
The bait
Email at 4:51 PM from "plumbing-permits@mendham-twp-billing.org" (real township uses .gov), referencing the actual permit number. "Inspector flagged a missing pressure-test fee, $4,200, pay tonight or inspection rescheduled to next month." A Stripe-looking link that goes to an attacker-controlled page.
Why it works
The permit number is real, the township is real, and the timing creates job-stop pressure. The owner pays personally to keep the schedule. The fee was never owed.
The one-line BCL rule
Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.
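The tells in the bait above (a sender domain that is not the township's .gov, an off-site payment link, a same-day deadline, arrival at close of business) can be checked mechanically before anyone pays. This is an added example, not part of the original page; the agency list, the official-domain placeholder, the link URL and the 4 PM to 7 PM window are assumptions.

```python
import re
from datetime import datetime
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the shop keeps its own list of agencies it pulls permits from.
# The official domain is a placeholder; the page only says the real one is .gov.
KNOWN_AGENCIES = {"mendham": "township-domain-placeholder.gov"}
URGENCY = re.compile(r"\b(tonight|today|immediately|rescheduled|final notice)\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,]*")
URL = re.compile(r"https?://[^\s\"'>]+")
CLOSE_OF_DAY = range(16, 19)  # 4 PM to 6:59 PM, assumed office wind-down window

def permit_email_tells(from_header, body, received):
    """Return the list of tells found in one message (empty list = none)."""
    tells = []
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    for keyword, official in KNOWN_AGENCIES.items():
        on_official = domain == official or domain.endswith("." + official)
        if keyword in domain and not on_official:
            tells.append(f"lookalike sender domain: {domain}")
    hosts = {urlparse(u).hostname or "" for u in URL.findall(body)}
    off_site = sorted(h for h in hosts if h not in KNOWN_AGENCIES.values())
    if MONEY.search(body) and off_site:
        tells.append("payment link off the agency site: " + ", ".join(off_site))
    if MONEY.search(body) and URGENCY.search(body):
        tells.append("fee demand with a same-day deadline")
    if received.hour in CLOSE_OF_DAY:
        tells.append("arrived at close of business")
    return tells

# Constructed sample modelled on the email described above; the link is made up.
SAMPLE_FROM = '"Permit Office" <plumbing-permits@mendham-twp-billing.org>'
SAMPLE_BODY = ("Inspector flagged a missing pressure-test fee, $4,200, pay tonight "
               "or inspection rescheduled to next month. https://pay.example.net/permit")
SAMPLE_TIME = datetime(2024, 1, 15, 16, 51)  # 4:51 PM, date is arbitrary

if __name__ == "__main__":
    for tell in permit_email_tells(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_TIME):
        print("HOLD FOR CALLBACK:", tell)
```

Any non-empty result means the message waits until someone has called the permit office on a number the shop already had on file.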
Part 1
Phishing teardown — 3 real attacks.
Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details are changed; the patterns are not. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.
Part 2
60-minute incident containment.
The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.
Send it to me
Drop your email, get the pack.
Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers.
If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.
Want the live audit?
We'll send a fake "Joe Mendez" to your real AP person.
For plumbing shops that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.