Defend · For roofing shops
The "claim disbursement" email
isn't from the carrier.
Roofers run the highest-volume insurance-claim work in the trades. Storm season means dozens of open claims, each tied to a real homeowner, a real address, a real adjuster. Attackers scrape county-recorded claim data and hail-storm zip codes, then send fake "claim disbursement" or "updated banking" emails timed to the week before payout. The pressure is always the same: confirm your bank info today or the check gets held.
Storm season + insurance payouts = the highest BEC volume in the trades.
Real-pattern incident · Roofing
Real-pattern: spoofed insurance-carrier disbursement ($28k)
The setup
NJ roofing contractor, 12-employee shop. Just finished a hail-damage re-roof on a $46k claim. Carrier had confirmed payment for the following week.
The bait
Email arrives Wednesday at 4:47 PM from "claims@statefarm-disbursements.org" (real carrier domain is statefarm.com). References the actual claim number and homeowner address — both publicly recoverable. "Updated banking info needed — old account under audit. Confirm via this link to release the $28k disbursement tomorrow."
Why it works
The claim number is real, the carrier name is real, and the shop has been chasing this exact payout for 11 days. Without a callback to the adjuster's known direct line, the disbursement gets redirected and the money is gone the same day.
The one-line BCL rule
Any banking change — new wire, new ACH, new account — gets a phone callback to a known number, every time, no exceptions, even if it slows a draw by a day.
Part 1
Phishing teardown — 3 real attacks.
Three real-pattern emails sent to plumbing, electrical, HVAC, and GC shops in the past six months. Identifying details changed — the patterns unchanged. Each case: the email itself, why it almost works, the three tells, the one-line BCL rule, and a drill you run in your shop next week.
Part 2
60-minute incident containment.
The version a panicked owner uses at 11 PM. Read it cold tonight, fill in the phone numbers tomorrow, hope you never need it. Four scenarios, minute-by-minute steps, and clear hand-off points to your bank, your insurer, your IT, and the FBI.
Send it to me
Drop your email, get the pack.
Email-gated because we want to send the next defense piece (incident postmortem template, voice-clone drill kit) when it ships. One email per drop, unsubscribe in one click, no third-party trackers. Trust scorecard.
If something is on fire right now, skip the form: the pack is also at bluecollarlabs.org/defense-pack. Stop the bleed first, give us the email later.
Want the live audit?
We'll send a fake "Joe Mendez" to your real AP person.
For roofing shops that want to pressure-test their defenses with consent: we run a real phishing audit, debrief with your team, and hand you a remediation roadmap. First ten audits are free, no charge ever for working trades shops.