Blue Collar Labs — Small-Shop Defense Pack v0.1

BCL Small-Shop Defense Pack v0.1

Rendered 2026-05-02 · bluecollarlabs.org

Two free defenses for small trades shops, in one document.

Blue Collar Labs · bluecollarlabs.org/defend · Free to share, free to print.


What's inside

This pack bundles the two defenses small trades shops use first. Print it, tape the wall poster near the AP desk, and run the three drills next week.

  1. Phishing teardown — three real-pattern emails sent to small trades shops in 2026. What the attack looks like, why it almost works, the three tells, the BCL rule, and a drill you can run in your shop next week.
  2. The 60-minute incident containment plan. The version a panicked owner uses at 11 PM when something has already gone wrong. Stops the bleed, preserves evidence, hands off to professionals.

Together these are about an hour of reading and a couple of weeks of low-effort drills. They do not replace a real cyber-insurance policy or a real incident-response retainer, and we name where they hand off to those things.

If something is on fire right now, skip to the second half of this pack — the 60-minute plan starts with a cover page that tells you exactly what to do in the next five minutes.


Why this exists

Small trades shops are now the most-targeted bracket for business-email-compromise and voice-clone wire fraud. The reason is unromantic: the average loss per incident is high enough to be worth an attacker's time, and the average shop's defenses are still mostly "the AP person is careful." That's not enough anymore. The attacks have moved.

This pack is what we hand to the shops we audit. It is free because the cost of not having it — the wire that goes out at 4:55 PM on a Friday — falls hardest on the people who can least afford it.

If your shop wants the full audit (we'll send a fake "Joe Mendez" to your real AP person, with consent), email support@bluecollarlabs.org. Otherwise: read on.


How to use this pack

  1. Today (15 min). Read the three phishing cases. Note which one you would have caught and which one you wouldn't have.
  2. This week. Run the three drills at the bottom of each case. Do not punish people who fail — train them.
  3. Print the wall poster at the end of Part 1. Tape it where the AP person sits.
  4. Read Part 2 once cold, while nothing is on fire. The 60-minute plan is no good if you read it for the first time during the actual incident.
  5. Fill in the phone numbers at the start of Part 2 today. Pre-fill the bank fraud line, the cyber insurance hotline, and the local FBI field office. The numbers themselves are the control.

Part 1 — Phishing teardown · Three real-pattern emails

BCL DEFEND pillar — Week 3 artifact.

Each case below is a real pattern that has actually been sent to plumbing, electrical, HVAC, and general-contractor shops in the past 6 months. Identifying details have been changed. The patterns — the structure, the social engineering, the off-channel ask — are unchanged.

For each case:

  1. Read the email cold. Decide: would I have caught this in the moment? Note your gut answer.
  2. Read the 3 tells. These are the specific cues a trained eye picks up first.
  3. Read the BCL rule. This is the one-line callback or process change that defeats this attack pattern.
  4. Run the drill at the bottom of the case in your shop next week.

Three cases is the right number: enough variety to teach the pattern, few enough to actually run drills on all of them inside one week.


Case 1 — The fake-vendor invoice ("$48k Tuesday")

This is the most common attack against small trades shops. It's the pattern that put $48k on the line at a real shop in March 2026.

The email

From: Joe Mendez <jmendez@graybar-billing.net>
To: ap@<your-shop>.com
Subject: Invoice 41782 — past due — wire required EOD

Hi,

Following up on invoice 41782 (attached) for the recent supply
order. I see this is now 30 days past due. Per our updated billing
terms (see vendor portal note 11/23), wire transfer is now the
only accepted payment method for past-due balances.

New wire instructions:

  Bank:        Pinnacle First (NY)
  Routing:     026013576
  Account:     8847132201
  Reference:   INV-41782 / <your-shop>

Please confirm by 4 PM today so we can release for next-day
delivery. Late wires hold the order another 48 hrs.

Thanks,
Joe Mendez
A/R Specialist · Graybar Electric
Direct: (212) 555-0119

Why this almost works

It looks like a routine A/R follow-up. The shop bought from Graybar last month. The dollar amount is plausible. The urgency ("4 PM today") is normal in supply-house culture. The voice is professional but not too polished.

The 3 tells

  1. The sender domain is wrong. graybar-billing.net is not Graybar's domain. Graybar is graybar.com. Hyphenated lookalike domains (-billing, -finance, -payments) are the #1 phishing tell in trades. Real vendors use the same domain for billing as for ordering.
  2. A wire instruction in an email. Real vendors that already have an invoicing relationship with you have your account already configured — they don't need you to re-enter wire instructions every time. Any email that contains routing + account numbers AND asks you to act today is a red flag, even from a real vendor whose account got compromised.
  3. Off-channel ask. If you've never wired money to this vendor before — only ACH, check, or card — and this email is the first time wire has been suggested, that's the attack working as designed. Attackers swap the channel because they can't replicate the original channel's controls (your AP system, your card terminal, your ACH portal).

BCL rule

Never wire to a new payee — or a new account at an old payee — without a callback to a number you already had on file. Never use the number in the email.

The drill (run this week)

Send a fake "Joe Mendez" email to your AP person yourself, using a free Gmail you make up that morning, with a brand-new wire instruction. See how they handle it. If they catch it, buy them lunch. If they don't catch it, you've just discovered a $48,000 hole in your shop's defenses for the cost of a 5-minute prank. Tell them after — never leave a real test running.


Case 2 — The CEO voice-clone wire request

This is the rising threat in 2026 because the cost of voice cloning has collapsed. With 30 seconds of a person's voice (a podcast, a radio ad, a YouTube job-site video, a voicemail greeting) anyone can produce a convincing audio clip in their voice.

The setup

The voicemail (or live call) sounds like the owner. Slightly distorted ("I'm at the airport, bad signal"). Asks AP / bookkeeper / spouse to wire money to a new vendor, today, before EOD, because of a deal that closes today.

The voice is right. The cadence is right. The phrases the owner usually uses are right (because the cloning model picked them up from public audio).

Sample script

"Hey, it's me. I'm at the truck show in Vegas, signal's terrible. Quick one — that supplier I told you about, the one out of Tennessee — they need a 10k deposit today to lock the bulk price. Wire it from operating. Routing is 0-6-2-2-0-0-3-0, account is — let me grab it — 4-1-8-3-2-9-1-7. Reference 'TN supplier deposit.' Just do it from your phone, I gotta hop on a call. Thanks. Tell Maria I said hi."

Why this almost works

It's the boss. He's said "Tell Maria I said hi" in voicemails for years. He's been to Vegas before. He DID mention a Tennessee supplier last week. None of it is invented — the attacker did 20 minutes of research on the shop's social media and the owner's voice.

The 3 tells

  1. Off-channel + urgency + new payee. Same triad as Case 1. The boss never asks for wires by voicemail — he uses the AP system, or texts a written instruction, or calls AP directly during business hours.
  2. The boss can't be reached for confirmation. "I'm in a call" / "I'm boarding" / "Don't text me back, just do it" is the entire mechanism of this attack. Real urgent requests can take a 90-second confirmation call.
  3. The amount is large enough to matter, small enough not to spook. $5k–$25k is the sweet spot. Above that, even untrained AP people pause. Below that, AP just acts.

BCL rule

Voice over the phone never authorizes a new wire. Period. Even if it's the boss's voice. The boss agreed to this rule in writing.

Pin the rule. Get the owner to sign it. The signature is the actual control — it removes the AP person's social pressure to comply.

The drill (run this week)

Have the owner record themselves saying "Hey, it's me. I'm at the airport. Wire $8k to this account today." (No actual instructions — just the sentence.) Play it for the AP person and ask: would you have actioned this? If yes, the rule above is not yet on the wall. If no, ask them what would have made them action it. That's the next gap to close.


Case 3 — The fake permit / municipal-fee scam

This one is less common, but it is rising fast in 2026 as municipal e-services become more visible online. It plays on the fact that small trades shops do receive real permit-related emails from real municipalities.

The email

From: Permits Office <permits@nj-business-permits.org>
To: <owner>@<your-shop>.com
Subject: ACTION REQUIRED — your contractor license renewal — 2026 cycle

Dear Licensee,

Our records indicate that your New Jersey home improvement
contractor registration (HIC #13VHXXXXXXXX) is in the 2026
renewal window. Renewal is now mandatory by 5/15/2026 to avoid
a $250 late fee and a 30-day suspension of your license to
perform residential work in the State of New Jersey.

Renew online: https://nj-business-permits.org/renew?HIC=13VHXXXXXXXX

The 2026 renewal fee is $90.00 and may be paid by credit card,
debit card, or e-check. Please complete the renewal on or before
5/15/2026 to maintain active status.

Thank you,
NJ Business Permits Office

Why this almost works

The HIC# is a real format. The renewal cycle exists. The deadline pressure is plausible. The email is written in the dead, formal, slightly off voice that real municipal emails actually use, so the attacker has done their tone homework.

The 3 tells

  1. The domain is wrong. Real NJ government uses nj.gov (e.g. dca.nj.gov). Anything that ends in nj-business-permits.org, nj-permits.com, state-of-nj-renewals.net is fake. State governments do not use generic .org or .com domains for licensing actions. If it's not *.nj.gov, it's a scam.
  2. The fee is plausible but never paid via that channel. Real NJ HIC renewal goes through dca.nj.gov and the fee is set by statute. Even if the dollar amount in the email matches the real fee, the channel is the attack — they want a credit card on a fake portal so they can charge it again later.
  3. Urgency without a verifiable source. A real licensing deadline is published on the state's website. Open the state site directly — don't click — and see whether the deadline matches. If you can't find the deadline on nj.gov, the email is lying.
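The Case 1 and Case 3 tells (lookalike vendor domain, routing + account numbers with a same-day ask, licensing language from anything that is not *.nj.gov) can be checked mechanically before a human reads the email. The block below is an added example, not part of the BCL pack; the vendor allowlist, the regexes and the trimmed sample emails are constructed from the two cases above and stand in for a shop's real AP data.

```python
from __future__ import annotations
import re

# Constructed sample vendor allowlist: the domain each real vendor orders AND bills from.
# A real shop keeps this in its AP system; "graybar.com" is the only entry for this demo.
KNOWN_VENDOR_DOMAINS = {"graybar": "graybar.com"}
STATE_GOV_DOMAIN = "nj.gov"   # anything not under *.nj.gov is not the State of New Jersey

URGENCY = re.compile(r"\b(?:today|EOD|by \d{1,2} ?(?:AM|PM)|action required|past due|immediately)\b", re.I)
NINE_DIGITS = re.compile(r"\b(\d{9})\b")                  # candidate ABA routing numbers
ACCOUNT = re.compile(r"\bAccount:\s*(\d{6,17})\b", re.I)  # e.g. "Account:     8847132201"
LICENSE_WORDS = re.compile(r"\b(?:license|permit|registration|renewal)\b", re.I)


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers carry a check digit: the 3,7,1-weighted digit sum is a multiple of 10.
    This keeps random 9-digit numbers (job numbers, phone fragments) out of the routing check."""
    weights = (3, 7, 1) * 3
    return len(routing) == 9 and sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def sender_domain(from_header: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def tells(from_header: str, subject: str, body: str) -> list[str]:
    """Return the BCL tells present in one email. An empty list means 'nothing flagged', not 'safe'."""
    found: list[str] = []
    domain = sender_domain(from_header)
    text = subject + "\n" + body
    # Case 1, tell 1: a known vendor's name inside a sender domain that is not that vendor's real domain.
    for name, real in KNOWN_VENDOR_DOMAINS.items():
        if name in domain and domain != real and not domain.endswith("." + real):
            found.append(f"lookalike vendor domain {domain} (real domain is {real})")
    # Case 1, tell 2: routing + account numbers in the body AND an ask to act today.
    # Fires even from a real vendor domain, on purpose: a compromised real account looks the same.
    has_routing = any(aba_checksum_ok(r) for r in NINE_DIGITS.findall(text))
    if has_routing and ACCOUNT.search(text) and URGENCY.search(text):
        found.append("wire instructions plus same-day urgency in an email")
    # Case 3, tell 1: license/permit/renewal language from anything that is not *.nj.gov.
    is_state = domain == STATE_GOV_DOMAIN or domain.endswith("." + STATE_GOV_DOMAIN)
    if LICENSE_WORDS.search(text) and not is_state:
        found.append(f"licensing email from non-{STATE_GOV_DOMAIN} domain {domain}")
    return found


# Constructed samples, trimmed from the Case 1 and Case 3 emails to the lines that matter.
CASE1_FROM = "Joe Mendez <jmendez@graybar-billing.net>"
CASE1_SUBJECT = "Invoice 41782 - past due - wire required EOD"
CASE1_BODY = """Following up on invoice 41782. Per our updated billing terms, wire transfer
is now the only accepted payment method for past-due balances.
  Routing:     026013576
  Account:     8847132201
Please confirm by 4 PM today so we can release for next-day delivery."""

CASE3_FROM = "Permits Office <permits@nj-business-permits.org>"
CASE3_SUBJECT = "ACTION REQUIRED - your contractor license renewal - 2026 cycle"
CASE3_BODY = """Our records indicate that your New Jersey home improvement contractor registration
is in the 2026 renewal window. Renew online: https://nj-business-permits.org/renew"""

if __name__ == "__main__":
    for label, args in (("Case 1", (CASE1_FROM, CASE1_SUBJECT, CASE1_BODY)),
                        ("Case 3", (CASE3_FROM, CASE3_SUBJECT, CASE3_BODY))):
        print(label, tells(*args))
```

A real vendor whose mailbox was taken over still trips tell 2, which is the behaviour the teardown asks for: the callback rule, not the sender domain, is what clears a wire.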

BCL rule

For any government, license, permit, or tax-related email — type the agency's website into your browser yourself. Never click the link in the email. Treat email links from government as untrusted by default.

This rule is also defended by browser autofill: if you've never been to nj-business-permits.org before, your password manager won't fill anything, which is a free silent warning.

The drill (run this week)

Once a quarter, send your team a fake-licensing email yourself. Track who clicks. Don't blame people who fail — train them. The point is to find gaps, not to hunt humans.


Wall poster — print and tape near the AP desk

┌────────────────────────────────────────────────────────────┐
│                                                            │
│   THE THREE BCL CALLBACK RULES                             │
│                                                            │
│   1. New payee or new account?                             │
│      Callback to a number you already had on file.         │
│      Not the number in the email.                          │
│                                                            │
│   2. Voice on the phone, urgent wire?                      │
│      Hang up. Call the boss back at his real number.       │
│      He agreed to this rule in writing.                    │
│                                                            │
│   3. Government / license / permit email?                  │
│      Type the agency's website yourself.                   │
│      Never click a link.                                   │
│                                                            │
│   If you skip a rule because someone is yelling at you,    │
│   the someone yelling is the attacker. Hang up.            │
│                                                            │
│   — Blue Collar Labs · bluecollarlabs.org/defend           │
│                                                            │
└────────────────────────────────────────────────────────────┘

Part 2 — 60-minute incident containment

The version a panicked owner uses at 11 PM.

If you are reading this because something just went wrong — a wire was sent, an email account is acting weird, files are encrypted, or someone in your shop just told you they "did something they shouldn't have" — read the cover, then go to the section that matches your scenario and follow the steps.

Do not call a meeting. Do not write an all-hands email. Do not start a Slack thread. Open this page on your phone and follow the steps in order.

After the 60 minutes, you hand off to professionals. This page is the first hour only.


Cover — read once, then move

  1. Time matters. The first 60 minutes determines how much you recover. Banks can sometimes claw back wires within hours. After 24 hours, often not.
  2. Your job in the first hour is not to investigate. It is to stop the bleed and preserve what's there. Investigation is for tomorrow.
  3. You are not unprofessional for being scared. You're going to do this badly under stress. That's normal. The steps below are written for badly.
  4. One person runs the call list. Everyone else stays in their lane. If you're reading this, you are that person until further notice.
  5. Do not delete anything. Not the email. Not the suspicious file. Not the browser history. Evidence is how the bank, the FBI, and your insurance get you whole.

If you can do nothing else, call your bank's fraud line right now and tell them what happened. Every other step on this page can wait 5 minutes; that one cannot.


Phone numbers to have ready (fill these in BEFORE you need them)

Tape this to the inside of a desk drawer. Update once a year.

┌─────────────────────────────────────────────────────────────┐
│  PRE-FILLED INCIDENT NUMBERS                                │
│                                                             │
│  Our bank's fraud line:    ___________________________      │
│  (NOT the number on a card. Look it up on the bank's        │
│   real website, or call the branch and ask for fraud.)      │
│                                                             │
│  Cyber insurance carrier:  ___________________________      │
│  Policy number:            ___________________________      │
│  24/7 incident hotline:    ___________________________      │
│                                                             │
│  Our IT person / MSP:      ___________________________      │
│                                                             │
│  Local FBI field office:   ___________________________      │
│  (newark.fbi.gov for NJ shops; ic3.gov for online report)   │
│                                                             │
│  Lawyer (employment / contracts):  __________________       │
│                                                             │
└─────────────────────────────────────────────────────────────┘

Pick your scenario


A — Wire fraud (you sent or are about to send)

Minute 0–5: Call the bank fraud line.

Tell them, in this order: "Wire fraud. Sending account is ____. Wire was sent at ____ to ____ for $____. We believe it was a phishing attack." Ask for an immediate SWIFT recall or ACH recall if it's domestic. The faster they hear it, the higher the recall odds.

Minute 5–10: Call the receiving bank's fraud line.

Find it on the receiving bank's real website. Tell them: "We are the senders of a wire received at your bank today, sent under fraud. The receiving account is ____." Some receiving banks will freeze the receiving account on a phone call.

Minute 10–20: Email the bank a written follow-up.

Subject: "Fraudulent wire — written confirmation per [agent name] phone call [time]." Body: same facts. This creates the paper trail.

Minute 20–30: File IC3 report at ic3.gov.

This is the FBI's online intake. It does not call the cops — it routes the report. Filing inside 24 hours dramatically helps. Save the report number; insurance and the bank will both ask for it.

Minute 30–45: Call cyber insurance.

Most policies require notification within 24–72 hours. Do it now. They will assign a carrier-approved incident-response firm. Use them; do not hire one yourself first.

Minute 45–60: Preserve everything.

The next 24 hours. The IR firm runs the investigation. Your job is to answer their questions and not to communicate with the attacker.


B — Credentials phished (someone entered a password into a fake site)

Minute 0–5: Reset that password. Whatever site it was. Use a different machine if you can.

Minute 5–10: Reset the email password too. And the password manager master password. The attacker's first move is usually email-account takeover for downstream attacks.

Minute 10–20: Sign out all sessions. Every major site (Google, Microsoft 365, Notion, QuickBooks) has a "sign out everywhere" button. Hit it.

Minute 20–30: Turn on MFA everywhere it isn't already on. Authenticator app preferred over SMS. SMS is better than nothing.

Minute 30–45: Check the inbox for forwarding rules. Attackers add rules that auto-forward incoming email (especially anything with "wire," "invoice," "payment") to themselves. In Gmail and Outlook both, check Settings → Filters / Rules. Delete anything you didn't create.

Minute 45–60: Tell your bank. Even if no money moved. They flag the account for the next 30 days, which is when downstream attacks usually fire.

The next 24 hours. Do a credit freeze if the phished site contained your SSN.


C — Suspicious computer / possible ransomware

Minute 0–5: Disconnect that machine from the network. Pull the ethernet, turn off Wi-Fi. Do not power it off — that destroys forensic evidence in RAM.

Minute 5–10: Disconnect any external drive or USB stick. And any other machine that shares files with the affected one.

Minute 10–20: Stop using shared drives. If files on the network drive look weird, the encryption is in progress. Disconnect every workstation from the share.

Minute 20–30: Call cyber insurance. Their incident-response firm handles ransomware specifically — do not pay anything, do not contact the attackers, do not even open a chat window with them. The first contact is the attacker's leverage.

Minute 30–45: Call your IT/MSP. They isolate the affected machines, check backups, and start the recovery plan if backups are clean.

Minute 45–60: Document. Take photos of the ransom note (with your phone — do NOT screenshot from the affected machine). Write down what you saw and what you touched.

The next 24 hours. Do not pay the ransom. Pay only on the explicit advice of the IR firm, and only after they have evaluated the decryptor's reliability. Most ransom payments lead to follow-on attacks within 6 months.


D — Suspicious voicemail / call asking for a wire

Minute 0–5: Do not action the wire. No matter who the voice claims to be.

Minute 5–10: Call the person back at the number you already had. Not the number in the voicemail. Not a number they texted you. The one in your phone from before today.

Minute 10–20: If you can't reach them, hold the wire. No exceptions. The cost of holding for an hour is zero. The cost of sending a fraudulent wire is everything.

Minute 20–30: Email the person from your normal email. "Got a voicemail saying you need $X wired to Y today. Confirming this is real. Calling you back at [their normal cell]." If they didn't make the call, they'll respond within minutes.

Minute 30–45: Loop in one other authorized person. This rule should be in writing already — but if it isn't, this is the moment. Two-person authorization on any new wire over a threshold the shop sets together (we recommend $5k for shops under 25 employees).

Minute 45–60: Document the call. Voicemail audio file (download it from the phone system if possible). Caller ID. Time of call. The script the caller used. This is evidence whether or not money moved.

The next 24 hours. Update the wall poster. The attacker will try again next month with a slightly different pitch.
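The Case 2 rule, the wall poster and Scenario D boil down to a short decision procedure that an AP tool can enforce before a wire is released. What follows is an added example, not BCL's own code; the payee file, the channel names and the $5k threshold are constructed to match the pack's recommendations for a shop under 25 employees.

```python
from __future__ import annotations
from dataclasses import dataclass

TWO_PERSON_THRESHOLD = 5_000.0   # the pack's suggested threshold for shops under 25 employees
VOICE_CHANNELS = {"voicemail", "phone"}


@dataclass(frozen=True)
class PayeeOnFile:
    """What AP already knew about a payee BEFORE today (constructed sample, not a real vendor file)."""
    name: str
    account: str         # the account we last paid
    phone_on_file: str   # the number we already had


@dataclass(frozen=True)
class WireRequest:
    payee: str
    account: str
    amount: float
    channel: str                          # "ap_system", "written_text", "email", "voicemail", "phone"
    callback_number_in_message: str = ""  # a number the request itself tells us to call, if any


def required_controls(req: WireRequest, on_file: dict[str, PayeeOnFile]) -> list[str]:
    """Return the controls that must clear before this wire goes out. Empty list: routine wire."""
    controls: list[str] = []
    known = on_file.get(req.payee.lower())
    new_destination = known is None or known.account != req.account
    # Scenario D, minute 0-5: a voice on the phone never authorizes a wire, whoever it sounds like.
    if req.channel in VOICE_CHANNELS:
        controls.append("HOLD: voice cannot authorize a wire; get it through the AP system or in writing")
    # Poster rule 1: new payee, or new account at an old payee, means a callback to the number on file.
    if known is None:
        controls.append("CALLBACK: new payee; verify on a number obtained independently of this request")
    elif known.account != req.account:
        controls.append(f"CALLBACK: account changed for {known.name}; call {known.phone_on_file} (on file)")
    # The number inside the message is never the callback number.
    if req.callback_number_in_message and (known is None or req.callback_number_in_message != known.phone_on_file):
        controls.append(f"IGNORE: number in the message ({req.callback_number_in_message}) is not the number on file")
    # Scenario D, minute 30-45: two-person authorization on any new wire at or above the threshold.
    if new_destination and req.amount >= TWO_PERSON_THRESHOLD:
        controls.append("SECOND_APPROVER: new wire at or above threshold needs a second authorized person")
    return controls


# Constructed payee file: one supply house we have paid before.
PAYEES = {"graybar": PayeeOnFile("Graybar Electric", "1122334455", "(800) 555-0100")}

# Case 2 voicemail: new payee, $10k, by voice, nothing on file.
VOICEMAIL = WireRequest("TN supplier", "41832917", 10_000, "voicemail")
# Case 1 email: known vendor, but a new account and a "direct" number supplied in the email.
INVOICE_EMAIL = WireRequest("graybar", "8847132201", 48_000, "email", "(212) 555-0119")
# A routine wire: same vendor, same account, entered in the AP system.
ROUTINE = WireRequest("graybar", "1122334455", 20_000, "ap_system")

if __name__ == "__main__":
    for label, req in (("voicemail", VOICEMAIL), ("invoice email", INVOICE_EMAIL), ("routine", ROUTINE)):
        print(label, required_controls(req, PAYEES) or ["release"])
```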


What hands off where

This pack covers the first 60 minutes. After that, you hand off:

Your job during the first 60 minutes was not to fix all of that. It was to make sure the people who can fix it got called. Now they're called.


After the incident — the one-page debrief

When the dust settles, in the first week after, write one page:

  1. What happened, in three sentences. Plain English. No blame.
  2. What stopped it (or could have). The control that worked, or the one that should have been in place.
  3. The one change we are making this month. One. Not a list of ten. The thing that, if it were in place a week ago, would have stopped this.

Tape that page next to the wall poster. Add a date. That's how a small shop builds memory.


Closing

If this pack helped, two asks:

  1. Print it. Give a copy to one other shop owner you know. The attackers do not stop at our walls. The shops that share defenses are the ones that stay open.
  2. Tell us where it failed. If a drill went sideways, if a section was wrong for your trade, if a real incident played out differently than this pack predicted — email support@bluecollarlabs.org. The next version (v0.2) gets better because of your war story.

If your shop wants the live audit (we'll send a fake "Joe Mendez" to your real AP person, with consent), the cohort wants apprentices and journeymen at any level, or you want to support free seats for low-income trades, all of that lives at bluecollarlabs.org.

Stay paid. Stay open. Don't click the link.

— Blue Collar Labs · 501(c)(3) · EIN 42-1853577
