invoice fraud vs BEC
AP receives a changed bank account on a vendor invoice and labels it BEC. BEC is impersonation in the email thread; invoice fraud is the paid-invoice artifact and approval-chain tamper. preservation diverges — header chain vs PDF revision genealogy.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
invoice fraud / vendor account change
fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.
- 01 email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- 02 email thread reconstructor: drop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- 03 .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- 04 pdf object explorer: drop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
- 05 pdf forensics: drop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
- 06 pdf author and revision metadata deep analyzer: drop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
- 07 document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- 08 document metadata inconsistency finder: drop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally
business email compromise (BEC)
vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
- 01 email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- 02 email thread reconstructor: drop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- 03 .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- 04 email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
- 05 received header hop analyzer: paste raw email headers or drop eml · parse all received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays private ips and inconsistent hostnames · runs locally
- 06 mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
- 07 email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
- 08 mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names conditions actions · flag suspicious forward redirect · CSV export · runs locally
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward invoice fraud if you see…
- tampered invoice PDF: incremental updates, ghost text layers, or a signature-chain break in the disputed invoice
- vendor bank-detail change in AP audit or bill.com workflow without executive display-name spoof in correlated mail
- approval-chain tamper or routing-rule edit in AP/ERP audit logs — not a mailbox rule planted on a finance mailbox
lean toward BEC if you see…
- spoofed reply chain, display-name impersonation, or vendor-domain lookalike in email headers
- wire-fraud thread in the mailbox with no PDF revision ghost layer on the disputed invoice artifact
- mailbox rule auto-forwarding finance threads to an external address immediately after suspicious login
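
The two signal lists above as a triage check, in an added example that is not part of the original page or of the tools it lists: it looks for incremental-save markers in the invoice PDF and for lookalike-domain and Reply-To indicators in the correlated mail, then reports which case type the evidence leans toward. The `.example` domains, the sample bytes, the 0.85 similarity threshold and all function names are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real evidence; the PDFs are marker-only stubs).
VENDOR = "acme-supplies.example"
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n9\n%%EOF\n"
EDITED_PDF = CLEAN_PDF + b"5 0 obj\n<< /Length 0 >>\nendobj\nstartxref\n70\n%%EOF\n"
SPOOFED = ('From: "Acme Supplies Billing" <billing@acme-suppiies.example>\n'
           "Reply-To: ap-payments@mailbox.example\n\nPlease use the new account.\n")
GENUINE = ('From: "Acme Supplies Billing" <billing@acme-supplies.example>\n'
           "Subject: Invoice attached\n\nSee attachment.\n")

def pdf_signals(data: bytes) -> dict:
    """Count %%EOF markers; each incremental save appends another one."""
    eofs = len(re.findall(rb"%%EOF", data))
    # Linearized ("fast web view") files carry two markers by design.
    baseline = 2 if b"/Linearized" in data[:1024] else 1
    # A lead to diff, not proof of tamper: signing also appends revisions.
    return {"eof_markers": eofs, "incremental": eofs > baseline}

def _domain(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def mail_signals(raw: str, vendor_domain: str) -> dict:
    """Header-level impersonation indicators for one message."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    vendor = vendor_domain.lower()
    similarity = SequenceMatcher(None, from_dom, vendor).ratio()
    return {
        # Near-identical but not equal to the known vendor domain.
        "lookalike_domain": from_dom != vendor and similarity >= 0.85,
        # Replies would go to a different domain than the visible sender.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }

def lean(pdf: dict, mail: dict) -> str:
    """Map the observed signals onto the page's two case types."""
    tampered, spoofed = pdf["incremental"], any(mail.values())
    if tampered and spoofed:
        return "overlap"
    if tampered:
        return "invoice fraud"
    return "BEC" if spoofed else "undetermined"

if __name__ == "__main__":
    print(lean(pdf_signals(EDITED_PDF), mail_signals(GENUINE, VENDOR)))
```

An "overlap" result means both preservation tracks apply: the header chain and the PDF revision history.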