payroll fraud vs BEC
finance reports 'someone changed our bank details' — same intake sentence for payroll direct-deposit fraud and BEC wire redirect. payroll fraud lives in ADP/Workday/UKG exports; BEC lives in mailbox rules and spoofed threads. mixing them wastes the first preservation window.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
payroll fraud / ghost employee
unauthorized direct deposit changes · ghost employees · overtime inflation · payroll adjustment after termination. evidence is ADP/Workday/UKG payroll audit exports + HCM headcount cross-checks.
- 01 adp payroll audit log forensic analyzer: drop adp export · parse paycheck + employee + approver · runs locally
- 02 workday payroll export forensic analyzer: drop workday payroll export · parse payment + earning + user · runs locally
- 03 payroll ghost employee detector: drop payroll export · detect ghost employee patterns · runs locally
- 04 payroll unauthorized adjustment detector: drop payroll export · detect unauthorized pay adjustments · runs locally
- 05 payroll overtime inflation detector: drop payroll export · detect overtime inflation patterns · runs locally
- 06 cross hcm payroll headcount correlator: drop hcm + payroll exports · correlate headcount to pay run · runs locally
- 07 cross payroll wfm timesheet correlator: drop payroll + wfm exports · correlate paycheck to timesheet · runs locally
- 08 case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
business email compromise (BEC)
vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.
- 01 email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- 02 email thread reconstructor: drop multiple .eml files · Message-ID, References and In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- 03 .eml / .msg email header chain analyzer: drop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- 04 email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface SPF, DKIM and DMARC results · identify header inconsistencies indicating spoofed or forged email · runs locally
- 05 received header hop analyzer: paste raw email headers or drop eml · parse all Received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays, private IPs and inconsistent hostnames · runs locally
- 06 mailer and email client fingerprint identifier: drop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged X-Mailer headers and mailer fingerprint mismatches · runs locally
- 07 email impersonation pattern detector: drop multiple eml files or paste headers · detect display name spoofing, domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
- 08 mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names, conditions, actions · flag suspicious forward/redirect · CSV export · runs locally
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward payroll fraud if you see…
- unauthorized direct-deposit change or routing-number edit in ADP/Workday/UKG audit export without correlated mailbox-rule planting
- ghost employee row, hours inflation, or overtime padding in HCM export — payroll-system anomaly, not email-thread artifact
- termination-bypass or rehire pattern in HCM showing an active employee record with no manager attestation
lean toward BEC if you see…
- executive impersonation thread or vendor wire-redirect email pointing finance at a fraudulent account
- mail-rule forward-to-external rule created immediately after a suspicious login on a finance mailbox
- spoofed reply chain in mail headers tying the bank-change request to a CFO display-name impersonation, not the HCM portal
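as an added illustration of the signals above (not one of the tools on this page), a small Python triage function that applies two of them to a constructed event timeline: an external forward rule created shortly after a suspicious login on the finance mailbox leans BEC, while a bank-detail edit in the payroll audit export with no mailbox rule planted in the preceding window leans payroll fraud. the 48-hour window, the mailbox name and the sample timelines are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)  # assumed correlation window, tune per case
MAILBOX = "ap@corp.example"   # constructed finance mailbox name

@dataclass
class Event:
    ts: datetime
    kind: str    # "bank_change" (payroll audit export), "mail_rule", "login"
    actor: str   # mailbox for mail_rule/login, employee or vendor id for bank_change
    detail: str  # rule action, login verdict, or the payroll field that changed

def follows(a, b, window=WINDOW):
    """True when event b happened within `window` after event a."""
    return timedelta(0) <= b.ts - a.ts <= window

def triage(events, finance_mailbox):
    """Return (lean, reasons) with lean in {'bec', 'payroll', 'undetermined'}."""
    changes = [e for e in events if e.kind == "bank_change"]
    rules = [e for e in events if e.kind == "mail_rule" and e.actor == finance_mailbox]
    bad_logins = [e for e in events if e.kind == "login" and e.actor == finance_mailbox
                  and "suspicious" in e.detail]
    bec, payroll = [], []
    # BEC signal: forward/redirect-to-external rule planted right after a suspicious login
    for r in rules:
        if "external" in r.detail and any(follows(lg, r) for lg in bad_logins):
            bec.append(f"{r.ts:%H:%M} external mail rule shortly after suspicious login")
    # payroll signal: bank-detail edit in the audit export with no rule planted before it
    for c in changes:
        if not any(follows(r, c) for r in rules):
            payroll.append(f"{c.ts:%H:%M} {c.detail} with no correlated mailbox rule")
    lean = "bec" if bec else "payroll" if payroll else "undetermined"
    return lean, bec + payroll

T0 = datetime(2024, 3, 4, 9, 0)
SAMPLES = {  # constructed timelines, not real case data
    "wire_redirect": [
        Event(T0, "login", MAILBOX, "suspicious: new country, legacy auth"),
        Event(T0 + timedelta(minutes=12), "mail_rule", MAILBOX,
              "forward to external address, delete original"),
        Event(T0 + timedelta(hours=5), "bank_change", "vendor-1187", "vendor routing number edited"),
    ],
    "direct_deposit": [
        Event(T0, "bank_change", "emp-0042", "direct deposit account edited, approver = self"),
    ],
}
```

run `triage(SAMPLES["wire_redirect"], MAILBOX)` and `triage(SAMPLES["direct_deposit"], MAILBOX)` to see the two leans side by side; a timeline with neither signal comes back as undetermined so the intake is not forced into either queue.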