fatcousin
// case comparison

payroll fraud vs invoice fraud

finance reports unauthorized money movement. case A is payroll-fraud: direct-deposit change, ghost employee, or overtime inflation in payroll/HCM exports. case B is invoice-fraud: tampered vendor invoice, AP bank-detail change, and approval-chain anomaly. wrong call sends you to email-header-analyzer when you need payroll-ghost-employee-detector — or chases mailbox spoof while the HCM portal already shows routing-number edit.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

payroll fraud / ghost employee

unauthorized direct deposit changes · ghost employees · overtime inflation · payroll adjustment after termination. evidence is ADP/Workday/UKG payroll audit exports + HCM headcount cross-checks.

  1. 01adp payroll audit log forensic analyzerdrop adp export · parse paycheck + employee + approver · runs locally
  2. 02workday payroll export forensic analyzerdrop workday payroll export · parse payment + earning + user · runs locally
  3. 03payroll ghost employee detectordrop payroll export · detect ghost employee patterns · runs locally
  4. 04payroll unauthorized adjustment detectordrop payroll export · detect unauthorized pay adjustments · runs locally
  5. 05payroll overtime inflation detectordrop payroll export · detect overtime inflation patterns · runs locally
  6. 06cross hcm payroll headcount correlatordrop hcm + payroll exports · correlate headcount to pay run · runs locally
  7. 07cross payroll wfm timesheet correlatordrop payroll + wfm exports · correlate paycheck to timesheet · runs locally
  8. 08case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
case b

invoice fraud / vendor account change

fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.

  1. 01email header analyzerpaste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. 02email thread reconstructordrop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  3. 03.eml / .msg email header chain analyzerdrop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. 04pdf object explorerdrop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
  5. 05pdf forensicsdrop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
  6. 06pdf author and revision metadata deep analyzerdrop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
  7. 07document metadata genealogy tracerdrop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
  8. 08document metadata inconsistency finderdrop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally

editorial overlap

3 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
case report generatorfatcousin cross export ioc hash correlatorfatcousin multi tool super timeline correlator

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward payroll fraud if you see…

  • unauthorized direct-deposit or routing-number edit in ADP/Workday/UKG audit export
  • ghost employee row, hours inflation, or termination-bypass pattern in HCM — not vendor invoice PDF
  • payroll-system anomaly without tampered AP invoice or bill.com vendor bank-change workflow

lean toward invoice fraud if you see…

  • tampered invoice PDF incremental updates or vendor bank-detail change in AP/bill.com audit
  • vendor lookalike payment request with paid-invoice artifact — not HCM direct-deposit export
  • AP approval-chain tamper tied to invoice artifact — not ghost employee in payroll platform
ready