report fraud vs tech support scam
individual victim at 11pm — pop-up scam vs how do I report to ic3/ftc? report-this-fraud is the consumer-fraud entry point for agency draft prep when there is no active remote-access session to triage. tech-support-scam is endpoint forensics when a call center installed RDP/RMM and demanded gift cards or wires. wrong call sends victims to remote-desktop-log-clearing-detector when they need ic3/ftc prep-kits — or vice versa, missing live RMM artifacts while only building report drafts.
primary tools · side by side
ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.
report this fraud
kitchen-at-11pm entry — you were scammed and need an official report. four prep-kits turn receipts · chat logs · bank exports into draft ic3 · ftc · cfpb · state ag filings you submit yourself. pick the right agency after you preserve evidence and quantify loss.
- 01 ic3 fbi cybercrime complaint prep kit: victim evidence → ic3 complaint draft · json + section outline · draft only · runs locally
- 02 ftc report fraud submission prep kit: victim evidence → reportfraud.ftc.gov draft · json + checklist · draft only · runs locally
- 03 cfpb financial complaint prep kit: victim evidence → cfpb complaint draft · json + summary · draft only · runs locally
- 04 state ag consumer complaint multi-state prep kit: victim evidence → ny/ca ag complaint draft · json + summary · ny+ca only · runs locally
- 05 case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
tech support scam
pop-up → call center → remote-access install → gift-card / wire payout. evidence is RDP / RMM tooling and the call recording / payment.
- 01 remote desktop log clearing and gap detector: drop rdp evtx csvs · detect rdp session log gaps · identify rdp channel clearing · surface rdp session reconstruction with cleared log indicators · runs locally
- 02 rdp cache parser: drop .bmc/.bin cache files · RDP8 magic or legacy BGRA tiles · thumbnail grid · hide uniform tiles · export zip · runs locally
- 03 live response tool execution artifact detector: drop prefetch shimcache amcache or 4688 evtx csv · detect live response and triage collection tool execution · identify when and how live response was performed · surface kape triage collector and incident response tool artifacts · runs locally
- 04 LOLBin execution burst detector: drop 4688 or sysmon evtx csv · detect living off the land binary execution · identify lolbin abuse patterns · surface unusual lolbin invocations and burst usage · runs locally
- 05 browser history extractor: drop a Chrome or Firefox SQLite history DB · extract URLs · visit counts · timestamps · typed URLs · export CSV · runs locally
- 06 browser extension analyzer: drop Chrome or Firefox extension folder or .crx · parse manifest · permissions · background scripts · content scripts · flag dangerous permissions · export report · runs locally
- 07 chrome extension analyzer: drop crx or manifest.json · permissions audit · content scripts · risk score · script patterns · runs locally
- 08 powershell deobfuscator: paste obfuscated powershell · base64 utf-16 · deflate gzip · concat replace · char arrays · multi-pass · iocs · runs locally
editorial overlap
lean toward…
disambiguation signals derived from case-type descriptions and common practitioner confusion points.
lean toward report fraud if you see…
- victim needs ic3 · ftc · cfpb · or state ag complaint normalization — no live remote-access session on the device right now
- money already lost via wire · crypto · or gift card — evidence is receipts and chat logs, not powershell or RDP cache
- primary ask is which agency form to file — not whether AnyDesk or ScreenConnect is still installed
lean toward tech support scam if you see…
- active or recent RDP/RMM install tied to a fake support pop-up or unsolicited phone call
- remote-desktop-log-clearing-detector or lolbin burst on the endpoint during the scam session
- gift-card purchase pressure or screen-sharing while malware persists — triage device before filing reports