fatcousin
// case comparison

wire fraud at closing vs BEC

homebuyer wired to a fraud account — intake often says BEC because it started in email. wire fraud at closing has alta settlement artifacts, title-software audit, and closing-packet docusign revision that generic BEC playbooks skip. wrong call sends title counsel to mailbox-rule graphs when they need qualia wire-instruction change detection — or sends AP fraud to MT103 when there is no title file number.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

wire fraud at closing · title escrow

homebuyer wired to fraud account — spoofed escrow-instruction email · closing-packet pdf revision · qualia/docusign audit · MT103 wire message. distinct from generic BEC — alta settlement and title file number in evidence.

  1. 01qualia title platform audit log forensic analyzerdrop qualia activity log · wire instruction diff · shield prior-wire · runs locally
  2. 02docusign real estate closing packet cert chain analyzerdrop docusign listauditevents export · alta/cd doc roles · closing correction chain · runs locally
  3. 03swift mt message forensic analyzerdrop swift mt103 / mt202 / mt940 messages · parse beneficiary + correspondent + amount · runs locally
  4. 04email header analyzerpaste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  5. 05case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
case b

business email compromise (BEC)

vendor impersonation · payroll redirect · wire fraud · spoofed reply chains. evidence is almost always email headers, mailbox rules, and login telemetry.

  1. 01email header analyzerpaste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. 02email thread reconstructordrop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  3. 03.eml / .msg email header chain analyzerdrop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. 04email spoofing and SPF/DKIM/DMARC header validatorpaste raw email headers or drop eml file · validate authentication headers · detect spoofing indicators · surface spf dkim and dmarc results · identify header inconsistencies indicating spoofed or forged email · runs locally
  5. 05received header hop analyzerpaste raw email headers or drop eml · parse all received headers · reconstruct smtp routing path hop by hop · compute per-hop timing · surface anomalous delays private ips and inconsistent hostnames · runs locally
  6. 06mailer and email client fingerprint identifierdrop eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged x-mailer headers and mailer fingerprint mismatches · runs locally
  7. 07email impersonation pattern detectordrop multiple eml files or paste headers · detect display name spoofing domain lookalikes and reply-to hijacking · identify impersonation patterns targeting specific individuals or organizations · surface BEC and CEO fraud indicators · runs locally
  8. 08mail rule parserdrop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names conditions actions · flag suspicious forward redirect · CSV export · runs locally

editorial overlap

4 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
email header analyzeremail thread reconstructorfatcousin cross export ioc hash correlatorfatcousin multi tool super timeline correlator

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward wire fraud at closing if you see…

  • spoofed escrow-instruction email paired with closing-packet pdf revision or qualia/docusign audit anomaly
  • MT103 or fednow wire message with earnest-money or closing disbursement purpose
  • title file number · alta settlement · RON session log in evidence profile
  • beneficiary ABA/routing change after file open in title-software audit

lean toward BEC if you see…

  • vendor or executive impersonation thread with AP/payroll redirect — no alta or title-software file
  • wire-fraud thread in email headers without closing-packet revision ghost layer
  • primary artifact is mailbox rules and login telemetry — not title platform export
ready