// first 10 minutes
invoice fraud / vendor account change — quick-start
invoice fraud — first 10 minutes. freeze the payment, preserve the email thread. print this, check boxes, then run the primary tools.
checklist
- call the originating bank immediately if a wire or ACH was initiated — recall window is 24–72 hours.
- call the legitimate vendor at a known phone number (not from the invoice) — confirm whether they sent the payment change request.
- preserve the fraudulent invoice as a PDF and the email delivering it as a .eml — do not forward.
- preserve the legitimate vendor's prior invoice for comparison — metadata differences are the evidence.
- export email send/receive headers for the fraudulent invoice email — look for lookalike domains and reply-to manipulation.
- pull mailbox rules for the accounts involved in the AP or procurement chain — rules are often added to intercept correction emails.
- export sign-in logs for accounts that approved or processed the payment change request.
- compare the payment instructions (routing/account number) against the vendor's on-file bank details — note the delta.
- file at ic3.gov with the recipient account number and wire reference — financial institutions respond faster to IC3-flagged cases.
- begin the primary tool path below — email header analyzer and invoice metadata comparison tool.
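Added example (not one of the tools listed on this page): a small Python triage script for the header and payment-delta checks in the list above. It parses a preserved .eml, compares the From and Reply-To domains, flags lookalike domains against the vendor's known domain (digit-for-letter substitutions plus a similarity ratio), lists the originating host of each Received hop, and diffs the bank details in the message body against what AP has on file. The sample message, domains, IPs and bank details are constructed for the example; the `known_vendor_domain` and `on_file` inputs are assumed to come from the vendor master record.

```python
"""Vendor-fraud email triage: From vs Reply-To domain, lookalike domains,
Received chain, and invoice bank details vs on-file details.
Added example; not any of the tools listed on the page."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample .eml (fictitious domains and addresses, RFC 5737 IPs).
SAMPLE_EML = b"""Received: from mail.examp1e-vendor.com (mail.examp1e-vendor.com [203.0.113.10])
 by mx.corp.example (Postfix) with ESMTP id ABC123; Mon, 3 Jun 2024 09:12:01 +0000
Received: from [198.51.100.7] by mail.examp1e-vendor.com with ESMTPA;
 Mon, 3 Jun 2024 09:11:58 +0000
From: "Accounts Receivable" <billing@example-vendor.com>
Reply-To: billing@examp1e-vendor.com
To: ap@corp.example
Subject: Updated remittance details for invoice 4471
Message-ID: <a1b2c3@examp1e-vendor.com>
Date: Mon, 3 Jun 2024 09:11:55 +0000
Content-Type: text/plain; charset="us-ascii"

Please update our bank details effective immediately:
routing 021000021 account 998877
"""

# Vendor bank details already on file in AP (constructed; assumed input).
ON_FILE = {"routing": "011000015", "account": "123456"}

# Digit-for-letter substitutions commonly seen in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Collapse common confusables so 'examp1e' and 'example' compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def lookalike(domain: str, known: str) -> bool:
    """True when domain is not the known vendor domain but is easily mistaken for it."""
    domain, known = domain.lower(), known.lower()
    if domain == known:
        return False
    if normalize(domain) == normalize(known):
        return True
    return difflib.SequenceMatcher(None, domain, known).ratio() >= 0.85


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lowercased ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def base_domain(host: str) -> str:
    """Last two labels of a hostname; good enough for this triage."""
    return ".".join(host.lower().split(".")[-2:])


def received_hops(msg):
    """Originating host named in each Received header, latest hop first."""
    hops = []
    for h in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", str(h))
        if m:
            hops.append(m.group(1))
    return hops


def extract_payment_details(body: str) -> dict:
    """Pull 'routing NNN account NNN' from the body (pattern assumed for the sample)."""
    m = re.search(r"routing\s+(\d+)\s+account\s+(\d+)", body, re.I)
    return {"routing": m.group(1), "account": m.group(2)} if m else {}


def payment_delta(on_file: dict, invoice: dict) -> dict:
    """Fields where the invoice's bank details differ from what AP has on file."""
    return {k: (on_file[k], invoice.get(k)) for k in on_file if invoice.get(k) != on_file[k]}


def triage(raw: bytes, known_vendor_domain: str, on_file: dict) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    hops = received_hops(msg)
    candidates = {from_dom, reply_dom} | {base_domain(h) for h in hops if not h.startswith("[")}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # Reply-To pointing somewhere other than From is the classic thread-hijack tell.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "lookalike_domains": sorted(d for d in candidates if d and lookalike(d, known_vendor_domain)),
        "hops": hops,
        "payment_delta": payment_delta(on_file, extract_payment_details(body)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML, "example-vendor.com", ON_FILE).items():
        print(f"{key}: {value}")
```

Run it against the preserved .eml instead of the constructed sample and keep the printed findings with the case file; the `payment_delta` output is the "note the delta" item from the checklist in machine-readable form.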
primary tools
- 01 email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- 02 email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- 03 .eml / .msg email header chain analyzer: drop an .eml or .msg file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- 04 pdf object explorer: drop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
- 05 pdf forensics: drop a PDF · inspect objects and streams · extract JavaScript · embedded files · suspicious actions · object tree · malware analysis · runs locally
- 06 pdf author and revision metadata deep analyzer: drop a PDF · extract the full document information dictionary and XMP metadata · parse creation and modification timestamps · surface author, software version, revision count and producer chain · runs locally
- 07 document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- 08 document metadata inconsistency finder: drop docx / xlsx / pptx / pdf · core and app props vs PDF info · temporal author / revision heuristics · tracked changes timeline · runs locally
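Added example (not the page's "email thread reconstructor", tool 02, but the same idea in a few dozen lines of Python): rebuild the reply tree from a set of preserved .eml messages using Message-ID, In-Reply-To and References, flag any reply whose parent is not in the preserved set (either a deleted message or one injected from outside the thread), and emit a flat, date-ordered timeline with CSV export. The three sample messages and their domains are constructed; the parent is chosen as In-Reply-To first, falling back to the last References entry, which is the usual convention and an assumption here.

```python
"""Reply-tree reconstruction from .eml messages with missing-parent flags.
Added example; not the page's 'email thread reconstructor'."""
import csv
import email
import io
from email import policy

# Constructed sample thread (fictitious). m2 is a genuine reply to m1; m3 claims
# to reply to <m9@example-vendor.com>, which is not in the preserved set.
SAMPLE_MESSAGES = [
    b"""Message-ID: <m1@example-vendor.com>
From: billing@example-vendor.com
Date: Mon, 3 Jun 2024 08:00:00 +0000
Subject: Invoice 4471

Attached.
""",
    b"""Message-ID: <m2@corp.example>
In-Reply-To: <m1@example-vendor.com>
References: <m1@example-vendor.com>
From: ap@corp.example
Date: Mon, 3 Jun 2024 08:30:00 +0000
Subject: Re: Invoice 4471

Received, processing.
""",
    b"""Message-ID: <m3@examp1e-vendor.com>
In-Reply-To: <m9@example-vendor.com>
References: <m1@example-vendor.com> <m9@example-vendor.com>
From: billing@examp1e-vendor.com
Date: Mon, 3 Jun 2024 09:11:55 +0000
Subject: Re: Invoice 4471 - updated remittance details

Please update our bank details.
""",
]


def parse_messages(raws) -> dict:
    """Map Message-ID -> parsed message; messages without an ID get a placeholder."""
    msgs = {}
    for i, raw in enumerate(raws):
        m = email.message_from_bytes(raw, policy=policy.default)
        mid = str(m["Message-ID"] or "").strip() or f"<no-id-{i}>"
        msgs[mid] = m
    return msgs


def parent_id(msg):
    """Parent: In-Reply-To if present, else the last References entry (assumed convention)."""
    irt = msg.get("In-Reply-To")
    if irt:
        return str(irt).split()[0]
    refs = msg.get("References")
    return str(refs).split()[-1] if refs else None


def build_tree(msgs: dict):
    """children: parent id (None for roots) -> [child ids];
    missing: child id -> parent id that is not in the preserved set."""
    children, missing = {}, {}
    for mid, m in msgs.items():
        pid = parent_id(m)
        children.setdefault(pid, []).append(mid)
        if pid is not None and pid not in msgs:
            missing[mid] = pid
    return children, missing


def timeline(msgs: dict):
    """Flat, date-ordered rows: (date, message id, from, parent id, flag)."""
    rows = []
    for mid, m in msgs.items():
        pid = parent_id(m)
        flag = "MISSING-PARENT" if pid and pid not in msgs else ""
        rows.append((m["Date"].datetime, mid, str(m["From"]), pid, flag))
    return sorted(rows, key=lambda r: r[0])


def to_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["date", "message_id", "from", "parent_id", "flag"])
    for date, mid, sender, pid, flag in rows:
        w.writerow([date.isoformat(), mid, sender, pid or "", flag])
    return buf.getvalue()


def render(children: dict, msgs: dict, missing: dict):
    """Indented tree; replies whose parent was not preserved appear as extra roots."""
    def walk(pid, depth):
        out = []
        for cid in children.get(pid, []):
            mark = f"  [parent {missing[cid]} not preserved]" if cid in missing else ""
            out.append("  " * depth + f"{cid} from {msgs[cid]['From']}{mark}")
            out.extend(walk(cid, depth + 1))
        return out
    lines = walk(None, 0)
    for orphan_parent in sorted(set(missing.values())):
        lines.extend(walk(orphan_parent, 0))
    return lines


if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_MESSAGES)
    children, missing = build_tree(msgs)
    print("\n".join(render(children, msgs, missing)))
    print(to_csv(timeline(msgs)))
```

A MISSING-PARENT flag on the message that introduced the bank-detail change is exactly the pattern to look for when checking whether the change request was grafted onto a legitimate invoice thread.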