Online Fraud and Financial Cybercrime
Financial cybercrime encompasses phishing, business email compromise, card-not-present fraud, and investment scams that collectively cause hundreds of billions in annual losses. This topic examines each scheme's mechanics, common victim profiles, and the evidence trails investigators pursue.
Online fraud and financial cybercrime refer to the use of digital networks to deceive victims into transferring money, surrendering credentials, or authorising fraudulent transactions. The major categories are phishing and spear-phishing, business email compromise (BEC), card-not-present (CNP) fraud, and investment or advance-fee scams. Each category has a distinct attack anatomy, a characteristic victim profile, and a specific set of digital artefacts that investigators recover and analyse. Across all categories, losses are estimated in the hundreds of billions of US dollars annually, and investment fraud and BEC consistently top the loss tables in national reporting series such as the FBI's IC3 annual report.
Financial cybercrime sits at the intersection of traditional fraud law and cyber law. The attack methods rely on social engineering as much as on technical exploitation, but the evidence is digital: email headers, IP address logs, domain registration records, payment processor data, and blockchain transaction histories. Investigators must understand both the psychological manipulation that drives the scheme and the network-layer artefacts that allow attribution.
The global scale of financial cybercrime drives continuous evolution in both offending and investigation. Attackers use bulletproof hosting, disposable domains, cryptocurrency mixing, and money mule networks to obscure the trail. Investigators counter with subpoenas to payment processors and exchanges, mutual legal assistance treaty requests, blockchain analytics, and cooperation with specialist units such as the FBI's Internet Crime Complaint Center (IC3), Interpol's Financial Crime and Anti-Corruption Centre (IFCACC), and the UK's National Fraud Intelligence Bureau (NFIB).
By the end of this topic you will be able to:
- Describe the mechanics of phishing, BEC, CNP fraud, and investment scams, and identify the distinguishing features of each.
- Explain how attackers monetise stolen credentials and card data through money mule networks and cryptocurrency conversion.
- List the digital artefacts that investigators collect in each fraud category, from email headers to blockchain transaction records.
- Apply the relevant legal frameworks in India, the US, and the UK to classify a financial cybercrime scenario and identify the charging statutes.
- Explain how cryptocurrency tracing supports attribution in financial cybercrime cases, including the role of exchange identity verification.
- Phishing
- A mass deception attack delivered by email, SMS (smishing), or voice call (vishing) in which the attacker impersonates a trusted entity to steal credentials, payment data, or money. Spear-phishing is a targeted variant directed at a specific individual or organisation using personalised detail.
- Business Email Compromise (BEC)
- A fraud in which an attacker impersonates a trusted executive, finance counterpart, or supplier over email to authorise fraudulent wire transfers or redirect payments. BEC attacks frequently follow a period of silent email account access in which the attacker studies payment workflows before striking.
- Card-not-present (CNP) fraud
- Fraudulent use of payment card data in a transaction where the physical card is absent, typically an online or telephone purchase. The attacker requires only card number, expiry date, and security code, data obtainable through breaches or phishing.
- Money mule
- A person who receives fraudulently obtained funds into their bank account and transfers them onward, taking a commission. Mules may be witting (actively recruited) or unwitting (deceived through romance or job scams). They form the cash-out layer of the fraud chain.
- Advance-fee fraud
- A scheme in which the victim is promised a large future payment in exchange for an upfront fee. Variants include the classic 419 fraud, lottery scams, and romance scams where the supposed partner requests money for travel, medical, or customs fees.
- Blockchain analytics
- The use of tools such as Chainalysis, Elliptic, or CipherTrace to trace cryptocurrency fund flows across a public ledger. Because most public blockchains record every transaction permanently, investigators can follow funds from a victim payment to an exchange deposit address, where identity information may be compelled by court order. Mixing services and cross-chain swaps break the direct ledger link, so the parts of a trace that pass through them are inferences from timing and amounts rather than facts read from the chain, and need corroboration.
Phishing and spear-phishing
Phishing campaigns begin with attacker-controlled infrastructure: a domain that visually mimics a legitimate brand, a web server hosting a credential-capture page, and a sending channel (bulk mail service, compromised mail server, or bulletproof host) chosen to get past spam filtering. The domain is typically registered days or hours before the campaign launches with WHOIS privacy enabled, then abandoned afterwards to complicate attribution; passive DNS and certificate transparency logs often preserve the trail the registrant tried to erase. The sending email often forges the From header to display a legitimate-looking name and address while the message actually routes through the attacker's infrastructure.
Mass phishing relies on volume: millions of messages are sent in the hope that a fraction of recipients will click the link and submit credentials. Spear-phishing reduces volume and increases targeting. The attacker researches the victim through social media, company websites, and prior data breaches, then crafts a message referencing a plausible context: a shared project, a pending invoice, a supplier relationship. Spear-phishing is the primary delivery method for BEC and many ransomware intrusions.
Email headers are the first evidence layer. The Received chain, read bottom-up, shows the actual SMTP relay path, which often differs from the domain shown in the From header; only the hops added by servers the investigator trusts are reliable, because the originating host can prepend forged Received lines of its own. The X-Originating-IP header, where present, records the IP address of the client that submitted the message. The receiving server's Authentication-Results header records whether SPF (was the connecting IP authorised by the envelope sender's domain), DKIM (does the signature verify against the signing domain's published key) and DMARC (do those domains align with the From header) passed or failed. A DMARC failure on a message claiming a genuine domain is strong evidence of spoofing, but a pass proves little on its own: an attacker who registers a lookalike domain publishes SPF and DKIM records for it, and the message authenticates cleanly as exactly what it is, mail from the attacker's domain. Authentication results are therefore presented as part of the evidential picture alongside the relay path and domain registration data, not as proof of spoofing in themselves.
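The checks above, as an added example (not code from the original page): it parses two constructed messages with Python's standard email library, walks the Received chain oldest-first, pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header, tests whether the Return-Path and From domains align, and compares the From domain against the organisation's genuine domain with a simple lookalike test. The messages, hostnames, IP addresses (taken from the documentation ranges) and mail domains are constructed for the example; the genuine domain acmecorp.com and the lookalike finance-acme-corp.com are the ones used in the exercise later on this page.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: payment-diversion mail from a lookalike domain the attacker
# owns, so SPF, DKIM and DMARC all pass. Hosts, IPs and domains are invented.
LOOKALIKE_MESSAGE = b"""Return-Path: <accounts@finance-acme-corp.com>
Received: from mx1.example-receiver.net (mx1.example-receiver.net [203.0.113.5])
\tby mail.acmecorp.com (Postfix) with ESMTPS id 4XYZ123
\tfor <payables@acmecorp.com>; Tue, 04 Jun 2024 09:12:44 +0000
Received: from vps-9182.cheap-host.example (unknown [198.51.100.77])
\tby mx1.example-receiver.net with ESMTP id abc123; Tue, 04 Jun 2024 09:12:41 +0000
Authentication-Results: mail.acmecorp.com;
\tspf=pass smtp.mailfrom=finance-acme-corp.com;
\tdkim=pass header.d=finance-acme-corp.com;
\tdmarc=pass header.from=finance-acme-corp.com
From: "Jane Doe, CFO" <jane.doe@finance-acme-corp.com>
Subject: Updated bank details for invoice 4471

Please use the new account below for the pending invoice payment.
"""

# Constructed sample 2: From header forged to the genuine domain; the relay is not
# authorised for acmecorp.com, so SPF and DMARC fail at the receiving server.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@bulk-sender.example>
Received: from relay7.bulk-sender.example (unknown [198.51.100.23])
\tby mail.acmecorp.com (Postfix) with ESMTP id 77ABC; Tue, 04 Jun 2024 10:01:02 +0000
Authentication-Results: mail.acmecorp.com;
\tspf=fail smtp.mailfrom=bulk-sender.example;
\tdkim=none; dmarc=fail header.from=acmecorp.com
From: "Acme Payroll" <payroll@acmecorp.com>
Subject: Confirm your direct deposit details

Body omitted.
"""


def parse_auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server (first one wins)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts.setdefault(method, verdict.lower())
    return verdicts


def received_chain(msg):
    """Relay path oldest-first as (sending_host, sending_ip, receiving_host).
    Each hop prepends a Received header, so the last one is the origin; only hops
    written by servers you trust are reliable, the origin can forge earlier ones."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"from (\S+) \(([^)]*)\) by (\S+)", " ".join(str(hdr).split()))
        if m:
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group(2))
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _core(domain):
    # Drop the top-level label, then hyphens and dots: acme-corp.co -> acmecorp.
    return re.sub(r"[-.]", "", ".".join(domain.lower().split(".")[:-1]))


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate, genuine):
    """Deliberately simple test: containment or at most two edits after normalisation."""
    if candidate.lower() == genuine.lower():
        return False
    c, g = _core(candidate), _core(genuine)
    return g in c or _edit_distance(c, g) <= 2


def analyse(raw_message, genuine_domain):
    """Header-level findings an investigator records for one message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg)
    hops = received_chain(msg)
    failed = any(auth.get(m) == "fail" for m in ("spf", "dkim", "dmarc"))
    if from_domain == genuine_domain.lower():
        # A failure on the genuine domain means forged headers; a pass means the mail
        # really left that domain, so the question becomes account takeover.
        verdict = "spoofed-from-header" if failed else "authenticated-genuine-domain"
    elif is_lookalike(from_domain, genuine_domain):
        verdict = "lookalike-domain"  # authenticates fine for the attacker's own domain
    else:
        verdict = "unrelated-domain"
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "aligned": from_domain == return_path_domain, "auth": auth,
            "origin_ip": hops[0][1] if hops else None, "relay_path": hops,
            "verdict": verdict}
```

The first message passes SPF, DKIM and DMARC and is still fraudulent: the attacker owns finance-acme-corp.com and published valid records for it. The second claims acmecorp.com in the From header and fails DMARC, which is the spoofing signature the Authentication-Results header records. The lookalike test here strips the top-level label, hyphens and dots before comparing; production tooling would also check homoglyphs and the organisation's own registered variants.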
Business email compromise
BEC begins with reconnaissance. The attacker identifies the target organisation's payment workflow, including who authorises large transfers, which suppliers are paid by wire, and what email conventions the organisation uses. Reconnaissance may come from open sources (company website, LinkedIn, press releases) or from a prior phishing attack that gave the attacker silent access to the email account of an employee involved in payments.
| BEC variant | Impersonation target | Instruction sent | Typical loss size |
|---|---|---|---|
| CEO fraud | Chief executive | Urgent wire transfer to a new account | USD 50K to USD 5M+ |
| Supplier impersonation | Known vendor | Bank account change for next payment | Invoice value |
| Attorney impersonation | Lawyer handling a deal | Final payment into escrow account | Deal value |
| Employee payroll redirect | HR or payroll staff | Change direct deposit details | Monthly salary |
The fraud email may originate from a fully compromised legitimate account (account takeover) or from a lookalike domain registered to mimic the genuine one. In account takeover BEC, the attacker sets a mailbox rule to delete replies from the finance team before the real account owner sees them, maintaining the illusion of a clean inbox. Evidence of this rule, a forwarding filter or auto-delete rule visible in mailbox configuration logs, is often the clearest indicator of compromise.
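One way to hunt for those rules in mailbox audit logs, as an added example and not code from the page: it scans constructed audit records, modelled on the shape of Microsoft 365 unified audit log entries (an Operation name plus a list of Name/Value Parameters), for inbox rules that delete or hide mail, forward it outside the tenant, or filter on finance keywords, and for mailbox-level forwarding changes. The users, addresses, timestamps and IPs are invented, and the field names are an assumption about the log format that should be checked against the export you actually receive.

```python
import json
import re

# Constructed audit records (newline-delimited JSON). Field names follow the shape of
# M365 unified audit log entries as an assumption; all values are invented.
AUDIT_LOG = """
{"CreationTime":"2024-06-03T22:14:09","Operation":"New-InboxRule","UserId":"payables@acmecorp.com","ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-06-03T08:30:00","Operation":"New-InboxRule","UserId":"alice@acmecorp.com","ClientIP":"192.0.2.10","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-06-03T22:16:41","Operation":"Set-Mailbox","UserId":"payables@acmecorp.com","ClientIP":"198.51.100.77","Parameters":[{"Name":"Identity","Value":"payables@acmecorp.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:finance.archive@freemail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-06-03T22:10:02","Operation":"UserLoggedIn","UserId":"payables@acmecorp.com","ClientIP":"198.51.100.77","Parameters":[]}
"""

# Folders attackers use to hide replies from the real account owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank", "swift", "iban"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}


def load_records(text):
    """Parse newline-delimited JSON audit records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(record, tenant_domain):
    """Reasons a rule or forwarding change looks like BEC tradecraft; [] if none."""
    op = record.get("Operation", "")
    if op not in RULE_OPS:
        return []
    p = {x["Name"]: str(x.get("Value", "")) for x in record.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in '{p['MoveToFolder']}'")
    for key in FORWARD_KEYS:
        for addr in re.findall(r"[\w.+-]+@[\w.-]+", p.get(key, "")):
            if not addr.lower().endswith("@" + tenant_domain.lower()):
                reasons.append(f"{key} sends mail to external address {addr}")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
    if words & FINANCE_WORDS:
        reasons.append("rule filters on finance keywords " + ", ".join(sorted(words & FINANCE_WORDS)))
    # Attackers often name the rule "." or "," so it is easy to overlook in the UI.
    if reasons and "InboxRule" in op and not p.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def find_suspicious_rules(text, tenant_domain):
    """Scan the records and return the ones worth an analyst's attention, oldest first."""
    findings = []
    for rec in sorted(load_records(text), key=lambda r: r.get("CreationTime", "")):
        reasons = assess(rec, tenant_domain)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"), "operation": rec["Operation"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(AUDIT_LOG, "acmecorp.com"):
        print(f)
```

The two findings share a client IP and a two-minute window, which is the pattern to pivot on: the same session that created the hiding rule also set mailbox-level forwarding, and the login record just before it gives the time and address to correlate against the phishing email that delivered the credentials.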
Wire transfers in BEC cases typically move through a domestic mule account before being forwarded internationally. In the US, the FBI's IC3 Recovery Asset Team coordinates freezes of domestic wires, while its Financial Fraud Kill Chain and FinCEN's Rapid Response Program cover transfers that have already gone abroad; UK banks operate recall procedures for Faster Payments and CHAPS transfers. In every case the window is narrow, typically 24 to 72 hours, and it closes once the mule withdraws or forwards the funds. Investigators who receive a BEC report should treat the first call to the victim's bank as a higher priority than evidence collection: a successful recall eliminates the financial harm. Evidence collection follows immediately after the recall request is lodged.
Card-not-present fraud
CNP fraud requires payment card data. Attackers obtain it through three primary channels: data breaches at retailers or payment processors (which yield bulk card dumps), phishing or formjacking that captures card data at the point of entry, and carding marketplaces on the dark web where stolen card data is traded. The card dump typically includes the primary account number (PAN), expiry date, cardholder name, and billing address. The card verification code (CVV2/CVC2) is often captured separately through phishing or formjacking, because PCI DSS forbids storing it after authorisation and it is therefore rarely present in breach dumps.
Attackers test stolen card data through low-value authorisation attempts against merchant APIs, a technique known as card testing (also called card checking or carding). Successful checks confirm the card is live and not yet blocked. The data is then used directly for purchases or sold on carding forums at higher prices because viability has been confirmed. Investigators can identify card-testing probes in merchant logs through high-frequency, low-value authorisation requests against many different cards from a single IP address or device fingerprint, usually with a high decline rate because much of a dump is already dead.
Evidence in CNP cases sits at the merchant and payment processor level. Acquirer and issuer logs record the IP address, device fingerprint, billing address entered, and shipping address for every transaction. Mismatches between billing and shipping addresses, IP geolocation outside the cardholder's country, and velocity anomalies (many transactions in a short window) are the primary signals. Payment processors retain these logs for periods ranging from roughly 90 days to a year, so investigators should issue preservation requests as early as possible.
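The signals described in the last two paragraphs, as an added example (not from the original page): it reads a constructed merchant authorisation log, detects card-testing bursts with a sliding window over low-value authorisations per source IP and device fingerprint, and then flags later higher-value purchases that show a billing/shipping mismatch, out-of-country IP geolocation, or a card that already appeared in a testing burst. Every row, IP address and masked card reference is invented, and the column layout is an assumption, since real acquirer exports differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed acquirer-side authorisation log (CSV). The column layout is an
# assumption; IPs are documentation addresses and pan-* values stand for masked cards.
AUTH_LOG = """\
ts,ip,device,pan,amount,billing_country,shipping_country,ip_country,result
2024-06-04T09:00:01Z,198.51.100.9,fp-a1,pan-4111-0001,1.00,US,US,DE,declined
2024-06-04T09:00:07Z,198.51.100.9,fp-a1,pan-4111-0002,1.00,US,US,DE,declined
2024-06-04T09:00:12Z,198.51.100.9,fp-a1,pan-4111-0003,1.00,GB,GB,DE,approved
2024-06-04T09:00:18Z,198.51.100.9,fp-a1,pan-4111-0004,0.99,US,US,DE,declined
2024-06-04T09:00:25Z,198.51.100.9,fp-a1,pan-4111-0005,1.00,CA,CA,DE,approved
2024-06-04T09:00:31Z,198.51.100.9,fp-a1,pan-4111-0006,1.00,US,US,DE,declined
2024-06-04T09:41:03Z,203.0.113.44,fp-b7,pan-4111-0003,1249.00,GB,DE,DE,approved
2024-06-04T10:15:40Z,192.0.2.12,fp-c3,pan-5500-0042,59.90,IN,IN,IN,approved
"""


def parse_log(text):
    """CSV with a header row into a list of dicts with typed ts and amount."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = lines[0].split(",")
    events = []
    for line in lines[1:]:
        e = dict(zip(cols, line.split(",")))
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["amount"] = float(e["amount"])
        events.append(e)
    return events


def detect_card_testing(events, window_minutes=5, max_amount=2.0, min_attempts=5):
    """Sliding window over low-value authorisations per (ip, device). A source that
    fires min_attempts or more inside the window is a card-testing probe; the latest
    qualifying run for each source is reported."""
    by_source = defaultdict(list)
    for e in events:
        if e["amount"] <= max_amount:
            by_source[(e["ip"], e["device"])].append(e)
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            run = evs[start:end + 1]
            if len(run) >= min_attempts:
                bursts[source] = {
                    "attempts": len(run),
                    "pans": sorted({x["pan"] for x in run}),
                    "declines": sum(x["result"] == "declined" for x in run),
                    "first": run[0]["ts"].isoformat(),
                    "last": run[-1]["ts"].isoformat(),
                }
    return bursts


def flag_transaction(e, tested_pans):
    """Per-transaction signals investigators look for in acquirer and issuer logs."""
    flags = []
    if e["billing_country"] != e["shipping_country"]:
        flags.append("billing/shipping country mismatch")
    if e["ip_country"] != e["billing_country"]:
        flags.append("IP geolocation outside billing country")
    if e["pan"] in tested_pans:
        flags.append("card previously seen in a card-testing burst")
    return flags


def review(text, max_amount=2.0):
    """Return (card-testing bursts, flagged purchases above the testing threshold)."""
    events = parse_log(text)
    bursts = detect_card_testing(events, max_amount=max_amount)
    tested = {pan for b in bursts.values() for pan in b["pans"]}
    flagged = []
    for e in events:
        if e["amount"] > max_amount:
            flags = flag_transaction(e, tested)
            if flags:
                flagged.append({"ts": e["ts"].isoformat(), "pan": e["pan"],
                                "amount": e["amount"], "flags": flags})
    return bursts, flagged


if __name__ == "__main__":
    bursts, flagged = review(AUTH_LOG)
    print(bursts)
    print(flagged)
```

The link between the two halves is the useful part: the card that was approved during the burst is the one used forty minutes later for the high-value order shipped to a different country, which is how a merchant-side analyst ties a cash-out purchase back to the probe that validated the card. Thresholds (window, amount, attempt count) are tuned per merchant; the values here are illustrative.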
Investment scams and advance-fee fraud
Investment scams and advance-fee fraud share a common structure: the victim is promised a future gain conditional on an upfront payment. In advance-fee fraud (the classic 419 scheme), the promised gain is notional, a lottery prize, an inheritance, or a government contract, and every payment the victim makes generates a new pretext for another payment. In investment fraud, the promised gain is styled as a return on capital: cryptocurrency trading platforms, forex robots, or commodity funds that show fabricated profits on a fake dashboard until the victim attempts to withdraw.
Pig butchering (sha zhu pan) is a high-value variant that combines romance fraud with investment fraud. The attacker builds a relationship with the victim over weeks or months, often through a misdelivered-message opener on WhatsApp or Telegram, then introduces a cryptocurrency investment opportunity. The victim is onboarded to a fake trading platform, shown convincing profits, and encouraged to deposit increasing amounts. When the attacker decides the victim is exhausted, withdrawal requests are blocked with pretexts (taxes, compliance fees), and contact ends. Losses per victim regularly exceed USD 50,000 and can reach seven figures.
Evidence in investment fraud cases includes domain registration records for the fake trading platform, SSL certificate history, IP hosting records, payment rails used for deposits (cryptocurrency addresses, bank wire details), communication metadata from WhatsApp or Telegram, and the victim's transaction receipts. Where victims used cryptocurrency, blockchain analytics can trace the destination wallets, often revealing aggregation points that link multiple victims to the same fraud group.
Money mule networks and cryptocurrency cash-out
No financial fraud scheme ends with the stolen money sitting in an account in the attacker's own name. Moving funds from the victim to a point where the attacker can spend them requires a layering step. For fiat currency, that step is the money mule network; for cryptocurrency, it is a combination of mixing services, chain-hopping (converting between cryptocurrencies), and cash-out at exchanges.
Money mules are recruited through job advertisements (offering work-from-home payment processing roles), romance relationships, and direct solicitation on social media. A mule receives funds into their personal bank account and is instructed to withdraw cash or convert to cryptocurrency and send it to an address controlled by the fraud operator. The mule's account absorbs any financial institution fraud flags that would otherwise reach the operator. Investigating a mule account often reveals a pattern of rapid incoming and outgoing transfers, multiple transactions on the same day, and beneficiaries in high-risk jurisdictions.
Cryptocurrency cash-out relies on the transparency of public blockchains. Blockchain analytics platforms allow investigators to map fund flows from a victim payment address through mixer inputs and outputs, cross-chain bridges, and ultimately to exchange deposit addresses. The mixer and bridge segments are the weak points of a trace: the tool infers which outputs correspond to which inputs from timing and amounts, so those links are probabilistic and should be corroborated before they are relied on for attribution. When a regulated exchange enforces know-your-customer (KYC) identity verification, a court order or mutual legal assistance request can compel disclosure of the account holder's identity, linking the on-chain trail to a real person. The EU's Markets in Crypto-Assets Regulation (MiCA), together with the recast Transfer of Funds Regulation that applies the "travel rule" to crypto transfers, and India's Prevention of Money Laundering Act (PMLA), under which virtual digital asset service providers have been reporting entities since March 2023, both create disclosure frameworks that investigators use.
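The tracing described here and in the glossary entry on blockchain analytics, as an added example that is not code from the page or from any analytics vendor: a small constructed ledger (readable names instead of real addresses, amounts in an unnamed coin) in which three victim payments are swept together and then split between a path to a KYC exchange deposit address and a path into a mixer. The code follows funds forward from a victim address to labelled endpoints, finds the aggregation addresses that several victims' funds pass through, and applies the common-input-ownership heuristic that clusters addresses co-spent in one transaction. The labels for the exchange deposit and mixer addresses are assumed to come from an external attribution source; the ledger itself carries none.

```python
from collections import defaultdict, deque

# Constructed ledger in a simplified UTXO form: each tx lists the addresses it spends
# from and the (address, amount) outputs it creates. Names stand in for addresses.
LEDGER = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": [("scam1", 0.50)]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": [("scam2", 0.80)]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": [("scam1", 0.30)]},
    {"txid": "t4", "inputs": ["scam1", "scam2"], "outputs": [("agg1", 1.55), ("change1", 0.04)]},
    {"txid": "t5", "inputs": ["agg1"], "outputs": [("hop1", 1.00), ("mixerIn", 0.55)]},
    {"txid": "t6", "inputs": ["hop1"], "outputs": [("exch_dep_77", 1.00)]},
    {"txid": "t7", "inputs": ["mixerIn"], "outputs": [("mixerPool", 0.55)]},
]
# Assumed external attribution data (exchange cooperation, prior cases, vendor sets).
LABELS = {"exch_dep_77": "kyc-exchange-deposit", "mixerPool": "mixer"}


def build_graph(ledger):
    """address -> list of transactions that spend from it."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    return spends


def trace_forward(ledger, start, labels, max_hops=8):
    """BFS from a victim payment address to every labelled address it can reach.
    Traversal stops at a labelled address: a KYC exchange deposit is where a court
    order can attach a name, and a mixer pool is where deterministic tracing ends."""
    spends = build_graph(ledger)
    queue, seen, hits = deque([[start]]), {start}, []
    while queue:
        path = queue.popleft()
        if len(path) > max_hops:
            continue
        for tx in spends.get(path[-1], []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr in seen:
                    continue
                seen.add(out_addr)
                new_path = path + [out_addr]
                if out_addr in labels:
                    hits.append({"path": new_path, "entity": labels[out_addr], "txid": tx["txid"]})
                else:
                    queue.append(new_path)
    return hits


def aggregation_points(ledger, victims, labels, min_victims=2):
    """Intermediate addresses that funds from at least min_victims victims pass
    through, most shared first; these link separate complaints to one operation."""
    spends = build_graph(ledger)
    reached_by = defaultdict(set)
    for v in victims:
        stack, seen = [v], {v}
        while stack:
            for tx in spends.get(stack.pop(), []):
                for out_addr, _amount in tx["outputs"]:
                    if out_addr in seen or out_addr in labels:
                        continue
                    seen.add(out_addr)
                    reached_by[out_addr].add(v)
                    stack.append(out_addr)
    shared = [(a, sorted(vs)) for a, vs in reached_by.items() if len(vs) >= min_victims]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def cluster_common_inputs(ledger):
    """Common-input-ownership heuristic: addresses spent together in one transaction
    are assumed to share a controller. Returns clusters of size two or more."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger:
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)


if __name__ == "__main__":
    print(trace_forward(LEDGER, "victimA", LABELS))
    print(aggregation_points(LEDGER, ["victimA", "victimB", "victimC"], LABELS))
    print(cluster_common_inputs(LEDGER))
```

Two design points worth noting. The trace deliberately does not continue past the mixer pool: anything after that point would be an inference about which withdrawals match which deposits, and belongs in a separately labelled, lower-confidence finding. The clustering heuristic is also only a heuristic; coin-join style transactions are built precisely to defeat it, so a cluster is a lead for the exchange subpoena rather than a conclusion.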
Legal frameworks and evidence standards
Financial cybercrime is prosecuted under a combination of substantive fraud law and cybercrime-specific statutes. The applicable statute depends on the jurisdiction and the specific conduct. Investigators must identify the right charging framework early because it determines what warrants are available, which agencies have jurisdiction, and what mutual legal assistance channels can be used.
| Jurisdiction | Primary statute(s) | Key offences covered |
|---|---|---|
| India | IT Act 2000 (ss. 66C, 66D); Bharatiya Nyaya Sanhita 2023 (ss. 318, 319); DPDPA 2023 | Identity theft, cheating by personation using a computer resource, cheating and cheating by personation, data breach liability |
| United States | Computer Fraud and Abuse Act (18 U.S.C. 1030); 18 U.S.C. 1029 (access device fraud); 18 U.S.C. 1343 (wire fraud); 18 U.S.C. 1956 (money laundering) | Unauthorised computer access, trafficking in and use of stolen card data, fraudulent wire transfers, layering of proceeds |
| United Kingdom | Fraud Act 2006; Computer Misuse Act 1990; Proceeds of Crime Act 2002 | Fraud by false representation, unauthorised computer access, money laundering |
| European Union | Directive 2013/40/EU on attacks against information systems; GDPR (data breach notification) | Cross-border cybercrime coordination, data breach obligations |
Digital evidence in financial cybercrime cases must meet admissibility standards. In India, the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872) governs electronic records; section 63 (the successor to section 65B of the old Act) requires a certificate from a responsible official confirming the integrity of the electronic record and the device that produced it. In the UK, the Police and Criminal Evidence Act 1984 governs admissibility (section 78 allows the court to exclude evidence whose admission would make the trial unfair), and the ACPO Good Practice Guide for Digital Evidence supplies the handling principles courts expect: no action should change data that may be relied on, anyone who accesses original data must be competent and able to account for their actions, and an audit trail must let a third party reproduce the result; in practice that means a documented chain of custody and hash comparison to prove integrity. US federal courts apply the Federal Rules of Evidence, particularly Rules 902(13) and 902(14), which make records generated by an electronic process and data copied from a device self-authenticating when a qualified person certifies them, typically by hash verification.
Cross-border financial cybercrime requires mutual legal assistance treaties (MLATs) or informal police-to-police channels such as Interpol notices or Europol operational coordination. MLAT requests are slow, often taking six to twelve months, so investigators prioritise preservation requests (fast) over disclosure requests (slow). The Budapest Convention on Cybercrime, which over 60 states including the US and the UK have ratified (India is not a party), provides an expedited preservation mechanism under Article 29: a requesting party can ask another party to order preservation of specified stored computer data for a period of at least 60 days while the formal MLAT disclosure request is prepared.
An attacker registers the domain finance-acme-corp.com the day before sending a payment diversion email to a company whose genuine domain is acmecorp.com. What category of BEC technique does this represent?
Key Takeaways
- Financial cybercrime's four major categories, phishing, BEC, CNP fraud, and investment scams, each have a distinct attack anatomy, victim profile, and evidence trail; investigators must identify the category early to know where to look for artefacts.
- In BEC cases, the highest-priority action on receiving a victim report is lodging a bank recall request within hours; evidence collection is the second priority because the recall window closes fast.
- Email headers, domain WHOIS records, passive DNS data, and SPF/DKIM validation records form the primary evidence layer in phishing and BEC investigations, allowing investigators to trace the actual sending infrastructure behind a spoofed sender address.
- Blockchain analytics can trace cryptocurrency funds across hops and, with reduced certainty, through mixers to exchange deposit addresses; when the exchange enforces KYC, a court order or MLAT request can convert the on-chain trail into a real identity.
- Cross-border financial cybercrime requires early preservation requests (fast) to freeze evidence while slower MLAT disclosure processes run; the Budapest Convention's Article 29 lets a requesting party obtain preservation of stored data for at least 60 days while the disclosure request is prepared.
What is business email compromise and why is it so costly?
What evidence does an investigator collect in a phishing case?
How does card-not-present fraud differ from physical card fraud?
What makes cryptocurrency tracing useful in financial cybercrime investigations?
Which laws govern financial cybercrime in India, the US, and the UK?