CFPS Field Manual — Fraud Prevention, Investigation & Disruption
The required pre-exam reading for the GACS Certified Fraud Prevention Specialist (CFPS) diploma. Codifies the architecture of modern fraud ecosystems, social-engineering doctrine, victim psychology, case triage, evidence preservation and disruption strategy at the standard expected of a national-level financial-crime cell.
Chapter 1: Fraud Doctrine & The Adversary Model
Establishes the operating model: fraud is an industry, not an event. This chapter is doctrine and governs every later chapter.
The Five-Stage Fraud Pipeline
Every mature fraud operation runs as a pipeline of five stages — lead generation, grooming, conversion, extraction, laundering — each with distinct operators, infrastructure and observable signals. Lead generation runs on ad platforms, leaked databases, social DMs and bought victim lists. Grooming builds parasocial trust over days or weeks, often using scripted playbooks recognizable across cases. Conversion is the moment the victim takes the first irreversible action (sends funds, signs a wallet approval, installs remote-access software). Extraction is the systematic emptying of the victim, frequently amplified by a 'tax', 'unlock fee' or 'profit-withdrawal verification' designed to maximize the take. Laundering moves value through exchanges, OTC desks, mixers, bridges and shell businesses. Disrupting any one stage cascades — taking down a grooming platform, an exchange off-ramp or a payment processor is more durable than chasing individual operators.
Roles & Org Structure Of A Scam Operation
Treat the adversary as an organization, not a person. Typical roles: the operator (financial owner), recruiters who hire call-center staff or 'closers', closers themselves (often human-trafficked labor in 'scam compounds' across SE Asia, the Gulf and West Africa), money mules who receive and forward funds, recovery scammers who re-victimize the same list, OTC launderers who convert crypto to cash, infrastructure providers (bulletproof hosting, fake-KYC vendors, SMS-gateway operators) and tooling providers (off-the-shelf scam-platform vendors). Attribution at the role level — 'this infrastructure cluster supports at least seven distinct frontend brands' — is far more durable than attribution at the individual level, because individuals churn while infrastructure persists.
Why Fraud Is An Intelligence Problem
A complaint is a data point. An investigation is a sequence of complaints scoped by a hypothesis. Intelligence is the synthesis that turns a pile of complaints into an actionable picture of the adversary, their infrastructure and their next move. CFPS posture is intelligence-first: a complaint feeds a case; a case feeds a cluster; a cluster feeds a brand-disruption operation. Every step is reproducible, sourced, confidence-rated and reviewable. The customer-service posture ('how do I help this victim recover funds') and the law-enforcement posture ('did a specific person commit a specific crime') both depend on the intelligence picture, not the other way around.
Confidence Scoring & Analyst Caveats
Every CFPS finding carries an explicit confidence level — low, moderate or high — tied to source quality, source independence and corroboration. 'High confidence' means the judgement is well-supported and unlikely to change without significant new information; it is not certainty. Caveats are first-class content: 'attribution is based on infrastructure overlap and could be invalidated by shared-hosting reuse', 'the on-chain trace ends at a centralized exchange and depends on KYC subpoena for further resolution', 'victim statement is uncorroborated by independent records'. Overstated confidence destroys credibility faster than any single bad call.
Legal & Ethical Boundaries
CFPS operates inside the law of the analyst's jurisdiction, the platform's terms of service and a written ethics policy. Bright lines: do not contact suspects under false legal authority, do not impersonate law enforcement, do not deceive victims for analytic convenience, do not retain victim PII beyond what the case requires, do not republish images of identified victims, do not use stolen credentials or breach data as evidence in regulated proceedings. The gray zone — pretexting a scam call-center under a persona, joining a closed Telegram group, archiving content from ToS-restricted platforms — is handled by a written rules-of-engagement document signed before the operation starts.
Chapter 2: Scam Typologies — Pattern Library
A reference taxonomy of the dominant modern fraud schemes. Each typology is described by mechanism, indicators, victim profile, money flow and disruption seams.
Pig-Butchering / Romance-Investment Hybrid
The dominant high-value scheme of the modern era. Inbound contact via dating apps, WhatsApp 'wrong-number', LinkedIn, or social DMs; weeks of relationship grooming before any financial topic; introduction of a 'family member's' or 'friend's' supposedly proprietary crypto-trading platform; small initial deposit allowed to 'profit'; permitted partial withdrawal to cement trust; escalating deposits; ultimate 'tax', 'KYC unlock' or 'AML hold' that requires more deposits to release. Indicators: brand-new white-label trading dashboard, withdrawal buttons that always return 'pending', round-trip URLs that vary per victim, USDT/TRX deposit addresses, persona images that fail reverse-image search at the edges, infrastructure that clusters across dozens of brand fronts. Money flow: victim → TRC-20 USDT deposit address → tumbler / chain-hop → OTC desk → fiat. Disruption seams: domain registrar / hosting takedown of the dashboard cluster, exchange freezes on deposit addresses, payment-processor takedowns of the on-ramp.
Investment / Trading-Platform Fraud (Standalone)
Distinct from pig-butchering in that the relationship is purely 'business-broker' from the start: cold-call or display-ad lead, 'account manager' who allegedly trades on the victim's behalf, dashboard showing fabricated gains, eventual withdrawal block tied to a fictitious tax or compliance demand. Often paired with celebrity-endorsement fake-news ad creatives and ghost regulators whose 'license numbers' do not exist. Indicators: regulator name absent from real registries, address mapped to a serviced office, dashboard hosted on the same template as a dozen siblings, account-manager phone numbers churned weekly.
Recovery Scams (Re-Victimization)
Targets exclusively prior victims. Inbound contact claims to be a 'crypto recovery firm', 'blockchain forensics lawyer', 'government task force' or 'investigator from your bank'. Demands an upfront 'retainer', 'court fee' or 'gas fee' to begin recovery work; vanishes once paid. Frequently scrapes leaked complaint lists or buys victim lists from the original operators. Indicators: unsolicited contact, demand for crypto payment of fees, 'official' branding pirated from real agencies, claims of guaranteed recovery. Standing CFPS rule: legitimate recovery does not require victim-paid crypto retainers, and law enforcement never takes payment from victims.
Business Email Compromise (BEC) & Vendor Fraud
Compromise or spoof of an executive, supplier, lawyer or escrow agent's email; insertion into an existing transaction at the moment of payment; updated wire instructions to a controlled account. Variants: CEO-fraud (urgent wire from 'the CEO'), invoice-redirection (genuine supplier invoice with altered IBAN), payroll-diversion (HR email pivoted to redirect salary deposits), real-estate-closing fraud (escrow instructions altered in transit). Indicators: lookalike domains (rn for m, .co for .com), reply-to header divergent from from-header, account changes during a transaction in progress, urgency pressure, refusal to verify by phone using known-good numbers. Highest-leverage control: out-of-band callback to a number known before the email arrived.
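An added example (not from the manual) that runs the header and content checks listed above over a constructed invoice-redirection message: reply-to/from divergence, homoglyph or TLD-swap lookalikes against a known-good supplier domain, urgency language and a mid-transaction payment-detail change. The domains, the sample message and the confusable-pair table are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an invoice-redirection attempt. Domains are placeholders.
SAMPLE_EMAIL = """\
From: Accounts Payable <ap@acrne-supplies.com>
Reply-To: ap.billing@acrne-supplies.co
To: treasury@example-customer.com
Subject: URGENT: updated bank details for invoice 4471

Please process today using the new IBAN below.
"""

# Character pairs that render almost identically in common fonts (rn for m, etc.).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize_label(label: str) -> str:
    """Collapse homoglyph pairs so 'acrne' and 'acme' compare equal."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def domain_of(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(candidate: str, known_good: str) -> bool:
    """True when the candidate equals a known-good domain only after homoglyph
    normalization and/or ignoring the TLD (e.g. .co for .com)."""
    if candidate == known_good:
        return False
    c_label, _, _ = candidate.rpartition(".")
    k_label, _, _ = known_good.rpartition(".")
    return normalize_label(c_label) == normalize_label(k_label)


def bec_indicators(raw: str, known_good_domains: set) -> list:
    """Return the indicators from the typology that fire on one message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    flags = []
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} diverges from from-domain {from_dom}")
    for dom in {from_dom, reply_dom}:
        for good in known_good_domains:
            if is_lookalike(dom, good):
                flags.append(f"{dom} is a lookalike of known-good {good}")
    if re.search(r"\b(urgent|today|immediately)\b", msg.get("Subject", "") + " " + body, re.I):
        flags.append("urgency pressure in subject or body")
    if re.search(r"\b(new|updated) (bank|iban|wire|account)", body, re.I):
        flags.append("payment-detail change requested mid-transaction")
    return flags
```

The flags are inputs to the out-of-band callback decision, not a verdict: a genuine supplier can also write "urgent", so the control that settles it is still the phone call to a number known before the email arrived.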
Tech-Support, Refund & Government-Impersonation Scams
Browser pop-up or cold call claiming the victim's device, account or social security number is compromised; remote-access tool installed; bank accounts emptied via wire or gift cards; sometimes paired with a 'refund' twist where the scammer 'overpays' a refund and demands the victim return the surplus. Government-impersonation variants threaten arrest unless a 'verification deposit' is made in crypto, gift cards or wire. Indicators: pressure for immediate action, payment in non-reversible rails (gift cards, crypto, money mules), refusal to permit victim to consult a third party, fake caller ID matching real agencies.
Crypto-Specific Schemes — Drainers, Approvals, Address Poisoning
Wallet-drainer kits sold as SaaS to operators: malicious dApp prompts the victim to sign an ERC-20 approval or setApprovalForAll on NFTs, draining tokens on confirmation. Address-poisoning attacks seed the victim's transaction history with addresses that visually match prior counterparties, causing copy-paste errors on the next send. Fake-airdrop and fake-bridge sites harvest seed phrases. Indicators: signature requests for unbounded approvals, dust transactions from spoofed addresses, search-engine-ad-promoted dApp URLs that differ from canonical URLs by one character. Defensive doctrine for victims: revoke all approvals on suspicion, never sign blind, type the canonical URL.
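An added example (not from the manual) of the two wallet-side checks the doctrine above implies: decoding a pending signature request to flag an unbounded ERC-20 approve or an NFT setApprovalForAll before confirmation, and comparing a destination address against prior counterparties for the matching-ends pattern address poisoning relies on. The selectors are the standard 4-byte ids of those two functions; every address and calldata value is constructed.

```python
APPROVE_SELECTOR = "095ea7b3"        # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"    # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

SPENDER = "11" * 20                  # constructed 20-byte placeholder address
UNBOUNDED_APPROVE = "0x" + APPROVE_SELECTOR + "0" * 24 + SPENDER + "f" * 64
NFT_APPROVE_ALL = "0x" + SET_APPROVAL_FOR_ALL + "0" * 24 + SPENDER + "0" * 63 + "1"
BOUNDED_APPROVE = "0x" + APPROVE_SELECTOR + "0" * 24 + SPENDER + "0" * 62 + "64"  # 100 units


def abi_word(data: str, index: int) -> int:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 8 + index * 64
    return int(data[start:start + 64], 16)


def abi_address(data: str, index: int) -> str:
    """Addresses are right-aligned in a 32-byte word: take the low 20 bytes."""
    start = 8 + index * 64
    return "0x" + data[start + 24:start + 64]


def flag_signature_request(calldata_hex: str) -> list:
    """Flags a wallet UI should raise before the user confirms."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector = data[:8]
    flags = []
    if selector == APPROVE_SELECTOR:
        spender, amount = abi_address(data, 0), abi_word(data, 1)
        if amount == UINT256_MAX:
            flags.append(f"unbounded ERC-20 approval to {spender}")
        elif amount > 0:
            flags.append(f"bounded approval of {amount} to {spender}")
    elif selector == SET_APPROVAL_FOR_ALL:
        operator, approved = abi_address(data, 0), abi_word(data, 1) == 1
        if approved:
            flags.append(f"setApprovalForAll hands every token in the collection to {operator}")
    return flags


def looks_poisoned(candidate: str, history: list, edge: int = 4) -> bool:
    """True when the candidate shares its first and last hex digits with a prior
    counterparty yet is a different address: the lookalike address poisoning
    relies on because wallets display only the ends."""
    c = candidate.lower()
    head = 2 + edge   # '0x' plus the leading digits a user actually compares
    for prior in history:
        p = prior.lower()
        if c != p and c[:head] == p[:head] and c[-edge:] == p[-edge:]:
            return True
    return False
```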
Marketplace, Rental & Job-Offer Frauds
High-volume, low-per-incident schemes that aggregate into significant harm. Fake job offers harvest IDs and bank credentials for downstream identity theft, or rope victims into reshipping and money-muling. Rental scams collect deposits for properties the operator does not own. Marketplace scams pivot a real listing to an off-platform 'shipping service' that intercepts payment. Indicators: off-platform payment requests, demands for ID/bank details outside the platform's verified flow, prices significantly below market, refusal to allow in-person inspection.
Chapter 3: Social Engineering & Victim Psychology
Why people fall for these schemes, what the operators exploit, and how a CFPS analyst interviews victims without re-traumatizing them or contaminating the record.
Cialdini's Six + Three Operational Levers
Social engineering is applied behavioral science. Cialdini's six principles — reciprocity, commitment & consistency, social proof, authority, liking, scarcity — are weaponized in every successful playbook, joined by manufactured urgency, fear-of-missing-out and the sunk-cost trap. Pig-butchering leans heavily on commitment & consistency (small first deposit → bigger ones) and on liking (weeks of grooming). BEC leans on authority (CEO) and urgency (wire today). Recovery scams lean on hope (you can still get your money back). Recognising the lever in a victim's narrative is half the typology call.
Why Smart People Get Scammed
Victim shaming is operationally counterproductive: it silences witnesses and biases the evidence base toward the loud. The actual risk profile cuts across IQ, education and income — the controlling factors are loneliness, life-transition stress (divorce, bereavement, retirement, job loss), recent financial windfall, declining health, isolation from trusted second opinions, and the targeted-marketing efficiency of modern lead-generation. The CFPS analyst's posture toward the victim is professional, calm and non-judgemental. Operationally this matters because the next ten victims are watching how this one was treated.
The Victim Interview — Structure & Tradecraft
The CFPS victim interview is structured to maximize accurate recall and minimize contamination. Open with the consent and scope (what you are doing, what you can and cannot do for them, what will happen with their information). Take the narrative in the victim's own words first, uninterrupted; only then go back and unpack specifics — names, handles, URLs, dates, amounts, wallet addresses, channels of contact. Use open questions ('walk me through how you first heard from them') before closed questions ('what was the exact URL'). Never lead. Never confirm a fact for the victim that they did not themselves state. Record the interview where lawful and with consent; otherwise contemporaneous notes with timestamps.
Evidence The Victim Has — What To Ask For
A standard CFPS evidence ask covers: the original contact channel and handle/number/email, all screenshots and chat exports (request full exports, not curated highlights), URLs of any platforms touched (with timestamps of access), wallet addresses sent to, bank/wire details where applicable, copies of any IDs the victim was asked to submit, payment receipts, and any documents (invoices, contracts, fake licenses, fake regulator letters) provided by the operator. Hash every artifact on receipt; do not edit the originals; work from copies.
Secondary Harms & Duty Of Care
Major fraud losses correlate with measurable secondary harms: depression, isolation, suicide risk, family rupture, job loss. The CFPS analyst is not a clinician but has a duty to recognize warning signs in interviews and to provide referrals to victim-support services in the relevant jurisdiction. Operational rule: do not press a visibly distressed victim for additional detail in a single session; resume on a later day. The case will still be there.
Chapter 4: Investigation Workflow & Case Triage
How a CFPS case progresses from intake to disruption — the priority intelligence requirements, the collection plan, the case file structure, and the triage discipline that lets a small team handle a high inbound volume.
Intake, Priority Intelligence Requirements & EEIs
Every case opens with a written PIR set: 'who is the operator', 'what infrastructure cluster does this belong to', 'where did the money go', 'what is the live disruption opportunity'. Each PIR decomposes into Essential Elements of Information (EEIs): the operator's persona handles, the brand's domain & hosting cluster, the deposit-address chain on-chain, the off-ramp exchange. Each EEI is assigned to a collection method (OSINT, on-chain, partner-liaison, legal-process) and a deadline. Without this ladder, investigation becomes scavenging and analysis becomes opinion.
Case File Structure & The Working Picture
Every CFPS case file follows a fixed structure: case header (ID, opened-by, opened-date, status, classification), victim register (per-victim record with PII access-controlled), narrative timeline, entity register (handles, domains, wallets, businesses, persons-of-interest), evidence appendix (hashed artifacts with provenance), analyst log (who did what, when), and a working picture (a one-page diagram of the operator, brand, infrastructure cluster, money flow and disruption seams as currently understood). The working picture is updated continuously and is the artifact the team works from in daily sync — not the long-form report.
Triage — High-Volume Intake Discipline
A CFPS cell with limited capacity triages inbound complaints by impact and tractability. Impact: dollar loss, victim count, vulnerability of the victim population, criticality of the targeted institution. Tractability: live infrastructure still up, money still on-chain or pre-cash-out, identifiable cluster, achievable legal/regulatory pathway. Cases scoring high on both jump the queue. Low-impact / low-tractability cases are logged into the cluster picture (they may corroborate a future high-value case) but not worked individually. The discipline of saying 'logged, not worked' is what keeps the cell from collapsing under inbound volume.
Pivoting & Cluster Construction
A single complaint resolves to a single brand. Cluster construction expands from brand to operator by pivoting on shared indicators: registrant emails, name-server sets, TLS certificate fingerprints, Google Analytics IDs, Telegram channel admin handles, recurring wallet addresses, recurring deposit-instruction patterns, recurring victim-onboarding script language, recurring image assets across brand fronts. A cluster is reported as an attribution at the operator level only when at least one durable infrastructure indicator anchors the inference; brand-level coincidence alone is not enough.
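An added example (not from the manual) of cluster construction as the paragraph describes it: brands are merged only across a shared durable infrastructure indicator, while weak brand-level overlap (shared template, shared script language) is reported as corroboration and never upgrades a cluster to operator-level attribution. The indicator kinds follow the list above; the brand records and every indicator value are constructed placeholders.

```python
from collections import defaultdict

# Indicator kinds the chapter treats as durable infrastructure anchors versus
# brand-level coincidence that only corroborates.
DURABLE = {"registrant_email", "name_servers", "tls_fingerprint",
           "analytics_id", "tg_admin", "wallet"}
WEAK = {"script_language", "image_asset", "dashboard_template"}

# Constructed brand records: every value is a placeholder, not real infrastructure.
BRANDS = {
    "brand-a": {("analytics_id", "UA-PLACEHOLDER-1"), ("dashboard_template", "tpl-7"),
                ("wallet", "TPLACEHOLDERWALLET1")},
    "brand-b": {("analytics_id", "UA-PLACEHOLDER-1"), ("dashboard_template", "tpl-7")},
    "brand-c": {("dashboard_template", "tpl-7"), ("script_language", "welcome-script-v3")},
    "brand-d": {("wallet", "TPLACEHOLDERWALLET1"), ("tg_admin", "@placeholder_admin")},
}


def find(parent: dict, x: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_clusters(brands: dict) -> list:
    """Merge brands only across shared durable indicators; report weak overlap
    separately so it cannot silently upgrade a cluster to operator-level."""
    owners = defaultdict(list)                     # indicator -> brands carrying it
    for brand, indicators in brands.items():
        for ind in indicators:
            owners[ind].append(brand)
    parent = {b: b for b in brands}
    for (kind, _), carriers in owners.items():
        if kind in DURABLE:
            for other in carriers[1:]:
                ra, rb = find(parent, carriers[0]), find(parent, other)
                if ra != rb:
                    parent[rb] = ra
    members = defaultdict(set)
    for b in brands:
        members[find(parent, b)].add(b)
    report = []
    for group in members.values():
        anchors, corroboration, outside = [], [], set()
        for ind, carriers in owners.items():
            inside = set(carriers) & group
            if ind[0] in DURABLE and len(inside) >= 2:
                anchors.append(ind)                # what justifies operator-level attribution
            elif ind[0] in WEAK and inside:
                if len(inside) >= 2:
                    corroboration.append(ind)
                outside |= set(carriers) - group   # weak ties to brands outside the cluster
        report.append({
            "brands": sorted(group),
            "attribution": "operator-level" if anchors else "brand-level only",
            "anchors": sorted(anchors),
            "corroboration": sorted(corroboration),
            "weak_links_to": sorted(outside),
        })
    return sorted(report, key=lambda r: r["brands"])
```

In the constructed data brand-c shares a dashboard template with brand-a and brand-b but nothing durable, so it stays outside the operator-level cluster and is listed only as a weak link.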
Working With Law Enforcement & Regulators
CFPS analysts produce intelligence products consumable by enforcement, not enforcement actions themselves. The analyst's value to LE/regulator is a clean, sourced, confidence-rated picture that shortens their investigation timeline. Standard product set: cluster brief (the picture), evidence bundle (hashed artifacts), recommended actions (takedowns, freezes, subpoenas, public warnings) and the open information gaps. Maintain a known-good liaison list per jurisdiction; route by jurisdiction of the victim, of the operator and of the financial rail in that order.
Disruption Seams
Disruption is the operational output. High-leverage seams in order of typical effectiveness: hosting/registrar takedown of the live infrastructure (kills the brand within hours), exchange freezes on operator deposit addresses (preserves funds for recovery), payment-processor / card-acquirer offboarding (kills the on-ramp), social-platform account takedown (slows lead generation), public warning publication (collapses the brand's organic search traffic), and law-enforcement action (slowest but most durable). A mature CFPS cell maintains live channels into each seam and times the seams to fire in sequence to maximize damage to the operator.
Chapter 5: Evidence, Provenance & Reporting
How CFPS evidence is captured, preserved and presented so that it survives challenge from defence counsel, regulators, journalists and the operator themselves.
Chain-Of-Custody Standard
Every captured artifact carries source URL (full canonical), capture timestamp in UTC with the analyst's clock source, capturing operator handle, SHA-256 of the file, parallel save to an immutable archive (archive.today, Internet Archive, or an internal evidence vault), and the rendering tool/version. Screenshots are augmented with a full-page DOM capture (HTML + assets) where possible because a screenshot can be cropped or relabeled in seconds. The standard is simple: if a prosecutor, regulator, journalist or adversary cannot reproduce your evidence, you do not have evidence — you have a story.
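An added example (not from the manual) of the custody record described here and of the "hash on receipt, work from copies" rule from the victim-evidence section: each artifact is hashed with SHA-256 on intake, recorded with its canonical source URL, UTC capture time, clock source, capturing operator, archive URL and tool, appended to a JSON-lines manifest, and re-verified before use so an edited working copy is caught. The capture content, URLs, operator handle, tool name and clock source are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large DOM captures hash without loading into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def register_artifact(path, source_url, operator, tool, archive_url=None,
                      clock_source="ntp-synced workstation (placeholder)"):
    """Custody record for one artifact, carrying every field the standard lists."""
    p = Path(path)
    return {
        "filename": p.name,
        "source_url": source_url,
        "captured_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "clock_source": clock_source,
        "operator": operator,
        "sha256": sha256_file(p),
        "size_bytes": p.stat().st_size,
        "archive_url": archive_url,
        "tool": tool,
    }


def verify_artifact(path, record) -> bool:
    """Re-hash before every use; a mismatch means the copy is no longer the original."""
    return sha256_file(Path(path)) == record["sha256"]


def append_manifest(records, manifest_path):
    """Append-only JSON-lines manifest from which the evidence appendix is rebuilt."""
    with open(manifest_path, "a", encoding="utf-8") as f:
        for rec in records:
            f.write(json.dumps(rec, sort_keys=True) + "\n")


def demo() -> tuple:
    """Constructed round trip: register a placeholder capture, verify a working
    copy, then detect that an edited copy no longer matches the record."""
    work = Path(tempfile.mkdtemp())
    original = work / "dashboard-capture.html"
    original.write_bytes(b"<html><body>withdrawal: pending</body></html>")  # constructed
    record = register_artifact(original, "https://example.invalid/dashboard",
                               "analyst-01", "full-page DOM capture (placeholder tool)")
    copy = work / "working-copy.html"
    copy.write_bytes(original.read_bytes())
    ok_before = verify_artifact(copy, record)
    copy.write_bytes(copy.read_bytes().replace(b"pending", b"complete"))
    ok_after = verify_artifact(copy, record)
    append_manifest([record], work / "evidence-manifest.jsonl")
    return ok_before, ok_after, record
```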
Victim PII Handling
Victim PII is the most sensitive material in the case file and the most often mishandled. Standard controls: store PII separately from the analytic narrative; access-control by role; never publish PII in cluster briefs (use case-id references); redact victim faces, voices and identifying detail from any externally shared evidence; obtain written consent before any external sharing of victim materials; retain only what the case requires and for only as long as the case requires; document the retention schedule. Regulator-mandated controls (GDPR, CCPA, sectoral rules) take precedence over operational convenience.
Writing The Cluster Brief — BLUF, Findings, Evidence Appendix
The CFPS standard product opens with a BLUF (3–5 sentences: judgement, confidence, so-what). The executive summary expands for non-specialist readers. Findings are numbered, each with confidence, sourcing and the specific evidence trail. An entity register lists the handles, domains, wallets and businesses with their roles. An evidence appendix preserves URLs, archives, hashes, capture times and the capturing operator. Recommendations are separated from findings so the consumer can act on the analysis without conflating it with the analyst's preferences.
Public Warnings — Drafting Discipline
Public-facing warnings are intelligence products with the widest possible audience and the highest legal exposure. Drafting rules: name only what is evidentiable to a high standard; never publish unredacted victim PII; avoid claims that prejudice future criminal proceedings; offer the named entity a right of reply in writing where the jurisdiction requires it; cite the evidence basis in plain language; provide an update channel because brand fronts mutate hourly. A warning that is wrong or imprecise is a liability — and worse, it teaches the operator exactly which indicators to vary.
Working With Journalists
Journalism is a force multiplier for disruption — a well-placed story collapses a brand's search traffic faster than most takedowns — but it is also the channel most likely to mishandle victim PII and to compress the analyst's caveats into a confident headline. Rules: brief on background, share evidence under a written embargo, insist on a fact-check pass on every named entity, and refuse to participate where the outlet will not redact victim identity. Track the published story against the brief and log divergences for the next engagement.
GACS.app — Academic & Intelligence Standards Division
