The Fraud Investigation Checklist: What to Gather Before You Start
Introduction
Most fraud investigations fail not because the evidence wasn't available — but because it wasn't captured before it disappeared. Scammers cycle through VoIP numbers in days, delete social profiles within hours of being confronted, and abandon email addresses the moment a victim stops responding. The single biggest predictor of whether a fraud investigation succeeds is how much was documented before the investigation formally began.
This fraud investigation checklist is the pre-flight list. Whether you are a victim preparing to report a scam, a private investigator opening a case, or a fraud analyst building a file, this is what to gather — and in what order — before you take a single investigative step. The earlier you run a phone number lookup and lock down the digital trail, the more of it survives.
Why Pre-Investigation Documentation Matters
A fraud investigation is only as strong as its earliest records. Three realities make the "gather first" rule non-negotiable:
- Fraud infrastructure is disposable. A scam phone number lookup run today may return a live VoIP line; run a week later, it returns a disconnected number with no trail.
- Evidence has a chain of custody. Screenshots taken at the time, with timestamps, carry far more weight with banks, the FTC, and law enforcement than a recollection written down later.
- Investigation is iterative. Each data point — a number, an email, a username — becomes the input for the next lookup. Missing the first link breaks the whole chain.
The checklist below is organized into five evidence categories. Work through them in order.
The Fraud Investigation Checklist
1. Contact Identifiers (Capture First — These Decay Fastest)
This is the highest-priority category because phone numbers and accounts are abandoned quickly. Record every identifier the fraudster used to reach you:
- Every phone number that called or texted — including spoofed or "neighbor" numbers
- Email addresses used in any message
- Social media handles / profile URLs (screenshot the full profile, not just the name)
- Messaging app accounts — WhatsApp, Telegram, Signal display names and numbers
- Usernames on any platform where contact occurred
- Any website or domain the scammer linked to
Run a reverse phone lookup immediately. A phone number OSINT check on the live number captures line type, carrier, and any linked accounts while the number is still active. This is the single most time-sensitive step in the entire checklist.
2. Communication Records
The full message history establishes intent, timeline, and method:
- Screenshots of every conversation — full-screen, with visible timestamps
- Call logs showing date, time, and duration of each call
- Voicemails — save the audio files, don't just transcribe
- Original emails with full headers (headers contain routing data investigators can trace)
- Any documents, photos, or files the scammer sent
3. Financial Trail
If money or financial data changed hands, this becomes the core of any law-enforcement referral:
| Record | Why It Matters |
|---|---|
| Transaction receipts / confirmations | Establishes amount and date of loss |
| Bank or card statements | Shows the money movement path |
| Crypto wallet addresses | Traceable on-chain; critical for pig-butchering cases |
| Wire transfer details | Recipient bank and account, recoverable in some cases |
| Gift card numbers / receipts | Common scam payment method; sometimes reversible if reported fast |
| Payment app records (Zelle, Cash App, Venmo) | Shows recipient handle and timestamp |
4. Phone OSINT & Line Intelligence
This is where a phone fraud investigation separates a real lead from a dead end. Before escalating, run the number through a full enrichment lookup and record the results:
- Line type — mobile, landline, or VoIP. VoIP is the dominant fraud signal. Most scam operations run on VoIP numbers provisioned in bulk, so a VoIP result on a "personal" number is an immediate red flag.
- Carrier — and whether it matches the claimed location
- Geographic origin — country and region of registration
- Linked social accounts — profiles registered to the number
- Breach exposure — whether the number appears in leaked datasets (often surfaces an associated email)
- Spam / fraud database flags — prior scam reports tied to the number
A combined scam phone number lookup that returns all of these in one query is the fastest way to build this part of the file. DefenceCore runs line type, carrier, linked accounts, breach records, and fraud flags from a single number input — exactly the enrichment stack this stage of the checklist calls for.
5. Context & Personal Records
The details that establish how the fraud unfolded:
- Timeline — when first contact occurred, key dates, when you realized it was fraud
- The pretext — what the scammer claimed (job offer, romance, investment, IRS, tech support)
- What information you disclosed — so you know your own exposure
- Any accounts that may be compromised as a result
- Witnesses — anyone else contacted by the same number or scheme
Organizing the Evidence: Building a Case File
Once gathered, structure the evidence so it's usable. A clean fraud case file has:
- A single chronological log — every event with a date and time
- A folder per identifier — one for each phone number, email, and account, with its phone number OSINT results attached
- A financial summary — total loss, payment methods, recipient details
- Original files preserved — never edit or crop originals; annotate copies instead
This structure mirrors how professional investigators work, and it's the format banks and law enforcement can act on without asking you to reconstruct anything.
What NOT to Do Before You Investigate
Three mistakes routinely destroy otherwise-strong cases:
- Don't confront the scammer. Tipping them off triggers the cleanup — numbers disconnected, profiles deleted, your reverse phone lookup window closed.
- Don't delete anything. Even blocked numbers and "obvious spam" texts are evidence.
- Don't rely on memory. Screenshot and export now; a phone scam investigation built on recollection is far weaker than one built on captured records.
When to Escalate — and Where
Once the checklist is complete, you have what each channel needs:
| Channel | What It Handles | What to Bring |
|---|---|---|
| Your bank / card issuer | Reversing transactions, freezing accounts | Financial trail (Category 3) |
| FTC (reportfraud.ftc.gov) | U.S. consumer fraud reporting | Full checklist |
| IC3 (ic3.gov) | FBI internet crime, larger losses | Full checklist + phone OSINT |
| FCC | Spoofing / illegal call complaints | Contact identifiers + call logs |
| Local police | Reports needed for insurance/banks | Case file summary |
The completed fraud investigation checklist is what turns a report from "someone scammed me" into a documented case with traceable leads.
FAQ
What should I gather before starting a fraud investigation? Capture contact identifiers first (phone numbers, emails, social accounts), then communication records, the financial trail, phone OSINT results, and the contextual timeline. Phone numbers and online accounts decay fastest, so run a reverse phone lookup before anything else.
What is the first step in a fraud investigation? Documenting and enriching the contact identifiers — especially the phone number. A phone number OSINT lookup while the number is still active captures line type, carrier, and linked accounts that vanish once the scammer abandons the number.
How do I investigate a scam phone number? Run a scam phone number lookup that returns line type, carrier, geographic origin, linked social accounts, breach exposure, and fraud-database flags. A VoIP line type is the strongest single indicator of a scam operation.
Why is VoIP important in a phone fraud investigation? VoIP numbers can be created in bulk, spoofed, and discarded without a billing trail, which is why most scam operations use them. A VoIP result on a number presented as a personal mobile is an immediate red flag worth documenting.
What evidence do I need to report fraud to the FTC or police? A complete fraud case file: a chronological timeline, screenshots of all communication, the financial trail, and phone OSINT results for each number involved. The more documented the file, the more actionable the report.
Should I contact the scammer to get more information? No. Confronting a scammer triggers cleanup — numbers get disconnected and profiles deleted, closing your reverse phone lookup and evidence-gathering window. Gather and enrich everything silently first.
What is a fraud case file? A structured record of a fraud incident: a chronological event log, a folder per identifier with its phone number lookup results, a financial summary, and preserved original evidence — formatted so banks and law enforcement can act on it directly.
Conclusion
The difference between a fraud investigation that goes somewhere and one that stalls is almost always decided before the investigation starts. Fraud infrastructure is disposable by design — so the records you capture in the first hours are the ones that survive to become leads.
Work the checklist in order: contact identifiers first, then communications, financials, phone OSINT, and context. Run the reverse phone lookup while the number is live. Preserve originals. Don't tip off the subject. By the time you escalate to your bank, the FTC, or law enforcement, you'll have a documented case file instead of a story.
To build the phone-intelligence portion of your file — line type, carrier, linked accounts, breach exposure, and fraud flags from a single number — DefenceCore runs the full phone number OSINT lookup in one query.
Related reading: the stages of a fraud investigation and romance scam phone number investigation.