Threats Without Borders - Issue 269
Cyber Financial Crime Investigation Newsletter, week ending January 11th, 2026
Last week, an investigator asked me a common question: “Does a copy of a check deposited via mobile banking app qualify as the actual check?”
I’m not a lawyer, so don’t listen to me.
In 2004, Congress enacted the Check Clearing for the 21st Century Act, known as Check 21. It aimed to speed up check processing by allowing banks to handle checks electronically instead of shipping paper. The law introduced the “substitute check”: a paper printout of a digital image that has the same legal status as the original check. Essentially, this means that a digital copy created during mobile deposit can legally stand in for the physical check. The substitute check isn’t just evidence of the original; it is considered the original in legal terms.
This marked a significant shift from traditional negotiable instruments law, which relied on physical possession of the original document. Congress deemed these efficiency improvements worth the tradeoff, which is now crucial to the financial system.
For investigators, this raises questions about the Best Evidence Rule, which requires producing the original document unless there’s a valid reason not to. When the original check is unavailable, such as when it’s destroyed after digital imaging or submitted via mobile deposit, courts have accepted that the substitute check under Check 21 is legally equivalent to the original.
Presenting the digital copy satisfies the Best Evidence Rule because the law equates the two.
Congress knew that this approach posed a tradeoff; it enhanced efficiency and reduced costs but diminished certain forensic and evidentiary capabilities. Protections for consumers, like indemnity for incorrect substitute checks, exist, but they do not resolve issues in criminal cases where key evidence might be missing. While the law requires substitute checks to display certain legends clarifying they are reproductions, this does not help detect digital fraud exploits.
So, to revisit the question: does a mobile deposit image count as the actual check? Legally, I believe it does. However, I only play attorney online, so consult your prosecutor for certainty.
The News
Between July and December 2025, Team Cymru investigated carding infrastructure through internet-wide scanning, passive DNS, and NetFlow data. Their goal was to identify and monitor illicit carding markets and forums. By searching for keywords like “CVV” and “Carding” in HTTP/HTTPS banners and examining X.509 certificates, they identified 28 unique IP addresses hosting carding activity. Many of these were linked to domains with TLDs such as .su, .cc, and .ru, often hosted by offshore providers like Privex that offer privacy-focused VPS services, allowing cybercriminals to operate with minimal oversight. The findings underscore the role of carding markets as transactional platforms and of forums as social hubs for cybercriminals. https://www.team-cymru.com/post/analysing-carding-infrastructure
Two Pittsburgh business owners face charges from the Pennsylvania Attorney General's Office for conspiracy and handling proceeds of illegal activities, accused of conducting a complex EBT card fraud scheme. The investigation found that they bought EBT cards at discounted prices from benefit recipients, then used those cards for over 800 transactions totaling $178,289 at Sam’s Club and other stores, purchasing food items such as beef, chicken, bread, and drinks. They allegedly sold these items at their restaurant and deli on East Ohio Street in Pittsburgh, misusing a public assistance program meant to aid underserved residents to boost their business profits. https://www.attorneygeneral.gov/taking-action/attorney-general-sundays-organized-retail-crime-unit-charges-2-pittsburgh-business-owners-in-178k-ebt-card-scheme/
The World Economic Forum published its Global Cybersecurity Outlook 2026 report. https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf
What do you mean it’s a wiretap? A Michigan man pleaded guilty to federal charges for knowingly marketing pcTattletale, a monitoring software he developed in 2002. He promoted it as a tool to spy on romantic partners without their consent. Although initially advertised for legitimate purposes like parental monitoring and employee tracking, he shifted to marketing it as a “catch a cheater” app. He provided instructions for secretly installing it on partners’ phones while they slept and hiding evidence of its use. Federal investigators found substantial evidence that he supported users who explicitly said they were spying on spouses without permission, actively promoting the software with affiliate marketing aimed at people suspicious of cheating partners. https://arstechnica.com/security/2026/01/michigan-man-learns-the-hard-way-that-catch-a-cheater-spyware-apps-arent-legal/
Group-IB has identified a sophisticated phishing campaign since August 2025 that impersonates DocuSign emails and uses LogoKit, a framework that dynamically customizes credential-harvesting pages in real time to match victim organizations. https://www.group-ib.com/blog/docusign-impersonation-logokit/
Infoblox research shows that parked domains are now far more dangerous than before, with over 90% of visits leading to malicious content—a sharp increase from less than 5% a decade ago. The main threat comes from “direct search” or “zero-click parking” features that route users through complex traffic distribution systems (TDS) and ad networks, complicating attribution. The study uncovers three new threat actors who employ advanced techniques like DNS manipulation, double fast flux, and typosquatting on major brands to direct unsuspecting users, especially those making simple typos, toward scams, malware, and data theft. These domain owners actively profile visitors, serving safe parking pages to security scanners while funneling actual users to malicious advertisers. This creates a weaponized ecosystem where legitimate business practices enable cybercrime with little oversight. https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/
In an international cybercrime operation, nineteen countries collaborated to arrest 574 individuals, recover approximately USD 3 million, and dismantle criminal infrastructure. https://www.trmlabs.com/resources/blog/international-cybercrime-operation-leads-to-574-arrests-and-usd-3-million-in-recovered-funds-2
Barracuda’s Threat Spotlight on how phishing kits evolved during 2025. https://blog.barracuda.com/2026/01/07/threat-spotlight-phishing-kits-evolved-2025
Cool Tools
What do the attackers know about your website? Or any website. https://web-check.xyz/
Send a self-destructing note. https://burnernote.com/
Cool Job
Senior AML Investigations Trainer, Coinbase. https://www.coinbase.com/careers/positions/6852375
Mail
Matt, I think you're off-base about the impact of AI on the level of fraud. It’s playing a major role and is only going to get worse as the AI models become more reasonable in price and accessible in countries with less access to the higher-capacity computing needed to run them. - DT
I appreciate your level-headed take on fraud trends and your resistance to pushing fraud Panic-Porn on us. I saw one group providing their trends, and it was clear they didn’t even understand the technology they were warning the rest of us to watch out for. Then someone posted a video on LinkedIn about the mentioned trends report, and they had even less understanding. - KDel
Matt: Enjoyed your article on what is new, is old. Hit the nail on the head. Another area that should be a focus is the insider threat. It has been around for years and is old, but those doing it are new, and the tools that they can use are new. Below is an example. - CG
DFIR
Atola provided a fairly comprehensive list of DFIR conferences to attend in 2026. https://blog.atola.com/top-digital-forensic-conferences/
Irrelevant
Increase your productivity, or at least sanity, using the Napoleon Technique. https://effectiviology.com/napoleon/
Sign off
I was driving through a local city and as I pulled up to an intersection, there was a man on the corner holding a panel of cardboard folded in half. As he opened it, I expected to see “Homeless Vet, Please Help, God Bless” or something similar to the traditional panhandler sign. Instead, it said, “WEED”. It totally threw me off, to the point that I sat halfway through the green light cycle as I processed the proposition. Are you selling or buying? What is it you want me to do???? I was literally knocked sideways by the unexpected ambiguity.
Welcome new subscribers! A small group of people like it here, and I hope you do as well. Thank you for giving it a chance.
Send me email: matt (at) threatswithoutborders.com
“WORRY IS INTEREST PAID ON TROUBLE BEFORE IT COMES DUE.”
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.