So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.
2 weeks ago I got an order worth $10000 from them. So as usual I dispatched the material to them and then raised the invoice with my bank details from my email address called "abcde@mydomain.com".
Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.
Now an email like "abicde@mydomain.com" doesn't exist at all.
My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.
Also, what makes this even stranger is that I received 3-4 fake emails from my client's company about not asking for payment as it will be delayed.
I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".
Now $10000 is an extremely huge amount for the survival of my company. I want to know what my options are and whether there is any way of recovering it.
You sent the goods to the client, and they have yet to remit the payment to you. So they still owe you the money and you should insist they pay it.
Granted, they're not going to like that, but the reality is they sent payment due to you to some other person. That's something they did, not something you did.
They may be in a position to take steps to recover the payment they sent to someone else, given the banks involved and so on, and they should try to do it. But that's not something you're really in a position to be involved in; you didn't have anything to do with it and aren't a party to the fraudulent transaction.
In the meantime they should return the goods or send you the payment they owe.
see last paragraph: https://themortgagereports.com/39665/cash-to-close-what-is-i...
Emails sent from your domain usually constitute valid contracts. If you're letting other people send emails from your domain because you don't have SPF configured then there's a good chance a court would either rule that you've allowed them to enter into a legally binding contract on your behalf, or else that you were negligent and owe the $10,000 back in damages.
That's why you need to take away the email addresses of people who no longer work for your company, so that they can't enter into contracts on your behalf.
That said no one should ever wire money based on anything they receive via email. So if the sender email had SPF but the recipient just didn't see it flagged because it was in SOFTFAIL mode or whatever, then it's probably the client's fault at that point.
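To make the SOFTFAIL point in the comment above concrete, here is an added example (not code from the thread) of how a receiving server evaluates a domain's SPF record against the IP that delivered a message, and what it then typically does with the verdict. The domain, records and addresses are constructed for illustration; only the offline `ip4`/`ip6`/`all` mechanisms are handled, and `include`/`a`/`mx` are reported as unsupported because they need DNS.

```python
import ipaddress

# Constructed SPF records for a hypothetical domain (not from the thread).
# 203.0.113.0/24 stands in for the domain's real outbound mail servers.
SPF_SOFTFAIL = "v=spf1 ip4:203.0.113.0/24 ~all"   # weak: strangers only soft-fail
SPF_HARDFAIL = "v=spf1 ip4:203.0.113.0/24 -all"   # strict: strangers hard-fail

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against the IP that delivered the message.

    Offline subset of RFC 7208: only ip4/ip6/all mechanisms are honoured.
    Mechanisms that need DNS (include, a, mx, exists) return "unsupported"
    here; a production receiver uses a full SPF library instead.
    Returns pass / fail / softfail / neutral / none / permerror / unsupported.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                     # modifier (redirect=, exp=): skipped
            continue
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                   # catch-all decides the verdict
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"                # include/a/mx/exists need DNS
    return "neutral"                        # nothing matched, no 'all' term


def receiver_action(spf_result: str, treat_softfail_as_fail: bool = False) -> str:
    """Model what a typical receiving mail server does with an SPF verdict.

    Most receivers only reject on hard fail; a soft fail is delivered with a
    flag the user rarely sees, which is the gap the comment above describes.
    """
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "reject" if treat_softfail_as_fail else "deliver_flagged"
    return "deliver"


if __name__ == "__main__":
    forged_sender_ip = "198.51.100.9"       # constructed: not one of the domain's servers
    for record in (SPF_SOFTFAIL, SPF_HARDFAIL):
        verdict = evaluate_spf(record, forged_sender_ip)
        print(record, "->", verdict, "->", receiver_action(verdict))
```

Run stand-alone, the script shows the same forged message being delivered (flagged) under the `~all` record and rejected under `-all`. The record is published by the sending domain, but the decision is always the receiver's, which is why a soft-fail policy on the supplier's side cannot by itself stop a spoofed invoice from landing in the client's inbox.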
I think it would maybe be arguable if someone actually hacked the OP’s account and the emails really did come from their outbox, but spoofed email is a different thing entirely.
It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead. Or maybe someone showing up at the door and collecting payment wearing a stolen or counterfeit uniform.
If you think of it in legal terms, in a lawsuit say, the client would have to acknowledge the existence of a contract and an obligation to pay the supplier, and then somehow make an argument that a spoofed email from a third party that the supplier had no awareness of, that never entered the possession or control of the supplier at all, somehow invalidates that contract, or proves that the client has satisfied their obligation.
That’s quite a stretch.
Arguing negligence on the part of the supplier still wouldn't do anything to satisfy the payment obligation; at best it would seem to be a counter-claim, saying that they suffered a loss because of the supplier's negligence, but then that's a separate tort and the burden of proof would be on them.
I could see an ex-employee who can still log in entering into contracts on your company's behalf, but a hacker doing so gets the same protections (for lack of a better word)?
That seems very wrong to me. I'm sure it makes things harder to determine the actual issue, but I just don't believe that a judge would look at this and conclude that fraud is ok as long as it comes from your email address...
(ignoring issues like gross negligence where a company is doing significantly less to secure their systems than should be expected)
Gonna need a source on that one, chief.
It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."
> Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.
>
> Now an email like "abicde@mydomain.com" doesn't exist at all.
Notice the "i", different from abcde@mydomain.com. He's saying it wasn't sent from the normal email account. The question I'd have is that OP uses "hacked" but there aren't actually any technical details here at all. Was one or the other mail server genuinely compromised, or someone phished? Or were these emails simply spoofed? Or what? It sounds like it could have just been a forged From, which is utterly trivial; every mildly serious spammer, let alone spearphisher, has done that forever. If the client "asked for a confirmation email" but the "email never reached" because it was a spoofed From and got blackholed, but the client then took no response as confirmation, that would probably be on the client.
Of course whatever the legal case there are other practical considerations, if this is a very valuable client then a certain amount of bending may be in order. It sounds like a pretty hokey order mechanism all around vs even just a simple HTTPS LE plain text web form and static invoice. And there is still the question of how exactly the phishing (if that's what it was) information was gathered for the spoofed invoice in the first place, insider job? Some other leak or hack?
But at least asking the client to try to get the money back seems fair enough. Money in that amount to a developed world bank should absolutely be traceable. Alerting the banks and law enforcement should have been the absolutely immediate first move the instant anything amiss was realized. If it was the client's fault and the money really is gone somehow (or even will just take a long while to recover) then at least splitting the difference shouldn't be unreasonable.
Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply-email as an attachment.
Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money, specifically, when accounts change they get on the phone with someone using their Vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.
So, to understand the problem it is very important to get a copy of all the complete emails with all the hidden headers that have the automatic signatures of the servers the email passed through. (See https://www.google.com/search?q=email+headers )
With the email headers it is possible to see if your server was hacked or if the sender field was spoofed.
EDIT: Also, I'd suggest taking orders via a secured portal, and also authenticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck on that money.
Then again, it might be transferred again as well. Money is hard to trace if it moves through different jurisdictions, as every country has different banking and privacy laws. Your client might very well hit a dead end for such a (in the grand scheme of things) small amount of money.
Now the scammers are watching your email closely waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.
This can happen with intrusion into your email box, or your client's. Hard to say exactly from your story. But in either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.
One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.
> It's not your fault that they paid the wrong person.
How is this not the OP's fault? It's absolutely their fault - the fault that led to their email being compromised
Edit: I see CPLX has said it much better than I in the meantime. Note that it’s not at all clear that the hack happened on your end, rather than your client’s (or perhaps at some intermediate ISP).
Next time, use more than one communication channel (Facebook, phone, signal, telegram, whatsapp... anything, really)
You should also see with your domain registrar and mail provider what happened.
Is this really true? Do EU bank transactions really take 13 months to fully clear?
See https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direc... .
If I can't reach flesh on a phone during business hours, I do my business with somebody else. No exceptions. A friend was trusting money and login details to a site with no mailing address or phone number and I pointed this out. He was suddenly aghast, another who did the same shrugged, I shuddered. Some people insist on learning the hard way.
https://rmacounts.com/uncategorized/financial-fraud-kill-cha...
1. Get/Hire someone to do a proper analysis of the "breach". This may require your client's cooperation.
2. Regardless of whose fault that was, try to improve the process to protect yourself and your clients in the future (e.g. email signing, confirmation via a different channel, different way of collecting payments etc.)
https://www.theguardian.com/money/2018/oct/18/banks-to-check...
anyway, no matter, you are in india, the client/customer is in canada? the amount is only $10,000 and you are a "very" small company? you have no practical recourse.
i'd even give small odds that the client is in fact scamming you.
regardless, good luck but in the face of an uncooperative client, you're out of luck.
many of the arguments here are around legal correctness, who is at fault, etc. but they fail to take into account that you are too small and the amount is too small and across international borders, for you to do anything about it. now if the amount were $100,000 you'd be able to pursue it.
In the UK the Daily Telegraph finance team has been covering this in their weekend issues and has had some success in getting things changed here.
They send a fake-looking email to themselves (using existing invoices as a template), then feign ignorance and refuse to pay for goods/services because "we sent the money, not our fault you didn't get it".
Even better that they'd send a few emails saying "we're working on paying you, don't bug us about it" -- payments are harder to collect as time passes for a number of reasons (in my experience).
-------
Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000
Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])
(envelope-sender <klye@clientdomain.com>)
by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP
for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
Received: from se1-lax1.servconfig.com ([104.244.124.86]) by bizsmtp with ESMTP
id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44]) by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.89)
(envelope-from <klye@clientdomain.com>)
id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com) by res203.servconfig.com with esmtpa (Exim 4.91)
(envelope-from <klye@clientdomain.com>)
id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_cb44418026f16861773c2073108229cd"
Date: Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema<reema@mydoamin.net>
Cc: 'mail' <mail.globax@dr.com>
Subject: RE: pharma zonisamide
Reply-To: Kyle <Kyle.clientname@dr.com>
Mail-Reply-To: Kyle <Kyle.clientname@dr.com>
Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
X-Sender: Klye@clientname.com
User-Agent: Roundcube Webmail/1.3.3
X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
X-Originating-IP: 192.145.239.44
X-SpamExperts-Domain: res203.servconfig.com
X-SpamExperts-Username: 192.145.239.44
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.35)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5rwL/g85tQulnBE8gPHu3/F602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx
q3u0UDjvO73ACdMYEFGu+gF5O7WstgsinfpazlJl1tCn592ZdmdEXY8S/zCkg36vZ3GfohIs0UGl
z8CJSOMrvzx9TVg3RkVXN8poxUmHw7z8Cv3zSk4rk5hzVqcRQipB56OduRZxKuP+q8NuOKfRBnSy
EKI1nLnoREI39Ng7w+jWwVgutjGnTGAA1gLIPnzkgagc0cD3QuccXSndMw0FQ8jqfUr8AYYpMlsI
IQUIsICEfKR4uJdogE2eQHlogxUcYs0rxQ+mI9H9Xex/9Lq8f02pgNORt7R9OjAEo9UzDH0ARpN0
wUZt3fvT7ao3SadG2ABiWXtkF0i/CT5LMFdUTCs59oTfl5U/c8+QAw6oOeWTc8nT5GWcPd0rEuGj
FyZoidhtHm+WobglkKcTLdh5JwRD9s9xE+dH789QVPIx9duafGFU3kR9F9u9KyBXj+FNLU1SvJx5
/9jlDHh8k6TTdHl8m1/8O/8FS0gu/BXEFm6f2M41IWv/Qw0zmRSx+YTH48mhNBhct/JFBLt+LA62
e0Pg9eDnrJN9b+G2BSscQzbFMcfSu4J7ix6iCoZ5CaKPMqg2RgTcAelen7CXsT6fZe+0gbPIz96e
qtNrhqU0j58VnbXM/vIJoxTw4G77xMwEh26uoYRpiF4am0X83e22zM8wHY/QU2XjdKVHj6Omz2pU
52OZqldRRmxkB/4b3LJEbiGaRFZKY17WKvlei/52nCwh3EKwhLPN528N6lMd564J8QyHtUdRVUYN
O3udn1JlHoAi4F0jBWcShbww79KoIp0Sgs8f/ZTrGlUY2jbf3Q54l9HRkQvIejKclyAbTmc6f/07
0aI4MKggmD9XUhkU65ggFOIOfY0If3FAzbmaNBxeMIrqE6TxR86t2EiC6GwMws7GvvozwLzzGiRR
EvmQrtvSbV4fnBHAY64qloNFm00WuJU2Ru5B4WNJiz4C8c3Na3gFdtxXZg==
X-Report-Abuse-To: spam@se1-lax1.servconfig.com
X-CMAE-Envelope: MS4wfGTkLN5Q3Etz9Wkc3k/s+48X4HLNxcMTgPNW9dd3KWT52iaJK7tSMbsyZjm0/hi9J87LipDUTpWV2p/qyIS3IuuXa62TTzrOmM1SRoaJXZY91Lfa/lzj
i8Jb2TdRHL58hBIRNSmmPIf9tFZ8lSpapy/8CF5h3TDIczyZlwy+0j+T7U+zeMfEALDdLQAg1NCO7Q==
X-Nonspam: None
> User-Agent: Roundcube Webmail/1.3.3
> authenticated_id: shahrukh@makamil.com
'Cause the same thing happened to a client in Chennai, India.
But the client didn't transfer the funds since he found that the bank account the fake guy sent was new to them. So the client called the original company back and reported it.
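The comment earlier in the thread that recommends pulling the complete headers to tell a hacked server from a spoofed sender field, and the header block posted above, both invite the same triage. Below is an added example (not code from the thread) that reads a trimmed, constructed reconstruction of those posted headers and extracts what a defender looks for first: the domain mismatch between From and Reply-To, which account actually authenticated at the submission host, whether the originating hop was an authenticated login rather than a relay, and whether any SPF/DKIM/DMARC verdict was recorded at all. The placeholder domains (clientdomain.com, mydomain.net and so on) are the poster's, and the header sample is assumed to be representative rather than byte-exact.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed reconstruction of the headers pasted in the
# thread (placeholders such as clientdomain.com are the poster's, not real).
RAW_HEADERS = """\
Received: from se1-lax1.servconfig.com ([104.244.124.86]) by bizsmtp with ESMTP
    id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44]) by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.89)
    (envelope-from <klye@clientdomain.com>)
    id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com) by res203.servconfig.com with esmtpa (Exim 4.91)
    (envelope-from <klye@clientdomain.com>)
    id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema <reema@mydomain.net>
Reply-To: Kyle <Kyle.clientname@dr.com>
Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com

(body omitted)
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
HOP_RE = re.compile(r"\bby\s+(\S+)\s+with\s+(\S+)")


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage_headers(raw: str) -> dict:
    """Pull the facts a defender wants from a suspect message's headers."""
    msg = message_from_string(raw)
    findings = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Who actually logged in to send this? The submission host records it.
    m = ADDR_RE.search(msg.get("X-Authenticated-Sender", ""))
    authenticated_as = m.group(0).lower() if m else ""
    if authenticated_as and authenticated_as.rpartition("@")[2] != from_domain:
        findings.append(f"Submitted by {authenticated_as}, not an account at {from_domain}")

    # Each hop prepends its own Received header, so the last one is the origin.
    received = msg.get_all("Received") or []
    origin = received[-1] if received else ""
    hop = HOP_RE.search(origin)
    origin_host, proto = (hop.group(1), hop.group(2).lower()) if hop else ("", "")
    origin_authenticated = proto in ("esmtpa", "esmtpsa")   # trailing 'a' = authenticated submission
    if origin_authenticated:
        findings.append(f"Origin hop is an authenticated login at {origin_host}, not a relay")

    # A receiver-side Authentication-Results should carry spf=/dkim=/dmarc=
    # verdicts for the From domain; auth=pass only says someone logged in.
    if not re.search(r"\b(spf|dkim|dmarc)=", msg.get("Authentication-Results", "")):
        findings.append("No SPF/DKIM/DMARC verdict recorded for the From domain")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "authenticated_as": authenticated_as,
        "origin_host": origin_host,
        "origin_authenticated": origin_authenticated,
        "hop_count": len(received),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_headers(RAW_HEADERS)["findings"]:
        print("-", line)
```

On this sample the script reports four findings, and together they answer the thread's question for this particular message: the origin hop is an authenticated login at a third-party hosting provider under an account in an unrelated domain, the displayed From is the client's look-alike address, and replies are steered to a free-mail Reply-To. That pattern points to a forged sender plus a redirected reply path rather than to either party's own mail server being compromised, which is exactly the distinction the comment about headers says you need to establish before assigning blame. Ask the client to forward the messages as attachments, as suggested above, so the headers arrive intact rather than rewritten by a forward.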