
Ask HN: Lost $10k as my email was hacked. Any ways to recover it? - milanmot
I have suffered a loss of $10k due to an extremely unbelievable case in which my client's as well as my own email domain was hacked.

-----

So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.

2 weeks ago I got an order worth $10000 from them. So as usual I dispatched the material to them and then raised the invoice with my bank details from my email address called "abcde@mydomain.com".

Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and a revised invoice is again sent which had bank account details of a UK bank account.

Now an email like "abicde@mydomain.com" doesn't exist at all.

My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.

Also, what makes this even more strange is that I received fake emails from my client's company, 3-4 times, about not asking for payment as it will be delayed.

I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".

Now $10000 is an extremely huge amount for the survival of my company. I want to know what are my options and is there any way of recovering it.
======
CPLX
I'm surprised I'm the first person to point this out, but you have not lost
any money, your client has.

You sent the goods to the client, and they have yet to remit the payment to
you. So they still owe you the money and you should insist they pay it.

Granted, they're not going to like that, but the reality is they sent payment
due to you to some other person. That's something _they_ did not something you
did.

They may be in a position to take steps to recover the payment they sent to
someone else, given the banks involved and so on, and they should try to do
it. But that's not something you're really in a position to be involved in,
you didn't have anything to do with it and aren't a party to the fraudulent
transaction.

In the meantime they should return the goods or send you the payment they owe.

~~~
Alex3917
> my client received an email from "abicde@mydomain.com" stating that there is
> a change in invoice and revised invoice is again sent which had bank account
> details of a UK bank account.

Emails sent from your domain usually constitute valid contracts. If you're
letting other people send emails from your domain because you don't have SPF
configured then there's a good chance a court would either rule that you've
allowed them to enter into a legally binding contract on your behalf, or else
that you were negligent and owe the $10,000 back in damages.

That's why you need to take away the email addresses of people who no longer
work for your company, so that they can't enter into contracts on your behalf.

That said no one should ever wire money based on anything they receive via
email. So if the sender email had SPF but the recipient just didn't see it
flagged because it was in SOFTFAIL mode or whatever, then it's probably the
client's fault at that point.

~~~
CPLX
That’s highly doubtful.

I think it would maybe be arguable if someone actually hacked the OP’s account
and the emails really did come from their outbox, but spoofed email is a
different thing entirely.

It seems more equivalent as a legal precedent to someone sending a forged
letter from a nonexistent employee on similar looking letterhead. Or maybe
someone showing up at the door and collecting payment wearing a stolen or
counterfeit uniform.

If you think of it in legal terms, in a lawsuit say, the client would have to
acknowledge the existence of a contract and an obligation to pay the supplier,
and then somehow make an argument that a spoofed email from a third party that
the supplier had no awareness of, that never entered the possession or control
of the supplier at all, somehow invalidates that contract, or proves that the
client has satisfied their obligation.

That’s quite a stretch.

Arguing negligence on the part of the supplier still wouldn’t do anything to
satisfy the payment obligation, at best it would seem to be a counter-claim,
saying that they suffered a loss because of the supplier's negligence, but then
that’s a separate tort and the burden of proof would be on them.

~~~
Alex3917
> It seems more equivalent as a legal precedent to someone sending a forged
> letter from a nonexistent employee on similar looking letterhead.

Well that's the question I guess, if you don't have SPF enabled is it like
what you said, or is it more like allowing random people to come into your
office at night and send out whatever they want on your actual company
letterhead?

I don't know if there is legal precedent there or what a judge would rule, but
it doesn't strike me as being completely obvious that this is a simple cut-
and-dried case where the client still owes the full amount of the original
payment.

~~~
CPLX
It’s not like having someone come into your office at night if it’s a spoofed
email. It’s just someone figuring out what your letterhead looks like.

Either way though the client owes the original payment. That’s not in dispute.
Legal issues don’t work in some holistic “who do you think should have the
money” way, there are specific causes of action.

The first thing a court would ask is does the client owe the money, and is the
obligation satisfied. The first answer is yes the second one is no, the client
never sent the supplier the money. Nobody claims they did. Period.

Then the client would have a cause of action for negligence, due to someone
else spoofing their email. Who wins that one? I don’t know but you’d have to
look for some precedent and claim that the supplier was actually the proximate
cause for some third party defrauding you. Maybe but it’s a pretty tenuous
argument and you’d have to demonstrate clear causality.

------
shyn3
Your email did not get hacked most likely. Your client got tricked. They
spoofed an email with your domain, but the reply-to email was their own (the
attacker). So the client thinks they responded to you, but they responded to
the fake address. Also, generally when they do this, they spoof the body and
the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to
forward you the original email received as an attachment, and the reply-email
as an attachment.

Your client likely has to reach out to their banking institution. Most
companies have safeguards against this on their end when sending money,
specifically, when accounts change they get on the phone with someone using
their Vendor list, not the communication from the email. Also, having multiple
parties authorize a transfer.

~~~
gus_massa
I agree. A few (10? 20?) years ago it was very easy to spoof email and send an
email "from" mickey@disney.com if you wish. The original email specification
has almost no security features. Now, most email servers will sign the
outgoing email, and if you receive an email with the signature, Gmail and
other big webmail providers will show a big warning.

So, to understand the problem it is very important to get a copy of all the
complete emails with all the hidden headers that have the automatic signatures
of the servers the email passed through. (See
[https://www.google.com/search?q=email+headers](https://www.google.com/search?q=email+headers)
)

With the email headers it is possible to see if your server was hacked or if
the sender field was spoofed.

------
czbond
This is very common issue; I've personally helped a company after they lost
much more than this, and had to help prove to insurance/govt agencies/etc.
Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send
invoices over email that contain any payment terms (eg: accounts, addresses to
mail check to, etc) they should always be in some sort of protected portal.
Tell every customer never to accept payment term details from you over email,
phone, etc. If you or your client has insurance, start documenting every part
of your case with screenshots into a file, and document everything you know
NOW, including timestamps, etc.

EDIT: Also, I'd suggest taking orders via a secured portal, and also
authenticating large orders by calling a number for a client you already have
(never trust their website, or an email from them). Unfortunately, you're out
of luck on that money.
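A way to check how much the SPF, DKIM and DMARC records recommended in this thread actually enforce, and to see the difference between SPF softfail (the SOFTFAIL mode mentioned earlier) and a hard fail. This is an added example, not code from any commenter. It works on the raw TXT record strings; the records below are constructed, and in practice they come from the domain's DNS (e.g. the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`).

```python
"""Assess how strictly a domain's published SPF and DMARC records are set.

Added example, not from the thread. Input strings are the TXT records as
published in DNS; the ones used in the tests are constructed placeholders.
"""


def parse_spf(record):
    """Return the list of SPF terms after 'v=spf1', or None if the record is absent/not SPF."""
    if record is None:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_all_qualifier(terms):
    """Qualifier on the trailing 'all' mechanism: '-', '~', '?' or '+'; None if there is no 'all'."""
    for term in terms:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            return t[0] if t[0] in "+-~?" else "+"  # a bare 'all' means '+all'
    return None


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; pct=100' into a tag dict; None if absent/not DMARC."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_record, dmarc_record):
    """Return (severity, finding) tuples; an empty list means both records enforce."""
    findings = []

    terms = parse_spf(spf_record)
    if terms is None:
        findings.append(("high", "no SPF record: any host can claim to send as this domain"))
    else:
        q = spf_all_qualifier(terms)
        if q is None or q == "+":
            findings.append(("high", "SPF has no '-all'/'~all': unlisted senders pass"))
        elif q == "?":
            findings.append(("high", "SPF uses '?all' (neutral): no verdict for unlisted senders"))
        elif q == "~":
            # Softfail is usually only a scoring hint unless DMARC turns it into a policy.
            findings.append(("medium", "SPF uses '~all' (softfail): forgeries are marked, not rejected"))

    tags = parse_dmarc(dmarc_record)
    if tags is None:
        findings.append(("high", "no DMARC record: receivers get no policy for SPF/DKIM failures"))
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC policy missing or invalid: {policy!r}"))
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("low", f"DMARC pct={pct}: policy applied to only part of the mail"))
        if "rua" not in tags:
            findings.append(("low", "DMARC has no rua= address: no aggregate reports to spot abuse"))
    return findings


if __name__ == "__main__":
    # Constructed records: a common 'monitor-only' setup versus an enforcing one.
    for spf, dmarc in [
        ("v=spf1 include:_spf.example.invalid ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"),
        ("v=spf1 include:_spf.example.invalid -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"),
    ]:
        print(spf, "|", dmarc)
        for severity, text in assess(spf, dmarc) or [("ok", "records enforce")]:
            print("  ", severity, text)
```

The point of the pairing: `~all` on its own lets a forged "from your domain" message through with at most a spam-score nudge, which is exactly the situation where a recipient never sees a warning. With DMARC at `p=reject` the same softfail becomes a policy decision at the receiving server, so the two records should be assessed together. DKIM is the third piece and needs the signing selector to check, which a TXT record on its own does not show.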

~~~
milanmot
Is there anyway to recover that money?

~~~
charlesdm
They need to file a police report, and get in touch with their bank. It's
likely the money has already been transferred to a different bank, but the
corresponding bank might still be able to freeze the account if it is still
sitting there.

Then again, it might be transferred again as well. Money is hard to trace if
it moves through different jurisdictions, as every country has different
banking and privacy laws. Your client might very well hit a dead end for such
a (in the grand scheme of things) small amount of money.

------
ndespres
If I'm reading your story correctly, it matches up with a tactic my clients
have been seeing more lately. The scammer has already accessed your account
because you fell for a phishing scam, typed your email credentials into a fake
login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely waiting for the opportunity
to do this. Waiting for you to send an invoice to your client, so they can
jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your clients'. Hard to
say exactly from your story. But either case, someone's mailbox was accessed
by the intruder. A similar scam is possible by just using similar domain
names, but in such a case you wouldn't know precise details of the invoices.
You can just send a random fake invoice and hope the mark pays it or provides
payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your
client is the one who paid the money to the wrong party. They are the ones who
need to work with their banks and reverse the payment. It's not your fault
that they paid the wrong person.

~~~
corobo
> The scammer has already accessed your account because you fell for a
> phishing scam

> It's not your fault that they paid the wrong person.

How is this not the OP's fault? It's absolutely their fault - the fault that
led to their email being compromised

~~~
ndespres
I stated in the next paragraph that the situation could just as easily be
reversed. We do not have any way to know in this situation whose mailbox was
accessed, the OP, or their client.

~~~
PhasmaFelis
If OP's mail was hacked, the attacker wouldn't have needed to use a
confusingly-similar email address ("abicde@mydomain.com" instead of
"abcde@mydomain.com"). They could have used OP's actual address.

~~~
ndespres
Good theory but not necessarily true. The attacker might still wish to use a
spoofed domain to ensure that they get delivery of all replies.

In cases where Gmail and Office 365 accounts get hacked like this, the
attacker will enable email forwarding to an address they can monitor for
replies, and delete replies from the clients so that the compromised person
does not see them. I am not sure if you can do this easily with a godaddy
mailbox.

------
amorphous
Immediately contact all the banks involved and report the fraud. They should
be able to reverse the transaction.

~~~
captainmuon
I can confirm this. Something similar happened to an acquaintance, although
the amount was even higher. They immediately called the police, and the
transaction was reversed. When the thieves tried to withdraw cash, they were
able to catch them. This happened in China, although the transaction was
international.

------
drfuchs
Your client got defrauded, arguably through no fault of your own. They never
paid you, so they still owe you. Good luck with this approach, though. IANAL

Edit: I see CPLX has said it much better than I in the meantime. Note that
it’s not at all clear that the hack happened on your end, rather than your
client’s (or perhaps at some intermediate ISP).

------
moviuro
Banking standards _here in the EU_ impose a 13 months period during which the
sender (order sender) can ask for a full refund. Check your local rules. This
has to be talked about with the respective banks involved (that of your client
+ the one that received payment), as I believe you can't do anything anymore.

Next time, use more than one communication channel (Facebook, phone, signal,
telegram, whatsapp... anything, really)

You should also see with your domain registrar and mail provider what
happened.

~~~
runako
> Banking standards here in the EU impose a 13 months period during which the
> sender (order sender) can ask for a full refund

Is this really true? Do EU bank transactions really take 13 months to fully
clear?

~~~
moviuro
No, they don't take 13 months to clear. The idea is to protect the payer (the
one losing money) from either their human error, or an unlawful debit.

See
[https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direct-debit](https://www.europeanpaymentscouncil.eu/what-we-do/sepa-direct-debit).

~~~
dkersten
Is that for “direct debit” only or all transactions?

------
maximp
Just so you know, the Reply All podcasts takes on (and helps solve) cases just
like these.

------
xte
My two cents: any business should ALSO have a phone number, perhaps not
immediately reachable, but still a phone number. Perhaps also a fax number,
old but still useful in an emergency.

~~~
justtopost
Hear hear.

If I can't reach flesh on a phone during business hours, I do my business with
somebody else. No exceptions. A friend was trusting money and login details to
a site with no mailing address or phone number and I pointed this out. He was
suddenly aghast, another who did the same shrugged, I shuddered. Some people
insist on learning the hard way.

------
nimbius
here in the US, we have the financial fraud kill chain for transfers greater
than 50,000 dollars. Other countries have used it as well. you may wish to
contact the CSIS for methods they use to short-circuit these transactions.

[https://rmacounts.com/uncategorized/financial-fraud-kill-chain/](https://rmacounts.com/uncategorized/financial-fraud-kill-chain/)

------
forkerenok
A couple of humble suggestions:

1. Get/Hire someone to do a proper analysis of the "breach". This may require
your client's cooperation.

2. Regardless of whose fault that was, try to improve the process to protect
yourself and your clients in the future (e.g. email signing, confirmation via
a different channel, different way of collecting payments etc.)

~~~
jiveturkey
have you ever done this? a proper analysis will cost more than the money lost,
and is itself not recoverable.

------
Symbiote
This is fairly common fraud in the UK. See this for background:

[https://www.theguardian.com/money/2018/oct/18/banks-to-check-account-names-to-beat-transfer](https://www.theguardian.com/money/2018/oct/18/banks-to-check-account-names-to-beat-transfer)

------
jiveturkey
one important thing you didn't state, was this $10k order typical for them, or
especially outsized. another important thing, you didn't state how any
discussion to date has already gone with the client.

anyway, no matter, you are in india, the client/customer is in canada? the
amount is only $10,000 and you are a "very" small company? you have no
practical recourse.

i'd even give small odds that the client is in fact scamming you.

regardless, good luck but in the face of an uncooperative client, you're out
of luck.

many of the arguments here are around legal correctness, who is at fault, etc.
but they fail to take into account that you are too small and the amount is
too small and across international borders, for you to do anything about it.
now if the amount were $100,000 you'd be able to pursue it.

------
C1sc0cat
You need to speak to the bank regulators and consider talking to the press.

In the UK the Daily Telegraph finance team has been covering this in their
weekend issues and has had some success in getting things changed here.

------
huehehue
I wonder if a _client_ has ever set up a scam like this.

They send a fake-looking email to themselves (using existing invoices as a
template), then feign ignorance and refuse to pay for goods/services because
"we sent the money, not our fault you didn't get it".

Even better that they'd send a few emails saying "we're working on paying you,
don't bug us about it" -- payments are harder to collect as time passes for a
number of reasons (in my experience).

~~~
captainmuon
As others have pointed out, it's the client's fault if they have been duped.
Although for sure, they'll try to put the onus on the seller, and will claim
the seller has been hacked etc..

------
milanmot
Email headers of the fake email I received are below. Can anyone identify
anything out of it?

-------

    Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000
    Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])
        (envelope-sender <klye@clientdomain.com>)
        by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP
        for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
    Received: from se1-lax1.servconfig.com ([104.244.124.86])
        by bizsmtp with ESMTP
        id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
    Received: from res203.servconfig.com ([192.145.239.44])
        by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.89)
        (envelope-from <klye@clientdomain.com>)
        id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
    Received: from [::1] (port=46403 helo=res203.servconfig.com)
        by res203.servconfig.com with esmtpa (Exim 4.91)
        (envelope-from <klye@clientdomain.com>)
        id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
        boundary="=_cb44418026f16861773c2073108229cd"
    Date: Tue, 16 Oct 2018 12:04:12 -0700
    From: Kyle <klye@clientdomain.com>
    To: Reema<reema@mydoamin.net>
    Cc: 'mail' <mail.globax@dr.com>
    Subject: RE: pharma zonisamide
    Reply-To: Kyle <Kyle.clientname@dr.com>
    Mail-Reply-To: Kyle <Kyle.clientname@dr.com>
    Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
    X-Sender: Klye@clientname.com
    User-Agent: Roundcube Webmail/1.3.3
    X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com
    X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
    X-Originating-IP: 192.145.239.44
    X-SpamExperts-Domain: res203.servconfig.com
    X-SpamExperts-Username: 192.145.239.44
    Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com
    X-SpamExperts-Outgoing-Class: unsure
    X-SpamExperts-Outgoing-Evidence: Combined (0.35)
    X-Recommended-Action: accept
    X-Filter-ID: EX5BVjFpneJeBchSMxfU5rwL/g85tQulnBE8gPHu3/F602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx
        q3u0UDjvO73ACdMYEFGu+gF5O7WstgsinfpazlJl1tCn592ZdmdEXY8S/zCkg36vZ3GfohIs0UGl
        z8CJSOMrvzx9TVg3RkVXN8poxUmHw7z8Cv3zSk4rk5hzVqcRQipB56OduRZxKuP+q8NuOKfRBnSy
        EKI1nLnoREI39Ng7w+jWwVgutjGnTGAA1gLIPnzkgagc0cD3QuccXSndMw0FQ8jqfUr8AYYpMlsI
        IQUIsICEfKR4uJdogE2eQHlogxUcYs0rxQ+mI9H9Xex/9Lq8f02pgNORt7R9OjAEo9UzDH0ARpN0
        wUZt3fvT7ao3SadG2ABiWXtkF0i/CT5LMFdUTCs59oTfl5U/c8+QAw6oOeWTc8nT5GWcPd0rEuGj
        FyZoidhtHm+WobglkKcTLdh5JwRD9s9xE+dH789QVPIx9duafGFU3kR9F9u9KyBXj+FNLU1SvJx5
        /9jlDHh8k6TTdHl8m1/8O/8FS0gu/BXEFm6f2M41IWv/Qw0zmRSx+YTH48mhNBhct/JFBLt+LA62
        e0Pg9eDnrJN9b+G2BSscQzbFMcfSu4J7ix6iCoZ5CaKPMqg2RgTcAelen7CXsT6fZe+0gbPIz96e
        qtNrhqU0j58VnbXM/vIJoxTw4G77xMwEh26uoYRpiF4am0X83e22zM8wHY/QU2XjdKVHj6Omz2pU
        52OZqldRRmxkB/4b3LJEbiGaRFZKY17WKvlei/52nCwh3EKwhLPN528N6lMd564J8QyHtUdRVUYN
        O3udn1JlHoAi4F0jBWcShbww79KoIp0Sgs8f/ZTrGlUY2jbf3Q54l9HRkQvIejKclyAbTmc6f/07
        0aI4MKggmD9XUhkU65ggFOIOfY0If3FAzbmaNBxeMIrqE6TxR86t2EiC6GwMws7GvvozwLzzGiRR
        EvmQrtvSbV4fnBHAY64qloNFm00WuJU2Ru5B4WNJiz4C8c3Na3gFdtxXZg==
    X-Report-Abuse-To: spam@se1-lax1.servconfig.com
    X-CMAE-Envelope: MS4wfGTkLN5Q3Etz9Wkc3k/s+48X4HLNxcMTgPNW9dd3KWT52iaJK7tSMbsyZjm0/hi9J87LipDUTpWV2p/qyIS3IuuXa62TTzrOmM1SRoaJXZY91Lfa/lzj
        i8Jb2TdRHL58hBIRNSmmPIf9tFZ8lSpapy/8CF5h3TDIczyZlwy+0j+T7U+zeMfEALDdLQAg1NCO7Q==
    X-Nonspam: None
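The three things worth pulling out of headers like the ones above are mechanical enough to script: the `Reply-To` domain not matching the `From` domain, the SMTP-authenticated mailbox (`X-Authenticated-Sender` / `authenticated_id`) belonging to a third domain, and the sender address being one or two characters off a contact you already have on file. This is an added example, not code from any commenter; the headers it runs on are constructed to mirror the shape of the ones above, with placeholder hosts and addresses, and `KNOWN_CONTACTS` stands in for your own vendor/customer list.

```python
"""Triage checks over the raw headers of a suspicious payment-change e-mail.

Added example, not from the thread. SAMPLE_HEADERS is constructed to mirror
the posted headers (look-alike From, Reply-To on an unrelated domain,
X-Authenticated-Sender naming a third mailbox); all names are placeholders.
"""
import email
import email.utils
import re

SAMPLE_HEADERS = """\
Received: from [::1] (port=46403 helo=res203.host.invalid)
\tby res203.host.invalid with esmtpa (Exim 4.91)
\t(envelope-from <klye@clientdomain.invalid>)
Date: Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.invalid>
To: Reema <reema@mydomain.invalid>
Subject: RE: invoice
Reply-To: Kyle <Kyle.clientname@freemail.invalid>
X-Authenticated-Sender: res203.host.invalid: someone@unrelated.invalid

(body omitted)
"""

# Known-good contacts from your own records, never from the incoming mail.
# Constructed for the example.
KNOWN_CONTACTS = ["kyle@clientdomain.invalid"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def bare_address(header_value):
    """'Kyle <k@x.invalid>' -> 'k@x.invalid', lowercased; '' if the header is absent."""
    if not header_value:
        return ""
    return email.utils.parseaddr(header_value)[1].lower()


def split_address(addr):
    """Return (local part, domain) of an address."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(addr, known_contacts, max_distance=2):
    """Known contact that addr imitates (same domain, local part within a few
    edits, not identical), or None."""
    local, domain = split_address(addr)
    for known in known_contacts:
        known = known.lower()
        if addr == known:
            return None
        k_local, k_domain = split_address(known)
        if domain == k_domain and levenshtein(local, k_local) <= max_distance:
            return known
    return None


def triage(raw_message, known_contacts):
    """Return (code, detail) findings for the message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message)
    findings = []
    sender = bare_address(msg["From"])
    sender_domain = split_address(sender)[1]

    # 1. Replies silently routed to a mailbox on another domain.
    reply_to = bare_address(msg["Reply-To"])
    if reply_to and split_address(reply_to)[1] != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not to {sender}"))

    # 2. The mailbox that authenticated to the submitting server is not the claimed sender.
    match = EMAIL_RE.search(msg["X-Authenticated-Sender"] or "")
    if match and split_address(match.group(0).lower())[1] != sender_domain:
        findings.append(("auth-sender-mismatch", f"submitted by {match.group(0)} but claims to be {sender}"))

    # 3. Sender is a near-miss of a contact already on file.
    imitated = lookalike_of(sender, known_contacts)
    if imitated:
        findings.append(("lookalike-sender", f"{sender} is a few characters off known contact {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_HEADERS, KNOWN_CONTACTS):
        print(f"{code}: {detail}")
```

Two of the three checks only work if you have the full original message: a forwarded copy loses the `Received:` and `X-Authenticated-Sender` lines, which is why earlier comments ask for the mail as an attachment rather than a forward. The look-alike check depends on keeping your own contact list, so it is the one check a client can run before they act on a "changed bank details" message.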

~~~
rnotaro
Do you recognize this domain?

> authenticated_id: shahrukh@makamil.com

~~~
milanmot
No. This is some unknown email address.

~~~
shripadk
[https://b2bpk.com/company/ma-kamil-pharma-57113.html](https://b2bpk.com/company/ma-kamil-pharma-57113.html)

Weird that the domain points to another Pharma company operating from Karachi,
Pakistan. Maybe contacting them to find out who "Shahrukh" is might be a good
first step.

EDIT: Looks like 0898 found more details
[https://news.ycombinator.com/item?id=18310807](https://news.ycombinator.com/item?id=18310807)

------
matt_the_bass
Maybe this is a dumb question, but have you talked to your customer about
this? Such issues are covered by insurance plans that are common for US
companies. It may be as simple as your customer makes a police report and then
provide it to their insurance. Then 60 days later they get a check and pay
you.

------
rnotaro
Your case is really similar to this attack (`How a fraudster got $12 million
out of a Canadian university: They just asked for it`):
[https://news.ycombinator.com/item?id=18186433](https://news.ycombinator.com/item?id=18186433)

------
hawkilt
Are you or your client using Google's G Suite as email service provider?

Because the same thing happened to a client in Chennai, India.

But the client didn't transfer the funds since he found that the bank account
the fake guy sent was new to them. So the client called the original company
back and reported it.

------
gagabity
Unless I am missing something I don't see a hack here, just some spoofed
emails.

~~~
milanmot
It's not just a random spoof email. Someone was aware of the entire
conversation and sent a spoof email at the exact moment, resulting in my
loss.

~~~
gagabity
Doesn't mean you were hacked; it could be an inside job by someone at either
organization or could be a hack on the other company's email. If your email
provider has any sort of activity log like Gmail does you might want to review
those, or if you run your own there should be access logs on the server.

------
masonic
For a similar recent case, see

[https://news.ycombinator.com/item?id=18318226](https://news.ycombinator.com/item?id=18318226)

------
darkhorn
Make sure you have set up SPF, DKIM and DMARC. Also use email certificate.

------
divitics
An interesting case, I have never heard of this type of fraud

------
21stio
Maybe your business partner is trying to scam you.

------
rasz
You didn't lose 10K, your client did.

