I have suffered a loss of $10k due to an extremely unbelievable case in which my client's, as well as my own, email domain was hacked.

-----

So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.

2 weeks ago I got an order worth $10000 from them. So as usual I dispatched the material to them and then raised the invoice with my bank details from my email address called "abcde@mydomain.com".

Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in the invoice and a revised invoice was sent again, which had the bank account details of a UK bank account.

Now an email like "abicde@mydomain.com" doesn't exist at all.

My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.

Also, what makes this even more strange is that I received a fake email from my client's company 3-4 times about not asking for payment as it will be delayed.

I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".

Now $10000 is an extremely huge amount for the survival of my company. I want to know what my options are and whether there is any way of recovering it.
I'm surprised I'm the first person to point this out, but you have not lost any money; your client has.

You sent the goods to the client, and they have yet to remit the payment to you. So they still owe you the money and you should insist they pay it.

Granted, they're not going to like that, but the reality is they sent payment due to you to some other person. That's something they did, not something you did.

They may be in a position to take steps to recover the payment they sent to someone else, given the banks involved and so on, and they should try to do it. But that's not something you're really in a position to be involved in; you didn't have anything to do with it and aren't a party to the fraudulent transaction.

In the meantime they should return the goods or send you the payment they owe.
Your email did not get hacked, most likely. Your client got tricked. They spoofed an email with your domain, but the reply-to email was their own (the attacker's). So the client thinks they responded to you, but they responded to the fake address. Also, generally when they do this, they spoof the body and the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply email as an attachment.

Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money; specifically, when accounts change they get on the phone with someone using their vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.
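The two tells this comment describes, a Reply-To that points somewhere other than the From domain, and a sender address that is one or two characters off a verified contact (the abicde/abcde and klye/kyle addresses in the original post), can be checked mechanically before anyone acts on a changed-invoice email. The script below is an added example for this thread, not code from any commenter; the contact list and the two messages are constructed samples, and PAYMENT_CHANGE_TERMS is an assumed keyword list rather than any standard.

```python
"""Triage a forwarded invoice email for the BEC tells discussed above.
Added example for this thread, not a commenter's code. KNOWN_CONTACTS and
the two sample messages are constructed; PAYMENT_CHANGE_TERMS is assumed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: addresses previously verified out-of-band (e.g. by phone).
KNOWN_CONTACTS = {"abcde@mydomain.com", "kyle@clientdomain.com"}
# Assumed trigger phrases; tune to your own invoice language.
PAYMENT_CHANGE_TERMS = ("new bank", "revised invoice", "updated account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute = 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_known(addr: str, max_dist: int = 2):
    """Return (known_address, distance) when addr is a near miss of a verified
    contact; None when it is an exact match or clearly unrelated."""
    addr = addr.lower()
    if addr in KNOWN_CONTACTS:
        return None
    dist, match = min((levenshtein(addr, k), k) for k in KNOWN_CONTACTS)
    return (match, dist) if dist <= max_dist else None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyse(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []
    # Tell 1: replies will go somewhere other than the domain shown in From.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append(f"Reply-To domain differs from From: {sender} -> {reply_to}")
    # Tell 2: the sender is a one- or two-character variant of a verified contact.
    near = nearest_known(sender)
    if near:
        findings.append(f"lookalike sender {sender} (distance {near[1]} from {near[0]})")
    # Tell 3: the message is trying to change where the money goes.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(term in text for term in PAYMENT_CHANGE_TERMS):
        findings.append("body asks for a change in payment details")
    return findings


# Constructed sample: the "revised invoice" message from the original post.
SAMPLE_REVISED_INVOICE = b"""From: Accounts <abicde@mydomain.com>
Reply-To: Accounts <accounts@freemail.invalid>
To: kyle@clientdomain.com
Subject: Revised invoice

Please find the revised invoice attached; note our new bank account in the UK.
"""

# Constructed sample: an ordinary invoice from the verified address.
SAMPLE_LEGIT = b"""From: Accounts <abcde@mydomain.com>
To: kyle@clientdomain.com
Subject: Invoice 1234

Invoice attached. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("revised", SAMPLE_REVISED_INVOICE), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

Run it against the raw .eml your client forwards (forwarded as an attachment, as the comment suggests, so the original headers survive). Any finding means the payment-detail change has to be confirmed over a channel the email did not supply, such as the phone number already on the vendor list.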
This is a very common issue; I've personally helped a company after they lost much more than this, and had to help prove it to insurance/govt agencies/etc. Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send invoices over email that contain any payment terms (e.g. accounts, addresses to mail a check to, etc.); they should always be in some sort of protected portal. Tell every customer never to accept payment term details from you over email, phone, etc. If you or your client has insurance, start documenting every part of your case with screenshots into a file, and document everything you know NOW, including timestamps, etc.

EDIT: Also, I'd suggest taking orders via a secured portal, and also authenticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck on that money.
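The SPF/DMARC part of this advice can be checked offline once you have the TXT records in hand. The script below is an added example for this thread, not any commenter's code: it parses a domain's SPF and DMARC records and reports the settings that leave the domain spoofable, with a constructed weak configuration beside a corrected one. The include: host and the report address are placeholders, and DKIM is not assessed here because its correctness depends on the selector and key your provider publishes rather than on a record you can judge in isolation.

```python
"""Assess the SPF and DMARC records a mail domain publishes. Added example
for this thread, not a commenter's code. The record strings are constructed;
in practice fetch them with `dig TXT mydomain.com` and
`dig TXT _dmarc.mydomain.com`. The include: host and rua= address are placeholders."""


def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    all_qualifier = None  # None: no 'all' term, so the default result is neutral
    mechanisms = []
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return the findings that leave the domain easy to spoof; [] when none."""
    findings = []
    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("no SPF record: any host may send mail as this domain")
    elif spf["all"] in (None, "+", "?"):
        shown = f"{spf['all']}all" if spf["all"] else "no 'all' term"
        findings.append(f"SPF ends with {shown}: unlisted senders are not failed")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: receivers have no policy for mail failing SPF/DKIM")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("no rua= address: you will not see aggregate reports of spoofing")
    return findings


# Constructed weak configuration: monitoring only, and SPF that never fails anyone.
WEAK_SPF = "v=spf1 include:_spf.mailhost.invalid ?all"
WEAK_DMARC = "v=DMARC1; p=none"

# Constructed corrected configuration: hard-fail SPF, reject policy, reports on.
STRONG_SPF = "v=spf1 include:_spf.mailhost.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@mydomain.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

Note what these records do and do not buy you: they let a receiving mail server reject mail that claims to be from mydomain.com but was not sent through your listed hosts. They do nothing against a lookalike domain the attacker registered themselves, which is why the comment's out-of-band confirmation of payment details still matters.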
If I'm reading your story correctly, it matches up with a tactic my clients have been seeing more lately. The scammer has already accessed your account because you fell for a phishing scam, typed your email credentials into a fake login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely, waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your client's. Hard to say exactly from your story. But in either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.
Your client got defrauded, arguably through no fault of your own. They never paid you, so they still owe you. Good luck with this approach, though. IANAL

Edit: I see CPLX has said it much better than I in the meantime. Note that it's not at all clear that the hack happened on your end, rather than your client's (or perhaps at some intermediate ISP).
Banking standards here in the EU impose a 13-month period during which the sender (order sender) can ask for a full refund. Check your local rules. This has to be talked about with the respective banks involved (that of your client + the one that received payment), as I believe you can't do anything anymore.

Next time, use more than one communication channel (Facebook, phone, Signal, Telegram, WhatsApp... anything, really).

You should also see with your domain registrar and mail provider what happened.
My two cents: any business should ALSO have a phone number, perhaps not immediately reachable, but still a phone number.
Perhaps also a fax number, old but still useful in an emergency.
Here in the US, we have the financial fraud kill chain for transfers greater than 50,000 dollars. Other countries have used it as well. You may wish to contact the CSIS for methods they use to short-circuit these transactions.

https://rmacounts.com/uncategorized/financial-fraud-kill-chain/
A couple of humble suggestions:

1. Get/Hire someone to do a proper analysis of the "breach". This may require your client's cooperation.

2. Regardless of whose fault that was, try to improve the process to protect yourself and your clients in the future (e.g. email signing, confirmation via a different channel, different way of collecting payments etc.)
This is a fairly common fraud in the UK. See this for background:

https://www.theguardian.com/money/2018/oct/18/banks-to-check-account-names-to-beat-transfer
One important thing you didn't state: was this $10k order typical for them, or especially outsized? Another important thing you didn't state is how any discussion to date has already gone with the client.

Anyway, no matter. You are in India, the client/customer is in Canada? The amount is only $10,000 and you are a "very" small company? You have no practical recourse.

I'd even give small odds that the client is in fact scamming you.

Regardless, good luck, but in the face of an uncooperative client, you're out of luck.

Many of the arguments here are around legal correctness, who is at fault, etc., but they fail to take into account that you are too small and the amount is too small and across international borders for you to do anything about it. Now if the amount were $100,000 you'd be able to pursue it.
You need to speak to the bank regulators and consider talking to the press.

In the UK, the Daily Telegraph finance team has been covering this in their weekend issues and has had some success in getting things changed here.
I wonder if a client has ever set up a scam like this.

They send a fake-looking email to themselves (using existing invoices as a template), then feign ignorance and refuse to pay for goods/services because "we sent the money, not our fault you didn't get it".

Even better that they'd send a few emails saying "we're working on paying you, don't bug us about it" -- payments are harder to collect as time passes for a number of reasons (in my experience).
Maybe this is a dumb question, but have you talked to your customer about this? Such issues are covered by insurance plans that are common for US companies. It may be as simple as your customer making a police report and then providing it to their insurance. Then 60 days later they get a check and pay you.
Your case is really similar to this attack ("How a fraudster got $12 million out of a Canadian university: They just asked for it"): https://news.ycombinator.com/item?id=18186433
Are you or your client using Google's G Suite as email service provider?

Because the same thing happened to one client in Chennai, India.

But the client didn't transfer the funds since he found that the bank account the fake guy sent was new to them. So the client called the original company back and reported it.
For a similar recent case, see

https://news.ycombinator.com/item?id=18318226