Ask HN: Lost $10k as my email was hacked. Any ways to recover it?

109 points by milanmot, over 6 years ago

I have suffered a loss of $10k due to an extremely unbelievable case in which my client's as well as my own email domain was hacked.

-----

So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.

2 weeks ago I got an order worth $10000 from them. So as usual I dispatched the material to them and then raised the invoice with my bank details from my email address called "abcde@mydomain.com".

Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in the invoice and a revised invoice is again sent which had bank account details of a UK bank account.

Now an email like "abicde@mydomain.com" doesn't exist at all.

My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.

Also, what makes this even more strange is that I received a fake email from my client's company 3-4 times about not asking for payment as it will be delayed.

I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".

Now $10000 is an extremely huge amount for the survival of my company. I want to know what are my options and is there any way of recovering it.

25 comments

CPLX, over 6 years ago

I'm surprised I'm the first person to point this out, but you have not lost any money, your client has.

You sent the goods to the client, and they have yet to remit the payment to you. So they still owe you the money and you should insist they pay it.

Granted, they're not going to like that, but the reality is they sent payment due to you to some other person. That's something *they* did, not something you did.

They may be in a position to take steps to recover the payment they sent to someone else, given the banks involved and so on, and they should try to do it. But that's not something you're really in a position to be involved in, you didn't have anything to do with it and aren't a party to the fraudulent transaction.

In the meantime they should return the goods or send you the payment they owe.

shyn3, over 6 years ago

Your email did not get hacked most likely. Your client got tricked. They spoofed an email with your domain, but the reply-to email was their own (the attacker). So the client thinks they responded to you, but they responded to the fake address. Also, generally when they do this, they spoof the body and the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply-email as an attachment.

Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money, specifically, when accounts change they get on the phone with someone using their Vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.

czbond, over 6 years ago

This is a very common issue; I've personally helped a company after they lost much more than this, and had to help prove to insurance/govt agencies/etc. Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send invoices over email that contain any payment terms (eg: accounts, addresses to mail check to, etc) they should always be in some sort of protected portal. Tell every customer never to accept payment term details from you over email, phone, etc. If you or your client has insurance, start documenting every part of your case with screenshots into a file, and document everything you know NOW, including timestamps, etc.

EDIT: Also, I'd suggest taking orders via a secured portal, and also authenticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck on that money.

ndespres, over 6 years ago

If I'm reading your story correctly, it matches up with a tactic my clients have been seeing more lately. The scammer has already accessed your account because you fell for a phishing scam, typed your email credentials into a fake login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your clients'. Hard to say exactly from your story. But in either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.

amorphous, over 6 years ago

Immediately contact all the banks involved and report the fraud. They should be able to reverse the transaction.

drfuchs, over 6 years ago

Your client got defrauded, arguably through no fault of your own. They never paid you, so they still owe you. Good luck with this approach, though. IANAL

Edit: I see CPLX has said it much better than I in the meantime. Note that it’s not at all clear that the hack happened on your end, rather than your client’s (or perhaps at some intermediate ISP).

moviuro, over 6 years ago

Banking standards *here in the EU* impose a 13-month period during which the sender (order sender) can ask for a full refund. Check your local rules. This has to be talked about with the respective banks involved (that of your client + the one that received payment), as I believe you can't do anything anymore.

Next time, use more than one communication channel (Facebook, phone, Signal, Telegram, WhatsApp... anything, really)

You should also see with your domain registrar and mail provider what happened.

maximp, over 6 years ago

Just so you know, the Reply All podcast takes on (and helps solve) cases just like these.

xte, over 6 years ago

My two cents: any business should ALSO have a phone number, perhaps not immediately reachable, but still a phone number. Perhaps also a fax number, old but still useful in an emergency.

nimbius, over 6 years ago

here in the US, we have the financial fraud kill chain for transfers greater than 50,000 dollars. Other countries have used it as well. you may wish to contact the CSIS for methods they use to short-circuit these transactions.

https://rmacounts.com/uncategorized/financial-fraud-kill-chain/

forkerenok, over 6 years ago

A couple of humble suggestions:

1. Get/Hire someone to do a proper analysis of the "breach". This may require your client's cooperation.

2. Regardless of whose fault that was, try to improve the process to protect yourself and your clients in the future (e.g. email signing, confirmation via a different channel, different way of collecting payments etc.)

Symbiote, over 6 years ago

This is fairly common fraud in the UK. See this for background:

https://www.theguardian.com/money/2018/oct/18/banks-to-check-account-names-to-beat-transfer

jiveturkey, over 6 years ago

one important thing you didn't state, was this $10k order typical for them, or especially outsized. another important thing, you didn't state how any discussion to date has already gone with the client.

anyway, no matter, you are in india, the client/customer is in canada? the amount is only $10,000 and you are a "very" small company? you have no practical recourse.

i'd even give small odds that the client is in fact scamming you.

regardless, good luck but in the face of an uncooperative client, you're out of luck.

many of the arguments here are around legal correctness, who is at fault, etc. but they fail to take into account that you are too small and the amount is too small and across international borders, for you to do anything about it. now if the amount were $100,000 you'd be able to pursue it.

C1sc0cat, over 6 years ago

You need to speak to the bank regulators and consider talking to the press

In the UK the Daily Telegraph finance team have been covering this in their weekend issues and have had some success in getting things changed here.

huehehue, over 6 years ago

I wonder if a *client* has ever set up a scam like this.

They send a fake-looking email to themselves (using existing invoices as a template), then feign ignorance and refuse to pay for goods/services because "we sent the money, not our fault you didn't get it".

Even better that they'd send a few emails saying "we're working on paying you, don't bug us about it" -- payments are harder to collect as time passes for a number of reasons (in my experience).

milanmot, over 6 years ago

Email headers of the fake email I received are below. Can anyone identify anything out of it?

-------

    Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000
    Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])
      (envelope-sender <klye@clientdomain.com>) by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
    Received: from se1-lax1.servconfig.com ([104.244.124.86])
      by bizsmtp with ESMTP id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
    Received: from res203.servconfig.com ([192.145.239.44])
      by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <klye@clientdomain.com>) id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
    Received: from [::1] (port=46403 helo=res203.servconfig.com)
      by res203.servconfig.com with esmtpa (Exim 4.91) (envelope-from <klye@clientdomain.com>) id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
      boundary="=_cb44418026f16861773c2073108229cd"
    Date: Tue, 16 Oct 2018 12:04:12 -0700
    From: Kyle <klye@clientdomain.com>
    To: Reema<reema@mydoamin.net>
    Cc: 'mail' <mail.globax@dr.com>
    Subject: RE: pharma zonisamide
    Reply-To: Kyle <Kyle.clientname@dr.com>
    Mail-Reply-To: Kyle <Kyle.clientname@dr.com>
    Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
    X-Sender: Klye@clientname.com
    User-Agent: Roundcube Webmail/1.3.3
    X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com
    X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
    X-Originating-IP: 192.145.239.44
    X-SpamExperts-Domain: res203.servconfig.com
    X-SpamExperts-Username: 192.145.239.44
    Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com
    X-SpamExperts-Outgoing-Class: unsure
    X-SpamExperts-Outgoing-Evidence: Combined (0.35)
    X-Recommended-Action: accept
    X-Report-Abuse-To: spam@se1-lax1.servconfig.com
    X-Nonspam: None

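The header checks several commenters describe (lookalike sender address, Reply-To pointing at another domain, authenticated account differing from the From address), run over a subset of the headers posted above. This is an added example, not part of the thread; the function names, the distance threshold and the known-contact list are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Header subset copied from the message posted above (values as posted).
SAMPLE = """\
From: Kyle <klye@clientdomain.com>
Subject: RE: pharma zonisamide
Reply-To: Kyle <Kyle.clientname@dr.com>
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
"""

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (kyle -> klye) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_headers(raw, known_contacts, max_dist=2):
    """Hypothetical triage helper: known_contacts is your own vendor/client list.
    X-Authenticated-Sender is only checked when the sending host added it."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = msg.get("X-Authenticated-Sender", "").rsplit(":", 1)[-1].strip().lower()
    known = {c.lower() for c in known_contacts}
    findings = []
    if sender not in known:
        for c in sorted(known):
            if 0 < osa_distance(sender, c) <= max_dist:
                findings.append(f"lookalike: {sender} resembles {c}")
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender.rsplit("@", 1)[-1]:
        findings.append(f"reply-to-domain: replies go to {reply_to}")
    if auth and auth != sender:
        findings.append(f"auth-mismatch: submitted by account {auth}")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE, ["kyle@clientdomain.com"]):
        print(finding)
```

All three checks fire on the posted headers. From and Reply-To are chosen by the sender, so an empty result does not authenticate a message.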
matt_the_bass, over 6 years ago

Maybe this is a dumb question, but have you talked to your customer about this? Such issues are covered by insurance plans that are common for US companies. It may be as simple as your customer makes a police report and then provides it to their insurance. Then 60 days later they get a check and pay you.

rnotaro, over 6 years ago

Your case is really similar to this attack (`How a fraudster got $12 million out of a Canadian university: They just asked for it`): https://news.ycombinator.com/item?id=18186433

hawkilt, over 6 years ago

you or your client using Google’s Gsuite as email service provider?

cause the same thing happened to one of client in Chennai, India.

but the client didn't transfer the funds since he found that the bank account the fake guy sent was new to them. so the client called original company back and reported it.

gagabity, over 6 years ago

Unless I am missing something I don't see a hack here, just some spoofed emails.

masonic, over 6 years ago

For a similar recent case, see

https://news.ycombinator.com/item?id=18318226

darkhorn, over 6 years ago

Make sure you have set up SPF, DKIM and DMARC. Also use an email certificate.

divitics, over 6 years ago

An interesting case, I have never heard of this type of fraud.

21stio, over 6 years ago

Maybe your business partner is trying to scam you.

rasz, over 6 years ago

You didn't lose 10K, your client did.