Ask HN: Lost $10k as my email was hacked. Any ways to recover it?

109 points by milanmot ↗ HN
I have suffered a loss of $10k due to an extremely unbelievable case of my client's as well as my own email domain was hacked.

–----

So, I run a very small pharma export company in India. I have a client in Ontario, Canada with whom I have been doing regular business.

2 weeks ago I got an order worth $10000 from them. So as usual I dispatched the material to them and then raised the invoice with my bank details from my email address called "abcde@mydomain .com".

Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.

Now an email like "abicde@mydomain.com" doesn't exist at all.

My client asked me for a confirmation email again but this email never reached me. So the client made the payment and the money is already deducted from his account.

Also, what makes this even more strange is that I received a fake email from my client's company with 3-4 times about not asking for payment as it will be delayed.

I got this email from an email address like "klye@clientdomain.com" instead of "kyle@clientdomain.com".

Now $10000 in an extremely huge amount for survival of my company. I want to know what are my options and is there any way of recovering it.

58 comments

[ 2.8 ms ] story [ 108 ms ] thread
Immediately contact all the banks involved and report the fraud. They should be able to reverse the transaction.
I can confirm this. Something similar happened to an acquaintance, although the amount was even higher. They immediately called the police, and the transaction was reversed. When the thieves tried to withdraw cash, they were able to catch them. This happened in China, although the transaction was international.
Banking standards here in the EU impose a 13 months period during which the sender (order sender) can ask for a full refund. Check your local rules. This has to be talked about with the respective banks involved (that of your client + the one that received payment), as I believe you can't do anything anymore.

Next time, use more than one communication channel (Facebook, phone, signal, telegram, whatsapp... anything, really)

You should also see with your domain registrar and mail provider what happened.

My domain and email provider is GoDaddy. Unfortunately, they said that they cannot do anything about it but still asked me to send IP email headers to their abuse team.
> Banking standards here in the EU impose a 13 months period during which the sender (order sender) can ask for a full refund

Is this really true? Do EU bank transactions really take 13 months to fully clear?

Email headers of the fake email I received are below. Can anyone identify anything out it?

-------

Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000

Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])

          (envelope-sender <klye@clientdomain.com>)

          by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP

          for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
Received: from se1-lax1.servconfig.com ([104.244.124.86])

               by bizsmtp with ESMTP

               id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44])

               by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)

               (Exim 4.89)

               (envelope-from <klye@clientdomain.com>)

               id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com)

               by res203.servconfig.com with esmtpa (Exim 4.91)

               (envelope-from <klye@clientdomain.com>)

               id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="=_cb44418026f16861773c2073108229cd"

Date: Tue, 16 Oct 2018 12:04:12 -0700

From: Kyle <klye@clientdomain.com>

To: Reema<reema@mydoamin.net>

Cc: 'mail' <mail.globax@dr.com>

Subject: RE: pharma zonisamide

Reply-To: Kyle <Kyle.clientname@dr.com>

Mail-Reply-To: Kyle <Kyle.clientname@dr.com>

Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>

X-Sender: Klye@clientname.com

User-Agent: Roundcube Webmail/1.3.3

X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com

X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com

X-Originating-IP: 192.145.239.44

X-SpamExperts-Domain: res203.servconfig.com

X-SpamExperts-Username: 192.145.239.44

Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com

X-SpamExperts-Outgoing-Class: unsure

X-SpamExperts-Outgoing-Evidence: Combined (0.35)

X-Recommended-Action: accept

X-Filter-ID: EX5BVjFpneJeBchSMxfU5rwL/g85tQulnBE8gPHu3/F602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx

q3u0UDjvO73ACdMYEFGu+gF5O7WstgsinfpazlJl1tCn592ZdmdEXY8S/zCkg36vZ3GfohIs0UGl

z8CJSOMrvzx9TVg3RkVXN8poxUmHw7z8Cv3zSk4rk5hzVqcRQipB56OduRZxKuP+q8NuOKfRBnSy

EKI1nLnoREI39Ng7w+jWwVgutjGnTGAA1gLIPnzkgagc0cD3QuccXSndMw0FQ8jqfUr8AYYpMlsI

IQUIsICEfKR4uJdogE2eQHlogxUcYs0rxQ+mI9H9Xex/9Lq8f02pgNORt7R9OjAEo9UzDH0ARpN0

wUZt3fvT7ao3SadG2ABiWXtkF0i/CT5LMFdUTCs59oTfl5U/c8+QAw6oOeWTc8nT5GWcPd0rEuGj

FyZoidhtHm+WobglkKcTLdh5JwRD9s9xE+dH789QVPIx9duafGFU3kR9F9u9KyBXj+FNLU1SvJx5

/9jlDHh8k6TTdHl8m1/8O/8FS0gu/BXEFm6f2M41IWv/Qw0zmRSx+YTH48mhNBhct/JFBLt+LA62

e0Pg9eDnrJN9b+G2BSscQzbFMcfSu4J7ix6iCoZ5CaKPMqg2RgTcAelen7CXsT6fZe+0gbPIz96e

qtNrhqU0j58VnbXM/vIJoxTw4G77xMwEh26uoYRpiF4am0X83e22zM8wHY/QU2XjdKVHj6Omz2pU

52OZqldRRmxkB/4b3LJEbiGaRFZKY17WKvlei/52nCwh3EKwhLPN528N6lMd564J8QyHtUdRVUYN

O3udn1JlHoAi4F0jBWcShbww79KoIp0Sgs8f/ZTrGlUY2jbf3Q54l9HRkQvIejKclyAbTmc6f/07

0aI4MKggmD9XUhkU65ggFOIOfY0If3FAzbmaNBxeMIrqE6TxR86t2EiC6GwMws7GvvozwLzzGiRR

EvmQrtvSbV4fnBHAY64qloNFm00WuJU2Ru5B4WNJiz4C8c3Na3gFdtxXZg==

X-Report-Abuse-To: spam@se1-lax1.servconfig.com

X-CMAE-Envelope: MS4wfGTkLN5Q3Etz9Wkc3k/s+48X4HLNxcMTgPNW9dd3KWT52iaJK7tSMbsyZjm0/hi9J87LipDUTpWV2p/qyIS3IuuXa62TTzrOmM1SRoaJXZY91Lfa/lzj

i8Jb2TdRHL58hBIRNSmmPIf9tFZ8lSpapy/8CF5h3TDIczyZlwy+0j+T7U+zeMfEALDdLQAg1NCO7Q==

X-Nonspam: None

Do you recognize this domain?

> authenticated_id: shahrukh@makamil.com

No. This is some unknown email address.
Your client's /Round Cube/ installation may be exploited, as that is where the email originated from:

  User-Agent: Roundcube Webmail/1.3.3
Well you may be able to get their contact details by contacting InMotion Hosting, who runs the web server they sent the mail out of. If you take 'res203.servconfig.com' and stick it in here: https://www.ultratools.com/tools/ipWhoisLookup , you should be able to get their abuse team email. Although this won't get the money back... it will just help you punish the spoofer a bit.
This is very common issue; I've personally helped a company after they lost much more than this, and had to help prove to insurance/govt agencies/etc. Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send invoices over email that contain any payment terms (eg: accounts, addresses to mail check to, etc) they should always be in some sort of protected portal. Tell every customer never to accept payment term details from you over email, phone, etc. If you or your client has insurance, start documenting every part of your case with screenshots into a file, and document everything you know NOW, including timestamps, etc.

EDIT: Also, I'd suggest taking orders via a secured portal, and also autheticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck that money.

Is there anyway to recover that money?
They need to file a police report, and get in touch with their bank. It's likely the money has already been transferred to a different bank, but the corresponding bank might still be able to freeze the account if it is still sitting there.

Then again, it might be transferred again as well. Money is hard to trace if it moves through different jurisdictions, as every country has different banking and privacy laws. Your client might very well hit a dead end for such a (in the grand scheme of things) small amount of money.

Not sure if a portal is any better. Can't an email point to a fake portal?
Unless I am missing something I dont see a hack here, just some spoofed emails.
It's not just a random spoof email. Someone was aware of the entire conversation and send a spoof email at the exact situation resulting in my loss.
Doesnt mean you were hacked could be an inside job by someone at either organization or could be a hack on the other company's email. If your email provider has any sort of activity log like gmail does you might want to review those, or if you run your own there should be access logs on the server.
Very common and growing type of fraud sad to say
You need to speak to the bank regulators an consider talking the press

In the UK the Daily Telegraph finance team they have been covering this in their weekend issues and have had some success in getting things changed here.

I'm surprised I'm the first person to point this out, but you have not lost any money, your client has.

You sent the goods to the client, and they have yet to remit the payment to you. So they still owe you the money and you should insist they pay it.

Granted, they're not going to like that, but the reality is they sent payment due to you to some other person. That's something they did not something you did.

They may be in a position to take steps to recover the payment they sent to someone else, given the banks involved and so on, and they should try to do it. But that's not something you're really in a position to be involved in, you didn't have anything to do with it and aren't a party to the fraudulent transaction.

In the meantime they should return the goods or send you the payment they owe.

> my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.

Emails sent from your domain usually constitute valid contracts. If you're letting other people send emails from your domain because you don't have SPF configured then there's a good chance a court would either rule that you've allowed them to enter into a legally binding contract on your behalf, or else that you were negligent and owe the $10,000 back in damages.

That's why you need to take away the email addresses of people who no longer work for your company, so that they can't enter into contracts on your behalf.

That said no one should ever wire money based on anything they receive via email. So if the sender email had SPF but the recipient just didn't see it flagged because it was in SOFTFAIL mode or whatever, then it's probably the client's fault at that point.

I'm not a lawyer, but is that really true?

I could see the instance of an ex-employee that still can login can enter into contracts on your company's behalf, but a hacker doing so gets the same protections (for lack of a better word)?

That seems very wrong to me. I'm sure it makes things harder to determine the actual issue, but I just don't believe that a judge would look at this and conclude that fraud is ok as long as it comes from your email address...

(ignoring issues like gross negligence where a company is doing significantly less to secure their systems than should be expected)

That’s highly doubtful.

I think it would maybe be arguable if someone actually hacked the OP’s account and the emails really did come from their outbox, but spoofed email is a different thing entirely.

It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead. Or maybe someone showing up at the door and collecting payment wearing a stolen or counterfeit uniform.

If you think of it in legal terms, in a lawsuit say, the client would have to acknowledge the existence of a contract and an obligation to pay the supplier, and then somehow make an argument that a spoofed email from a third party that the supplier had no awareness of, that never entered the posession or control of the supplier at all, somehow invalidates that contract, or proves that the client has satisfied their obligation.

That’s quite a stretch.

Arguing negligence on the part of the supplier still wouldn’t do anything to satisfy the payment obligation, at best it would seem to be a counter-claim, saying they they suffered a loss because of the suppliers negligence, but then that’s a separate tort and the burden of proof would be on them.

> It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead.

Well that's the question I guess, if you don't have SPF enabled is it like what you said, or is it more like allowing random people to come into your office at night and send out whatever they want on your actual company letterhead?

I don't know if there is legal precedent there or what a judge would rule, but it doesn't strike me as being completely obvious that this is a simple cut-and-dried case where the client still owes the full amount of the original payment.

> Emails sent from your domain usually constitute valid contracts

Gonna need a source on that one, chief.

> Gonna need a source on that one, chief.

The example I always use is when a college coach tells an athlete they've been accepted to a college before the admissions committee formerly approves them, and they actually get rejected. This happens dozens of times per year, and the reason you never see any lawsuits about it is that the colleges just let them in to avoid the bad publicity.

Hardly seems like the same thing -- the coach is a representative of the organization and communicated something (by whatever means) that they shouldn't have. The organization honored that commitment.

If the athlete turned up waving a _spoofed_ email and they let them in then that would be a more appropriate example.

Amusingly in a thread on email scams and such you didn't read quite closely enough (plus OP didn't do a great job of differentiating either, maybe on purpose) :). Even ignoring the "sent from your domain = contract" assertion:

>Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account. > >Now an email like "abicde@mydomain.com" doesn't exist at all.

Notice the "i", different from abcde@mydomain.com. He's saying it wasn't sent from the normal email account. The question I'd have is that OP uses "hacked" but there aren't actually any technical details here at all. Was one or the other mail servers genuinely compromised, or someone phished? Or were these emails simply spoofed? Or what? It sounds like it could have just been a forged From which is utterly trivial, every mildly serious spammer let alone spearphisher has done that forever. If the client "asked for a confirmation email" but the "email never reached" because it was a spoofed From and got blackhole'd but the client then took no response as confirmation that would probably be on the client.

Of course whatever the legal case there are other practical considerations, if this is a very valuable client then a certain amount of bending may be in order. It sounds like a pretty hokey order mechanism all around vs even just a simple HTTPS LE plain text web form and static invoice. And there is still the question of how exactly the phishing (if that's what it was) information was gathered for the spoofed invoice in the first place, insider job? Some other leak or hack?

But at least asking the client to try to get the money back seems fair enough. Money in that amount to a developed world bank should absolute be traceable. Alerting the banks and law enforcement should have been the absolutely immediate first move the instant anything amiss was realized. If it was the client's fault and the money really is gone somehow (or even will just take along while to recover) then at least splitting the different shouldn't be unreasonable.

> Notice the "i", different from abcde@mydomain.com

The username on the domain doesn't matter, only the domain itself.

SPFs are not a legal enforcement and a court cannot penalize an entity for not having an SPF.

It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."

> It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."

Of course a court can say that. The phrase used to describe email is literally like a postcard. If you sent out HIPAA or FERPA protected information on a postcard, would you really expect not to pay a huge fine or go to prison?

If this single transaction is key to the survival of his business this may be one of few, if not the only client they have. In that case it may make longer term sense to "negotiate" a settlement. That could either be a payment plan or percentage of the 10k obligation.
I strongly disagree with you. The person who sent that money will want to get their money back and you are in the middle. At the very least I would want to stop doing business with someone who communicates bank information in such a careless manner. It's possible these are such tiny companies that they do things like that. In any case, I'd blame the other person whom I thought I was sending money to.
If I'm reading your story correctly, it matches up with a tactic my clients have been seeing more lately. The scammer has already accessed your account because you fell for a phishing scam, typed your email credentials into a fake login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your clients'. Hard to say exactly from your story. But either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.

> The scammer has already accessed your account because you fell for a phishing scam

> It's not your fault that they paid the wrong person.

How is this not the OP's fault? It's absolutely their fault - the fault that lead to their email being compromised

I stated in the next paragraph that the situation could just as easily be reversed. We do not have any way to know in this situation whose mailbox was accessed, the OP, or their client.
Did you edit it in? Either that paragraph was not there when I replied or I'm losing my ability to read
Seems more likely it was the client. If the OP was hacked, the thief could have sent a completely legit email with correct headers and etc.
If OP's mail was hacked, the attacker wouldn't have needed to use a confusingly-similar email address ("abicde@mydomain.com" instead of "abcde@mydomain.com"). They could have used OP's actual address.
Good theory but not necessarily true. The attacker might still wish to use a spoofed domain to ensure that they get delivery of all replies.

In cases where Gmail and Office 365 accounts get hacked like this, the attacker will enable email forwarding to an address they can monitor for replies, and delete replies from the clients so that the compromised person does not see them. I am not sure if you can do this easily with a godaddy mailbox.

Your client got defrauded, arguably through no fault of your own. They never paid you, so they still owe you. Good luck with this approach, though. IANAL

Edit: I see CPLX has said it much better than I in the meantime. Note that it’s not at all clear that the hack happened on your end, rather than your client’s (or perhaps at some intermediate ISP).

Your email did not get hacked most likely. Your client got tricked. They spoofed an email with your domain, but the reply-to email was their own (the attacker). So the client thinks they responded to you, but they responded to the fake address. Also, generally when they do this, they spoof the body and the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply-email as an attachment.

Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money, specifically, when accounts change they get on the phone with someone using their Vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.

Or an employee of his used this information to email the client and steal the money
I wonder if a client has ever set up a scam like this.

They send a fake-looking email to themselves (using existing invoices as a template), then feign ignorance and refuse to pay for goods/services because "we sent the money, not our fault you didn't get it".

Even better that they'd send a few emails saying "we're working on paying you, don't bug us about it" -- payments are harder to collect as time passes for a number of reasons (in my experience).

As others have pointed out, it's the client's fault if they have been duped. Although for sure, they'll try to put the onus on the seller, and will claim the seller has been hacked etc..
Just so you know, the Reply All podcasts takes on (and helps solve) cases just like these.
My two cent: any business should have ALSO a phone number, perhaps not immediately reachable, but still a phone number. Perhaps also a fax number, old but still useful in emergency.
A couple of humble suggestions:

1. Get/Hire someone to do a proper analysis of the "breach". This may require your client's cooperation.

2. Regardless of whose fault that was, try to improve the process to protect yourself and your clients in the future (e.g. email signing, confirmation via a different channel, different way of collecting payments etc.)

Make sure you have set up SPF, DKIM and DMARC. Also use email certificate.