by ndespres 2796 days ago
If I'm reading your story correctly, it matches up with a tactic my clients have been seeing more lately. The scammer has already accessed your account because you fell for a phishing scam, typed your email credentials into a fake login site for a fake Office 365 or Dropbox page or something.

Now the scammers are watching your email closely waiting for the opportunity to do this. Waiting for you to send an invoice to your client, so they can jump in and send a revised invoice with their own payment details on it.

This can happen with intrusion into your email box, or your clients'. Hard to say exactly from your story. But in either case, someone's mailbox was accessed by the intruder. A similar scam is possible by just using similar domain names, but in such a case you wouldn't know precise details of the invoices. You can just send a random fake invoice and hope the mark pays it or provides payment details in some way.

One thing worth noting in your story is that you aren't out $10,000. Your client is the one who paid the money to the wrong party. They are the ones who need to work with their banks and reverse the payment. It's not your fault that they paid the wrong person.


> The scammer has already accessed your account because you fell for a phishing scam

> It's not your fault that they paid the wrong person.

How is this not the OP's fault? It's absolutely their fault - the fault that led to their email being compromised.

I stated in the next paragraph that the situation could just as easily be reversed. We do not have any way to know in this situation whose mailbox was accessed, the OP, or their client.
Seems more likely it was the client. If the OP was hacked, the thief could have sent a completely legit email with correct headers and etc.
If OP's mail was hacked, the attacker wouldn't have needed to use a confusingly-similar email address ("abicde@mydomain.com" instead of "abcde@mydomain.com"). They could have used OP's actual address.
Good theory but not necessarily true. The attacker might still wish to use a spoofed domain to ensure that they get delivery of all replies.

In cases where Gmail and Office 365 accounts get hacked like this, the attacker will enable email forwarding to an address they can monitor for replies, and delete replies from the clients so that the compromised person does not see them. I am not sure if you can do this easily with a godaddy mailbox.

Did you edit it in? Either that paragraph was not there when I replied or I'm losing my ability to read
You don’t know it was the OP’s email that was compromised. It could have been the client's or something else entirely.
Fair point that. I'd not considered all the possibilities
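
Added example, not part of the thread or written by any commenter: a receiving-side check for the confusingly-similar sender address quoted above ("abicde@mydomain.com" instead of "abcde@mydomain.com"). The function names, the distance threshold and every sample address other than those two are assumptions made for illustration.

```python
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalike(sender, known_contacts, max_distance=2):
    """Return the known address that `sender` imitates, or None.

    An exact (case-insensitive) match is a known contact, not a lookalike.
    max_distance is an assumed threshold; tune it against real mail.
    """
    sender = sender.strip().lower()
    known = {k.strip().lower() for k in known_contacts}
    if sender in known:
        return None
    best = None
    for k in sorted(known):
        d = edit_distance(sender, k)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, k)
    return best[1] if best else None


# Constructed address book: the first entry is the address quoted in the
# thread, the second is a made-up client contact.
KNOWN = ["abcde@mydomain.com", "billing@client.example"]

if __name__ == "__main__":
    # Constructed sender values, as they would appear in a From: header.
    for sender in ["abicde@mydomain.com", "ABCDE@mydomain.com",
                   "billing@cl1ent.example", "newsletter@shop.example"]:
        hit = find_lookalike(sender, KNOWN)
        print(sender, "->", f"lookalike of {hit}" if hit else "no lookalike")
```

This only covers the lookalike-address case; mail sent from the real, compromised mailbox matches a known contact exactly and passes, so a changed payment detail still needs confirming over a separate channel.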