[Alex3917]

> my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.

Emails sent from your domain usually constitute valid contracts. If you're letting other people send emails from your domain because you don't have SPF configured then there's a good chance a court would either rule that you've allowed them to enter into a legally binding contract on your behalf, or else that you were negligent and owe the $10,000 back in damages.

That's why you need to take away the email addresses of people who no longer work for your company, so that they can't enter into contracts on your behalf.

That said no one should ever wire money based on anything they receive via email. So if the sender email had SPF but the recipient just didn't see it flagged because it was in SOFTFAIL mode or whatever, then it's probably the client's fault at that point.

[CPLX]

That’s highly doubtful.

I think it would maybe be arguable if someone actually hacked the OP’s account and the emails really did come from their outbox, but spoofed email is a different thing entirely.

It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead. Or maybe someone showing up at the door and collecting payment wearing a stolen or counterfeit uniform.

If you think of it in legal terms, in a lawsuit say, the client would have to acknowledge the existence of a contract and an obligation to pay the supplier, and then somehow make an argument that a spoofed email from a third party that the supplier had no awareness of, that never entered the posession or control of the supplier at all, somehow invalidates that contract, or proves that the client has satisfied their obligation.

That’s quite a stretch.

Arguing negligence on the part of the supplier still wouldn’t do anything to satisfy the payment obligation, at best it would seem to be a counter-claim, saying they they suffered a loss because of the suppliers negligence, but then that’s a separate tort and the burden of proof would be on them.

[Alex3917]

> It seems more equivalent as a legal precedent to someone sending a forged letter from a nonexistent employee on similar looking letterhead.

Well that's the question I guess, if you don't have SPF enabled is it like what you said, or is it more like allowing random people to come into your office at night and send out whatever they want on your actual company letterhead?

I don't know if there is legal precedent there or what a judge would rule, but it doesn't strike me as being completely obvious that this is a simple cut-and-dried case where the client still owes the full amount of the original payment.

[CPLX]

It’s not like having someone come into your office at night if it’s a spoofed email. It’s just someone figuring out what your letterhead looks like.

Either way though the client owes the original payment. That’s not in dispute. Legal issues don’t work in some holistic “who do you think should have the money” way, there are specific causes of action.

The first thing a court would ask is does the client owe the money, and is the obligation satisfied. The first answer is yes the second one is no, the client never sent the supplier the money. Nobody claims they did. Period.

Then the client would have a cause of action for negligence, due to someone else spoofing their email. Who wins that one? I don’t know but you’d have to look for some precedent and claim that the supplier was actually the proximate cause for some third party defrauding you. Maybe but it’s a pretty tenuous argument and you’d have to demonstrate clear causality.

[Klathmon]

I'm not a lawyer, but is that really true?

I could see the instance of an ex-employee that still can login can enter into contracts on your company's behalf, but a hacker doing so gets the same protections (for lack of a better word)?

That seems very wrong to me. I'm sure it makes things harder to determine the actual issue, but I just don't believe that a judge would look at this and conclude that fraud is ok as long as it comes from your email address...

(ignoring issues like gross negligence where a company is doing significantly less to secure their systems than should be expected)

[philipodonnell]

> Emails sent from your domain usually constitute valid contracts

Gonna need a source on that one, chief.

[Alex3917]

> Gonna need a source on that one, chief.

The example I always use is when a college coach tells an athlete they've been accepted to a college before the admissions committee formerly approves them, and they actually get rejected. This happens dozens of times per year, and the reason you never see any lawsuits about it is that the colleges just let them in to avoid the bad publicity.

[aquark]

Hardly seems like the same thing -- the coach is a representative of the organization and communicated something (by whatever means) that they shouldn't have. The organization honored that commitment.

If the athlete turned up waving a _spoofed_ email and they let them in then that would be a more appropriate example.

[Alex3917]

> If the athlete turned up waving a _spoofed_ email and they let them in then that would be a more appropriate example.

Fair, I was just making the point about the validity of email agreements in general.

But let's say Harvard let others send email that appeared to come from their domain (by not having SPF enabled) and some kid withdrew all their other college applications because one of their friends was playing a prank on them or whatever, almost certainly the college would either let them in or else settle and pay damages. No way in hell they would want that going to trial even if they thought they could win.

[level3]

I think you’re greatly mistaken in your assumptions. Harvard would suffer much greater damage to their reputation if they honored a fake acceptance email. To my knowledge, no university has ever honored a fake (physical) acceptance letter either, and those have existed (as pranks or otherwise) for a while.

It’s highly unlikely that such a case would even get to trial without being dismissed. For example, see this Quora thread [1] about the case of the university itself sending out the actual acceptance letter. Columbia University also had an incident where a system error accidentally sent out acceptance emails, which they quickly retracted, and no lawsuit or settlement came out of that.

I think it would be incredibly difficult to prove damages in such a case, especially since a fake acceptance letter doesn’t prevent you from going to another college. Your example of the student withdrawing their other applications is also unlikely to be blamed on Harvard, particularly before the student has officially accepted (at which point Harvard would notice they didn’t accept the student).

[1] https://www.quora.com/Can-a-university-be-sued-if-it-first-s...

[odonnellryan]

The point here really is the company who sent the money out is the only company that can try to get that money back. If they have no reason to (OP doesn't follow up) then what's the point? They have no motivation to follow through with their bank or government..

[odonnellryan]

If I send you a letter from your house address, are you going to send me a check to whatever address I want if I say I'm your Mum?

Email domain spoofing is super easy.

[nashashmi]

SPFs are not a legal enforcement and a court cannot penalize an entity for not having an SPF.

It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."

[Alex3917]

> It is sort of like saying "because you are not sending encrypted emails, you are purposefully and negligently jeopardizing your privacy and information security."

Of course a court can say that. The phrase used to describe email is literally like a postcard. If you sent out HIPAA or FERPA protected information on a postcard, would you really expect not to pay a huge fine or go to prison?

[xoa]

Amusingly in a thread on email scams and such you didn't read quite closely enough (plus OP didn't do a great job of differentiating either, maybe on purpose) :). Even ignoring the "sent from your domain = contract" assertion:

>Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account. > >Now an email like "abicde@mydomain.com" doesn't exist at all.

Notice the "i", different from abcde@mydomain.com. He's saying it wasn't sent from the normal email account. The question I'd have is that OP uses "hacked" but there aren't actually any technical details here at all. Was one or the other mail servers genuinely compromised, or someone phished? Or were these emails simply spoofed? Or what? It sounds like it could have just been a forged From which is utterly trivial, every mildly serious spammer let alone spearphisher has done that forever. If the client "asked for a confirmation email" but the "email never reached" because it was a spoofed From and got blackhole'd but the client then took no response as confirmation that would probably be on the client.

Of course whatever the legal case there are other practical considerations, if this is a very valuable client then a certain amount of bending may be in order. It sounds like a pretty hokey order mechanism all around vs even just a simple HTTPS LE plain text web form and static invoice. And there is still the question of how exactly the phishing (if that's what it was) information was gathered for the spoofed invoice in the first place, insider job? Some other leak or hack?

But at least asking the client to try to get the money back seems fair enough. Money in that amount to a developed world bank should absolute be traceable. Alerting the banks and law enforcement should have been the absolutely immediate first move the instant anything amiss was realized. If it was the client's fault and the money really is gone somehow (or even will just take along while to recover) then at least splitting the different shouldn't be unreasonable.

[Alex3917]

> Notice the "i", different from abcde@mydomain.com

The username on the domain doesn't matter, only the domain itself.

[xoa]

>The username on the domain doesn't matter, only the domain itself.

Of course it matters if it means that it wasn't actually sent from the domain in the first place and there were no "hacks" involved. You said "emails sent from your domain..." but you do know the "From" address in standard email is utterly meaningless from a security perspective right? You can just

  sendmail -f any.address@example.com any.target@example2.com < email.txt

and that's it. There are ways to mitigate that these days and someone can always examine the headers of something suspicious but a lot of older desktop clients and mailservers won't.

Your entire (dubious and uncited) assertion rests on an assumption that it was in fact "sent from their domain". If someone forged it instead then it doesn't even get into law at all, OP simply had nothing to do with it period. Their account wouldn't have been hacked, neither they nor their kit would have any involvement.

[dkersten]

Additionally, it could very well be that one of the letters in the domain name looks like but isn’t one of the normal English ascii characters. I’ve seen scans like this before — they are visually indistinguishable (or extremely close to, eg I’ve seen one that had a tiny dot above the character it was mimicking) from the real thing, but are a completely different Unicode character.

But if you don’t check the email headers, emails are easy to spoof, hell, I did it when I was a kid...

[Alex3917]

> but you do know the "From" address in standard email is utterly meaningless from a security perspective right?

That would be the argument as to why the domain owner would have a duty of care when also using the domain to send legitimate business email. Again I'm not saying there is a duty of care here, I'm just saying that it's not obvious to me that there isn't one.

[uh_what]

This is one of the most hilariously wrong things I've ever heard of. So if I send an invoice to billing@facebook.com and reply from (my account) uh_what@facebook.com agreeing to the terms, Facebook legally owes me the amount on the invoice?

[Alex3917]

Clearly not. It's a general principle of law, not an ATM machine.

E.g. employers are on the hook for damages due to sexual harassment among their employees, but that doesn't mean you can sexually harass yourself and then automatically collect free money.