by xoa 2797 days ago
Amusingly in a thread on email scams and such you didn't read quite closely enough (plus OP didn't do a great job of differentiating either, maybe on purpose) :). Even ignoring the "sent from your domain = contract" assertion:

> Now on the next day my client received an email from "abicde@mydomain.com" stating that there is a change in invoice and revised invoice is again sent which had bank account details of a UK bank account.
>
> Now an email like "abicde@mydomain.com" doesn't exist at all.

Notice the "i", different from abcde@mydomain.com. He's saying it wasn't sent from the normal email account. The question I'd have is that OP uses "hacked" but there aren't actually any technical details here at all. Was one or the other mail server genuinely compromised, or someone phished? Or were these emails simply spoofed? Or what? It sounds like it could have just been a forged From which is utterly trivial, every mildly serious spammer let alone spearphisher has done that forever. If the client "asked for a confirmation email" but the "email never reached" because it was a spoofed From and got blackhole'd but the client then took no response as confirmation that would probably be on the client.

Of course whatever the legal case there are other practical considerations, if this is a very valuable client then a certain amount of bending may be in order. It sounds like a pretty hokey order mechanism all around vs even just a simple HTTPS LE plain text web form and static invoice. And there is still the question of how exactly the phishing (if that's what it was) information was gathered for the spoofed invoice in the first place, insider job? Some other leak or hack?

But at least asking the client to try to get the money back seems fair enough. Money in that amount to a developed world bank should absolutely be traceable. Alerting the banks and law enforcement should have been the absolutely immediate first move the instant anything amiss was realized. If it was the client's fault and the money really is gone somehow (or even will just take a long while to recover) then at least splitting the difference shouldn't be unreasonable.


> Notice the "i", different from abcde@mydomain.com

The username on the domain doesn't matter, only the domain itself.

>The username on the domain doesn't matter, only the domain itself.

Of course it matters if it means that it wasn't actually sent from the domain in the first place and there were no "hacks" involved. You said "emails sent from your domain..." but you do know the "From" address in standard email is utterly meaningless from a security perspective right? You can just

  sendmail -f any.address@example.com any.target@example2.com < email.txt
and that's it. There are ways to mitigate that these days and someone can always examine the headers of something suspicious but a lot of older desktop clients and mailservers won't.

Your entire (dubious and uncited) assertion rests on an assumption that it was in fact "sent from their domain". If someone forged it instead then it doesn't even get into law at all, OP simply had nothing to do with it period. Their account wouldn't have been hacked, neither they nor their kit would have any involvement.

Additionally, it could very well be that one of the letters in the domain name looks like but isn't one of the normal English ASCII characters. I've seen scams like this before — they are visually indistinguishable (or extremely close to, eg I've seen one that had a tiny dot above the character it was mimicking) from the real thing, but are a completely different Unicode character.

But if you don’t check the email headers, emails are easy to spoof, hell, I did it when I was a kid...
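As an added example (not code posted by anyone in this thread), here is what the two comments above amount to in practice: a constructed invoice message whose From: header claims mydomain.com while the SMTP envelope sender (the address `sendmail -f` sets, which the receiving server records as Return-Path) points elsewhere, and the checks a recipient can run on it: From vs Return-Path domain, the spf/dkim/dmarc verdicts the receiving server wrote into Authentication-Results, a local part one edit away from a known contact (abicde vs abcde), and non-ASCII lookalike characters in the domain. All addresses, hostnames and IPs in the samples are made up; the Python standard library does the parsing.

```python
"""Header-level triage of a spoofed-From invoice (added example, constructed data)."""
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: From: says mydomain.com, but the envelope sender and the
# relay belong to someone else, and the receiving MTA's authentication checks failed.
SPOOFED_INVOICE = """\
Return-Path: <bounce@attacker-relay.example>
Received: from mx.attacker-relay.example (mx.attacker-relay.example [203.0.113.7])
\tby mail.client.example with ESMTP id 4Zq; Mon, 1 Jan 2018 10:00:00 +0000
Authentication-Results: mail.client.example; spf=fail smtp.mailfrom=attacker-relay.example;
\tdkim=none; dmarc=fail header.from=mydomain.com
From: Accounts <abicde@mydomain.com>
To: client@client.example
Subject: Revised invoice - updated bank details

Please use the new UK account details attached.
"""

# Constructed sample of the genuine article for comparison.
LEGIT_INVOICE = """\
Return-Path: <abcde@mydomain.com>
Authentication-Results: mail.client.example; spf=pass smtp.mailfrom=mydomain.com;
\tdkim=pass header.d=mydomain.com; dmarc=pass header.from=mydomain.com
From: abcde@mydomain.com
To: client@client.example
Subject: Invoice

Original invoice attached.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def addr_parts(value):
    """Return (local, domain) from a header value such as 'Name <user@host>'."""
    _, addr = parseaddr(str(value))
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def envelope_mismatch(msg):
    """Compare the header From: domain with the envelope sender recorded in Return-Path."""
    _, from_dom = addr_parts(msg["From"] or "")
    _, rp_dom = addr_parts(msg["Return-Path"] or "")
    return from_dom, rp_dom, from_dom != rp_dom


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(header)):
            verdicts[mech] = result.lower()
    return verdicts


def edit_distance(a, b):
    """Plain Levenshtein distance; address local parts are short enough for this."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(from_value, known_contacts):
    """Return the known contact a sender imitates (same domain, local part one edit away)."""
    local, domain = addr_parts(from_value)
    if f"{local}@{domain}" in known_contacts:
        return None
    for known in known_contacts:
        klocal, kdomain = addr_parts(known)
        if kdomain == domain and edit_distance(local, klocal) <= 1:
            return known
    return None


def non_ascii_chars(domain):
    """List (char, Unicode name) for each non-ASCII character, e.g. a Cyrillic 'a'."""
    return [(c, unicodedata.name(c, "?")) for c in domain if not c.isascii()]


def idna_form(domain):
    """The wire form of the domain; a lookalike shows up as an xn-- label."""
    return domain.encode("idna").decode("ascii")


def triage(raw, known_contacts):
    """Run every check; return human-readable findings (empty list means nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, rp_dom, mismatch = envelope_mismatch(msg)
    if mismatch:
        findings.append(f"header From domain {from_dom} != envelope sender domain {rp_dom}")
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech}={result}")
    imitated = lookalike_sender(msg["From"], known_contacts)
    if imitated:
        findings.append(f"sender {parseaddr(str(msg['From']))[1]} is one edit from known contact {imitated}")
    odd = non_ascii_chars(from_dom)
    if odd:
        findings.append(f"From domain has non-ASCII {odd}; IDNA form {idna_form(from_dom)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_INVOICE), ("legit", LEGIT_INVOICE)):
        print(name, triage(raw, {"abcde@mydomain.com"}))
```

One caveat the code assumes rather than enforces: Authentication-Results is only trustworthy when your own receiving server added it, so an inbound gateway should strip any copy that arrives with the message before adding its own; otherwise the sender can write spf=pass for themselves.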

> but you do know the "From" address in standard email is utterly meaningless from a security perspective right?

That would be the argument as to why the domain owner would have a duty of care when also using the domain to send legitimate business email. Again I'm not saying there is a duty of care here, I'm just saying that it's not obvious to me that there isn't one.

This is one of the most hilariously wrong things I've ever heard of. So if I send an invoice to billing@facebook.com and reply from (my account) uh_what@facebook.com agreeing to the terms, Facebook legally owes me the amount on the invoice?
Clearly not. It's a general principle of law, not an ATM machine.

E.g. employers are on the hook for damages due to sexual harassment among their employees, but that doesn't mean you can sexually harass yourself and then automatically collect free money.