The email, as you write, is at the ISP. Let's say the sender's or receiver's account name and password was no longer secure, by whatever means you want to guess that happened.
I could read the emails that are at the ISP before the receiver, then delete them before they read this email. And I could make a new email.
If these folk are using Outlook or even the ISP web email, it would all seem like a mystery.
This is not an offer of free forensics. This is a story that isn't that uncommon and most of the time is just the old story of some folk that used their PCs on some free wifi spot. That's the most common hack I know of today.
Firstly guys, I've just signed up so thanks for having me. Sorry to start by asking for help.
I work as I.T. support for a small business. I received a call from them today in relation to an attempted email fraud, possibly using "spoofing". Below I outline the scenario and my questions. Please appreciate that the use of my simplified language is only to break things down so that nothing is lost in the communication.
Scenario:
Two separate businesses called A & B are in email communications in relation to a business transaction. B calls A in relation to an email from them informing them that A had changed bank account details to a new account given in the email. Being suspicious B wanted to confirm this information as the email came from them (or so it appears).
Alarmed at this news, A asked B to fax them a copy of the communication so they could look into this further. They made all the relevant authorities aware, such as police, Action Fraud, bank etc., before calling me to check their computers & network. Company A log in to their email using the Microsoft 365 online portal and emails are not downloaded on to their computers; they are kept on the ISP's servers.
I have this company change their email password every few months and I carry out all the relevant precautions regularly, such as virus/malware scanning, wireless network password changes and ensuring all machines are updated as well as possible. All computers in the office are behind a router and AV software and, whilst I appreciate this doesn't mean it's Fort Knox safe, it is reasonable, and I much doubt their systems have been compromised given the novice approach used by the would-be hacker.
Upon receipt of the faxed copy of the email, company A notices that the email does indeed appear to come from them, yet they didn't send it. They also notice on the fax that the email in question was a reply to an earlier email from B dated the 5th August, which company A never received but company B did send. The email dated the 5th contained an attachment which confirmed the completion of a business transaction between A & B, with B making note that all remaining monies had been paid to A's bank account number ********. This email was responded to by the would-be hacker asking company B to make note of company A's new account details.
So in my view there are two possible scenarios.
1. A’s email account security was compromised (company I offer I.T. support to)
2. B’s email account was compromised
So…
1. For either of the two above scenarios to happen someone would need access to the password of either account. Is this correct?
2. Assuming someone had access to B’s email account. How could they intercept an email from B to A before reaching A? How could they then send an email back to B from A’s account? This scenario makes less sense to me unless I am missing something.
3. Assuming the would-be hacker had access to company A's computer. This would explain the email intercept from B and the sending of an email from their account. But how could this be possible given that the email password is regularly changed and even I don't know it, and assuming all staff members are trustworthy? They have all worked in the same company for 10+ years each. Why this one email, wherein the business dealings had concluded, and not another deal from A's computers that hadn't concluded?
4. There are 4 days between the genuine email dated the 5th August from B to A and the fraudulent response. If company A's email was compromised, how could the genuine email from B that A claimed they never received be kept on the server for 4 days without the staff being aware of this? I get that an email could be sent from their account and deleted, but how could one be received and go unnoticed?
I would appreciate any feedback on my enquiry that may shed light on this scenario.
Best Regards
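The question above turns on whether the fraudulent reply was spoofed (a forged From header sent from somewhere else, which needs no password) or actually sent from A's mailbox (which points at an account compromise). A fax cannot settle that, because the distinction lives in the message headers; B would need to export the original message from their mail client. The following added Python example, which is not part of the original post, shows the triage a defender would run over those headers: it compares From, Reply-To and Return-Path, reads the receiving server's Authentication-Results (SPF and DKIM) and the earliest Received hop, and returns a verdict. The two sample messages, domains and addresses are constructed for illustration and are not from the page.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1: a forged "reply" that displays A's address but was injected
# through an unrelated relay, with replies diverted to a webmail account.
SPOOFED_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10]) by mx.company-b.example with ESMTP; Sat, 9 Aug 2014 10:12:01 +0000
Authentication-Results: mx.company-b.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Accounts - Company A" <accounts@company-a.example>
Reply-To: accounts.companya@freemail.example
To: finance@company-b.example
Subject: RE: Completion - remaining balance paid
In-Reply-To: <20140805.1@company-b.example>
Message-ID: <1@mail-relay.example.net>

Please note that our bank account details have changed...
"""

# Constructed sample 2: the same text genuinely sent through A's own provider from
# A's mailbox, i.e. what a compromised account would look like on the wire.
ACCOUNT_SEND_EML = """\
Return-Path: <accounts@company-a.example>
Received: from outbound.mailprovider.example (outbound.mailprovider.example [198.51.100.7]) by mx.company-b.example with ESMTP; Sat, 9 Aug 2014 10:12:01 +0000
Authentication-Results: mx.company-b.example; spf=pass smtp.mailfrom=company-a.example; dkim=pass header.d=company-a.example
From: "Accounts - Company A" <accounts@company-a.example>
To: finance@company-b.example
Subject: RE: Completion - remaining balance paid
In-Reply-To: <20140805.1@company-b.example>
Message-ID: <2@company-a.example>

Please note that our bank account details have changed...
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return (verdict, findings, origin_hop) for one raw RFC 5322 message.

    verdict is "spoofed" when the envelope or authentication results show the
    message did not come from the displayed sender's domain, "suspicious" when
    only the Reply-To is diverted, and "sent-from-account" when everything is
    consistent with a genuine send (which is the account-compromise case).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    from_domain = domain_of(from_addr)

    findings = []
    if reply_to and reply_to != from_addr:
        findings.append(f"Reply-To {reply_to} diverts replies away from From {from_addr}")
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"envelope sender domain {domain_of(return_path)} != From domain {from_domain}")
    if re.search(r"spf=(fail|softfail|none)", auth):
        findings.append("SPF did not pass for the envelope sender")
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    if not dkim or dkim.group(1).lower() != from_domain:
        findings.append("no passing DKIM signature aligned with the From domain")

    # Each hop prepends its own Received header, so the last one is the earliest hop seen.
    hops = [str(h) for h in msg.get_all("Received", [])]
    origin_hop = hops[-1] if hops else ""

    if any(("envelope" in f) or ("SPF" in f) or ("DKIM" in f) for f in findings):
        verdict = "spoofed"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "sent-from-account"
    return verdict, findings, origin_hop


if __name__ == "__main__":
    for label, sample in (("forged reply", SPOOFED_EML), ("real send", ACCOUNT_SEND_EML)):
        verdict, findings, origin = triage(sample)
        print(f"{label}: {verdict}")
        for f in findings:
            print("  -", f)
        print("  earliest hop:", origin[:60])
```

A "spoofed" verdict means nobody needed A's password; a "sent-from-account" verdict is what to expect if A's mailbox itself was used, and then the mailbox's own sign-in and rule history is the next place to look. The script trusts the Authentication-Results header, so it should only be read from the copy held on B's receiving server, not from a forwarded copy where that header could itself be forged.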