Hi all! I'm a small business owner dealing with what appears to be a business email compromise incident, and I'm trying to understand where the breach may have occurred. A fraudster registered a lookalike domain that closely resembled our real company domain and used it to send a request to change ACH/payment information. Unfortunately, the client believed it was legitimate and a payment was redirected. What worries me is that the attacker didn't just send a generic phishing email. They replied within an existing email thread and included genuine previous messages from the conversation. They even copied one of my employees signature, and put our logo into the bank info file. Their bank is located in NY, everything is happening inside the US. So far I've checked: No suspicious email forwarders in our hosting control panel. No obvious signs of unauthorized cPanel access. The fraudulent email came from the lookalike domain, not our real domain.…