-
That fucking sucks, I'm sorry.
It was either exactly as you say or the website was compromised and the destination for the contact form was changed. Depends if you know they are receiving other contact form emails correctly.
This is very common, unfortunately. Because people know what my job is, I've had two friends of friends come to me when it has happened to them. Horrifically theirs was conveyancing fraud. Same scenario, compromised mailbox somewhere and the bad guys watch for conversations regarding a transaction. They then spoof the legitimate vendor from a random e mail provider (possible because the legitimate vendor has not put email auth protection in place*), and ask for an expected payment to be sent to a dodgy account. In both the cases referred to me, these payments were mortgage deposits. Life changing fraud. It is made all too easy for the bad guys as people like solicitors are fucking clueless when it comes to security. My own solicitor basically emulated this one day when they sent an invoice, then immediately sent another email saying "oh, our bank details have changed, can you send to here instead". I called them up to confirm (which I recommend doing anyway) and the they couldn't understand why I was furious at what they had done. It is exactly this kind of behaviour that give the bad guys an in. It's not hard to pretend to be a total idiot believably.
Now, there was some hubbub a while ago about these types of fraud and who is responsible. A lot of people were able to get their money back from the banks as the determination was "what is the reasonable personal expected to believe?". I.E., if the scam was well implemented and clever, it is not the victim's fault (not that it usually is) if they sent the money to the wrong person. But, that was more to do with Banks being spooked, not independent businesses.
*You might have a case to make to the flooring people to say that if the emails you received spoofed their address/domain exactly, that if they had have implemented DMARC, those emails would have been blocked by your provider (assuming Google, Yahoo etc).
You could/should also report it to your bank and the bank of the account you sent the money to, as well as Action Fraud. There is a slim chance they would take pity and reverse the transaction.
If you have the original emails, I can look at them for you. But I wouldn't be able to do anything other than confirm what has happened and when.
Their email was hacked, and I never actually got an email from their real account once - not since December 18th when I first made contact. I was recommended them by a forumenger, found their (legit, it turns out) website, used the contact form to message them... They must have got that first email, deleted it, and started a conversation with me from a false email account they set up. They spent months relaying plans, messages etc back and forth. Quite clever really. All waiting for the day when an invoice was eventually sent, then they slotted a replica one in with their own bank details on.
The flooring guy doesn't seem to get what happened, really.