How to Tell if Your Business Email is Compromised (And What to Do Next)
Is your business email compromised? If you are reading this, your heart might be racing. You just noticed a strange reply in your Sent folder, a client called about updated wire instructions you never sent, or your inbox is acting incredibly unusual.

Take a deep breath. Catching the issue early is the most critical step.
Business Email Compromise (BEC) is a silent attack. Unlike ransomware, hackers do not lock you out of your system immediately. Instead, they sneak into your account, hide in the background, and quietly watch your communications until the perfect moment to strike, usually when a large invoice is due.
In this guide, we will show you exactly where hackers hide in your inbox, how to identify the signs of a compromised business email, and the exact steps you need to take right now to kick them out.
6 Silent Signs Your Business Email is Compromised
Hackers want to remain undetected for as long as possible. To figure out if your Office 365 or Google Workspace email is hacked, check for these six silent symptoms.
1. The “Hidden” Inbox Rules
The very first thing hackers do after gaining access is set up forwarding or deletion rules to hide their tracks. They want to intercept specific conversations without you ever seeing the notifications. Check your email settings for rules that auto-forward messages containing words like “invoice,” “wire,” “bank,” or “payment” to an external, unrecognized email address. Also, look for rules that instantly move incoming messages to your RSS Feeds, Archive, or Deleted Items folders.
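The check described above can be scripted once the mailbox rules are exported. The following is an added example, not code from the original article; the record fields (`name`, `contains_words`, `forward_to`, `redirect_to`, `move_to_folder`, `delete`) are a hypothetical simplified export format, and `example.com` stands in for your own mail domain.

```python
# Assumption: the company's own mail domains; every other domain is external.
INTERNAL_DOMAINS = {"example.com"}
# Keywords and folders taken from the article's description of rogue rules.
KEYWORDS = ("invoice", "wire", "bank", "payment")
HIDING_FOLDERS = {"rss feeds", "archive", "deleted items"}

def external_addresses(rule):
    """Return forward/redirect targets whose domain is not internal."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [a for a in targets
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def audit_rule(rule):
    """Return the reasons a single inbox rule deserves a manual look."""
    reasons = []
    ext = external_addresses(rule)
    if ext:
        reasons.append("forwards to external: " + ", ".join(ext))
    words = [w.lower() for w in rule.get("contains_words", [])]
    hits = [k for k in KEYWORDS if any(k in w for w in words)]
    if hits:
        reasons.append("matches financial keywords: " + ", ".join(hits))
    folder = rule.get("move_to_folder") or ""
    if folder.lower() in HIDING_FOLDERS:
        reasons.append("moves mail to " + folder)
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    return reasons

def audit_mailbox(rules):
    """Map rule name -> reasons, only for rules with at least one finding."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"name": "Sync", "contains_words": ["Invoice", "wire transfer"],
     "forward_to": ["collector@mail.example.net"], "move_to_folder": "RSS Feeds"},
    {"name": "Newsletters", "contains_words": ["newsletter"],
     "move_to_folder": "Reading"},
    {"name": "To assistant", "forward_to": ["pa@example.com"]},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(name, "->", "; ".join(reasons))
```

A rule that trips more than one check, like the constructed "Sync" rule, is the pattern the article describes; a single finding on its own can still be a legitimate user rule.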
2. The “Impossible Travel” Login Alerts
If you have administrative access to your Google Workspace or Microsoft 365 environment, check the user login activity logs. You are looking for “impossible travel” alerts. For example, if there is a successful login from your IP address in Chicago at 9:00 AM and another successful login from a server in Tokyo at 9:15 AM, your account has been breached.
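The Chicago and Tokyo case above can be checked mechanically by computing the speed implied by two consecutive successful logins. This is an added example, not code from the original article; the event fields (`user`, `time`, `geo`, `success`), the 900 km/h threshold and the 50 km jitter allowance are assumptions, and timestamps are expected in a single timezone.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # Assumption: roughly airliner cruise speed.
MIN_KM = 50.0     # Assumption: ignore small jumps caused by geo-IP inaccuracy.

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return findings for consecutive successful logins per user
    whose implied travel speed exceeds max_kmh."""
    last_ok = {}
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["success"]:
            continue                      # failed attempts prove nothing
        prev = last_ok.get(e["user"])
        last_ok[e["user"]] = e
        if prev is None:
            continue
        km = haversine_km(prev["geo"], e["geo"])
        if km < MIN_KM:
            continue
        hours = (e["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            findings.append({"user": e["user"], "from": prev["time"],
                             "to": e["time"], "km": km, "kmh": kmh})
    return findings

CHICAGO, TOKYO, MILWAUKEE = (41.88, -87.63), (35.68, 139.69), (43.04, -87.91)
# Constructed sample sign-in events (not real data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": datetime(2024, 1, 15, 9, 0),
     "geo": CHICAGO, "success": True},
    {"user": "alice@example.com", "time": datetime(2024, 1, 15, 9, 15),
     "geo": TOKYO, "success": True},
    {"user": "bob@example.com", "time": datetime(2024, 1, 15, 9, 0),
     "geo": CHICAGO, "success": True},
    {"user": "bob@example.com", "time": datetime(2024, 1, 15, 10, 0),
     "geo": TOKYO, "success": False},
    {"user": "bob@example.com", "time": datetime(2024, 1, 15, 13, 0),
     "geo": MILWAUKEE, "success": True},
]
```

Geo-IP lookups are approximate and VPN or mobile-carrier exits can move a user's apparent location, so treat each finding as a prompt to confirm with the account owner.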
3. Ghost Emails in the Sent Folder
Hackers will often reply to ongoing vendor or client conversations directly from your account. Check your Sent folder for emails you never typed. Usually, these ghost emails will be brief, requesting a change in bank routing numbers, delaying a meeting, or attaching an “updated” PDF invoice that actually contains malware.
4. Spontaneous Password Lockouts
If an employee is suddenly locked out of their account multiple times a week despite entering the correct password, it is rarely just an IT glitch. This is often the result of a brute-force attack, where automated hacking software repeatedly guesses passwords until it triggers your system’s safety lockout mechanism.
5. Vendor or Client Confusion
This is the most common real-world trigger that alerts businesses to an attack. A vendor calls asking, “Did you mean to send this to a new bank?” or a client reaches out wondering why you are suddenly demanding immediate, aggressive payment. If your external partners are confused by your recent emails, investigate immediately.
6. MFA Prompt Fatigue
Are you receiving Multi-Factor Authentication (MFA) text messages or app push notifications in the middle of the night when you are not actively trying to log in? Hackers have your password and are trying to trigger an accidental approval. This is known as MFA fatigue, and it means your credentials are in the hands of a threat actor.
Normal vs. Compromised Behavior
It can be hard to tell the difference between a standard technical glitch and a malicious attack. Use this quick reference chart to evaluate your situation.
| What You Experience | Likely IT Glitch | Probable Compromise |
| --- | --- | --- |
| Missing emails | Spam filter is too aggressive | Inbox rules are hiding specific threads |
| Login issues | Password expired or typing error | “Impossible travel” flagged by the system |
| Slow performance | Local network or browser issue | Not applicable (Hackers do not slow down the inbox) |
| Weird replies | Accidental “Reply-all” | Vendor confirming new bank details |

What to Do IMMEDIATELY (Damage Control)

If you have confirmed any of the signs above, you must act right now. Execute these steps in this exact order to prevent the hacker from doing more damage while you try to fix the breach.
Step 1: Sever the Connection
Do not just change the password yet. Go to your admin console (Microsoft 365 or Google Workspace) and initiate a “Revoke all active sessions” command. This forcefully kicks the hacker out of their current live session across all devices.
Step 2: Lock the Doors
Now that the hacker is disconnected, change the compromised password to a long, complex passphrase. If Multi-Factor Authentication (MFA) was not already enabled on the account, turn it on immediately.
Step 3: Stop the Bleeding
Manually check the mailbox settings for rogue forwarding rules and delete them. If you skip this crucial step, the hacker will still receive copies of your incoming emails even though they can no longer log in.
Step 4: Audit the Damage
Review the Sent folder and the Deleted Items folder. Did the attacker send out fake invoices? Did they download a list of employee W-2s or sensitive client data? Document exactly what was exposed.
Step 5: Notify the Network
Call the vendors, clients, or employees who may have received fraudulent wire instructions while the account was hijacked. Do not email them; use the phone to guarantee they receive the warning before they authorize a payment.
How to Stop This From Happening Again
Once the immediate fire is put out, you need to harden your environment so attackers cannot return.
- Enforce strict MFA: Require Multi-Factor Authentication for every single account, with absolutely no exceptions for executives or contractors.
- Disable auto-forwarding: Turn off the ability for users to auto-forward company emails to external domains at the administrative level.
- Deploy Security Awareness Training: Teach your staff to verify any sudden changes to banking information or invoices via a verified phone call, never just by replying to an email.
- Invest in routine audits: Have your Microsoft 365 or Google Workspace environments regularly reviewed for misconfigurations.
Need Expert Help Right Now?
A compromised business email is not an embarrassment; it is a harsh reality of doing business in the modern digital landscape. What matters is how fast you react and neutralize the threat.
If you are not sure if the hacker is truly gone, or if you need professional help determining exactly what data was exposed during the breach, Cyberspac3 is here. We provide rapid incident response, BEC containment, and comprehensive security audits to lock down your business for good.
