It starts with a phone call from a client asking why you just emailed them a strange invoice. Or you notice emails in your Sent folder you never wrote. Or you get locked out of your own account entirely. However you find out, the moment you realize your business email has been compromised is a stressful one — and the next 30 minutes matter a lot. Here's exactly what to do.
Dealing with this right now? Skip to the step-by-step section below. The first thing to do is change your password immediately — even before you finish reading this article.
How business email gets compromised
Before the fix, a quick word on the cause — because it affects what you need to clean up. Business email accounts are typically compromised one of four ways:
- Phishing: An employee entered their credentials on a fake login page. This is the most common cause by a wide margin.
- Password reuse: The same password used for your email was leaked in a breach of another service (a retailer, a software vendor, an old account somewhere). Attackers buy these credential lists and try them on Microsoft 365 and Google accounts automatically.
- No multi-factor authentication: Even with a strong, unique password, an account without MFA can be accessed by anyone who obtains the password. MFA stops this entirely.
- Malware on a device: A keystroke logger or credential-stealing program captured the password directly from an infected computer.
Knowing which one applies to your situation helps you know what else might be at risk. We'll come back to this at the end.
Step-by-step: what to do right now
Step 1 — Change the password immediately
If you still have access to the account, change the password right now. Use something long and unique — a password manager can generate one. Do not reuse any password you've used before.
If you're locked out, use your email provider's account recovery process. For Microsoft 365, go to account.microsoft.com and use the recovery options. For Google Workspace, contact your domain admin or use the Google Workspace Admin Console. If you don't have admin access, call your IT provider immediately.
Step 2 — Enable or re-verify multi-factor authentication
Once you're back in, turn on MFA if it wasn't on — and even if it was, check that the MFA phone number or authentication app hasn't been changed by the attacker. Attackers sometimes change MFA settings before locking you out so they can keep access after you recover the password.
Step 3 — Check for email forwarding rules
This is the step most people miss. A common attacker move is to set up a hidden forwarding rule that quietly sends copies of all your incoming email to an address they control — so they can keep reading your email even after you change the password. In Microsoft 365, check this under Mail Settings → Forwarding. In Gmail/Workspace, check Settings → Forwarding and POP/IMAP. Delete any rules you didn't create.
While you're there, also check for inbox rules that automatically delete certain emails (like security alerts from Microsoft), mark emails as read, or move them to obscure folders.
Step 4 — Review connected apps and active sessions
In Microsoft 365, go to My Account → Security → Sign-in activity and look for any logins from unfamiliar locations or devices. Sign out all other sessions. In the Admin Console, check OAuth app permissions — attackers sometimes authorize third-party apps to your account that maintain access independently of your password.
Step 5 — Check what was sent from your account
Review your Sent folder and, if you have admin access, the email audit logs. This tells you two critical things: what was sent on your behalf (potential fraud exposure with clients) and whether any sensitive files or data were exfiltrated via email.
Step 6 — Notify clients who may have received fraudulent emails
If the attacker sent emails impersonating you — especially anything involving invoices, payment instructions, or requests for sensitive information — you need to notify those recipients promptly and directly (by phone if possible, not just by email). Be straightforward: your email was compromised, the email they received was not from you, they should not act on any instructions it contained.
Wire fraud is the big risk here. Business email compromise (BEC) is one of the costliest cybercrimes in the US. Attackers often use a compromised email to redirect payment instructions — telling a client "our bank account changed, please wire to this new account." If any such emails went out, contact those clients immediately. If money moved, contact your bank and the FBI's Internet Crime Complaint Center (IC3.gov) the same day.
Step 7 — Change passwords on other accounts that used the same password
If the compromise was due to password reuse, assume any account with the same password is also at risk. Prioritize: banking, accounting software, payroll, your domain registrar, and any other critical business accounts.
Step 8 — Scan the device that was used
If you suspect malware was involved, the compromised computer needs to be scanned with a reputable tool — and in serious cases, reimaged entirely. Continuing to use an infected device means the attacker can re-capture credentials no matter how many times you change passwords.
What to tell your team
If this happened to one employee, it could happen to others. Now is a good time to send a quick message to your team explaining what happened (in general terms), reminding them not to enter credentials on unfamiliar pages, and asking them to verify their own MFA settings. You don't need to be alarmist — a brief, factual message goes a long way.
How to make sure it doesn't happen again
The fix is straightforward and relatively inexpensive:
- MFA on every account, required for everyone. This stops the vast majority of account compromise attacks even if the password is stolen.
- A password manager for your team. When each account has a unique, complex password, credential stuffing attacks fail. LastPass Business, 1Password Teams, and Bitwarden for Business all run $3–$5/user/month.
- Basic phishing awareness training. One short training video and a simulated phishing test per quarter significantly reduces the click rate on real phishing emails.
- Regular review of forwarding rules and connected apps. Takes 10 minutes once a quarter, catches a lot of problems early.
Etoc IT handles all of this as part of our managed plans — MFA enforcement, endpoint protection, security awareness training, and regular account audits. If your business is in the Bardstown or Nelson County area and you'd like us to check your current setup, get in touch. We'll tell you straight what's at risk and what it would take to fix it.
Think your email security might have gaps?
We'll review your Microsoft 365 or Google Workspace setup and tell you exactly what needs attention — no obligation.
Request a Free Security Review