Email Hacked or Compromised

Someone gained access to a business email account, a phishing attack succeeded, or you suspect business email compromise (BEC). Act fast — email access can lead to financial fraud, data theft, and account takeover.

Call Now: (587) 318-0019

✓Do This Right Now

Change the password immediately

Change the compromised account's password from a DIFFERENT device (not the potentially compromised one). Use a strong, unique password. If you can't change it, the attacker may have already changed it — call us.

Enable multi-factor authentication (MFA)

If MFA isn't already enabled, turn it on now. This prevents the attacker from using the stolen password even if they still have it.

Check sent items and rules

Look at the Sent folder for emails you didn't send (especially to clients, vendors, or banks). Check email rules — attackers often create forwarding rules to silently copy all your email to their account.

Warn your contacts

If the attacker sent emails from your account, notify those recipients immediately. They may receive phishing emails or fake invoices that appear to come from you.

Call us

Our team at (587) 318-0019 can audit the full extent of the compromise, check for forwarding rules, revoke attacker sessions, and secure the account properly.

✗Don't Do This

Don't ignore suspicious login alerts. If Microsoft or Google warned you about an unfamiliar sign-in, take it seriously immediately.

Don't click "unsubscribe" on suspicious emails that arrived during the compromise. They may be phishing attempts designed to look like account notifications.

Don't use the same password on other accounts. If you reused the compromised password elsewhere, change those accounts too — attackers try stolen credentials on other services.

Don't assume it's contained after changing the password. Attackers often install persistent access (forwarding rules, OAuth apps, delegate access) that survives a password change.

How We Help

Full account security audit

We audit the compromised account for forwarding rules, delegate access, OAuth app authorizations, mailbox rules, and suspicious sign-in history. We revoke all active sessions.

Assess scope of compromise

Did the attacker access just email, or also SharePoint, OneDrive, Teams? Did they download contacts or files? Did they send emails to clients? We determine the full blast radius.

Check for financial fraud

Business Email Compromise (BEC) often targets wire transfers and invoice payments. We check if the attacker sent fake invoices, changed banking details, or initiated fraudulent requests to your clients or accounting team.

Secure all accounts

We implement MFA across the organization, reset compromised credentials, configure conditional access policies, and enable audit logging to detect future unauthorized access.

Help with notification obligations

If personal data was accessed, PIPEDA may require breach notification. We help you assess what data was exposed and support your legal team with documentation.

Frequently Asked Questions

How do I know if my email was actually hacked?

Signs of email compromise: emails in your Sent folder you didn't send, password changed without your knowledge, contacts telling you they received strange emails from you, new forwarding rules you didn't create, unfamiliar sign-in locations in your account activity log, or MFA prompts you didn't initiate.

What is Business Email Compromise (BEC)?

BEC is when an attacker gains access to a business email account and uses it for financial fraud — typically by sending fake invoices to your clients, requesting wire transfers from your accounting team, or redirecting payments to their bank accounts. According to the FBI's 2023 Internet Crime Report (ic3.gov), BEC caused over $2.9 billion in reported losses — making it one of the most financially damaging cyberattacks and it often goes undetected for days.

Can the attacker still access my email after I change my password?

Possibly. Attackers install "persistence mechanisms" — email forwarding rules, OAuth app access, and delegate permissions that survive password changes. Simply changing your password is not enough. You need a full security audit to find and remove all unauthorized access. This is why we check rules, apps, and active sessions as part of our response.

Should we notify clients if the attacker sent emails from our account?

Yes, immediately. If the attacker sent fake invoices or phishing emails from your account, your clients are now targets. A quick, honest notification protects them and protects your business relationship. We can help you draft the notification.

How do we prevent email compromise in the future?

The most effective protections: multi-factor authentication on all accounts (Microsoft reports this blocks over 99% of automated account attacks (Microsoft Security Blog, 2019)), conditional access policies that restrict sign-in by location and device, advanced email filtering that catches phishing before it reaches inboxes, and regular security awareness training for all staff.

How much does email compromise investigation cost?

For managed IT clients, incident investigation is included in the service agreement. For non-clients, email compromise investigation and remediation typically costs $1,000-$3,000 depending on the number of affected accounts and scope of the compromise. This is a fraction of the potential financial loss from undetected BEC fraud.

Other IT Emergencies

Ransomware Attack Data Loss Server Down Slow Systems

Prevent this from happening again. Multi-factor authentication, email filtering, and security training prevent most email compromises before they happen.

Learn About Email Security