How do I know if my business has been hacked?

10 warning signs your business may be compromised. Learn what to look for and what to do if you suspect a breach.

centrexIT Team 7 min read

Here’s an uncomfortable truth: The average time to detect a breach is 287 days.

That means attackers could be in your systems for almost 10 months before you notice. Many businesses never detect breaches at all - they learn about them from customers, law enforcement, or when ransomware hits.

Let’s talk about the warning signs.

10 Warning Signs Your Business May Be Compromised

1. Unusual Account Activity

What to watch for:

  • Password resets you didn’t request
  • Logins from unusual locations or times
  • New admin accounts you don’t recognize
  • Locked out of your own accounts
  • MFA prompts you didn’t trigger

Why it matters: An attacker's first goal is usually to gain access to accounts, especially admin accounts.

Check: Review your Microsoft 365 or Google Workspace sign-in logs. Look for logins from countries you don’t operate in.
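
One way to do that review, added here as an example rather than taken from the centrexIT post: the Python below reads a sign-in log exported as JSON lines and flags successful sign-ins from countries the business does not operate in, sign-ins outside business hours, and (going slightly beyond the post) a success that follows a burst of failures for the same account. The field names (`user`, `time`, `country`, `ip`, `result`), the operating-country and business-hour settings, and the log lines themselves are constructed assumptions; a real Microsoft Entra or Google Workspace export uses different column names, so map them in `parse_signins` first.

```python
"""Flag unusual sign-ins in an exported sign-in log (added example, constructed data)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Assumptions for this example: where the business operates and its working hours (UTC).
OPERATING_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59

# Constructed sample export: one JSON object per line (order does not matter; we sort).
SAMPLE_LOG = """
{"user": "alice@example.com", "time": "2024-03-04T14:02:11Z", "country": "US", "ip": "203.0.113.10", "result": "success"}
{"user": "alice@example.com", "time": "2024-03-04T14:40:52Z", "country": "NG", "ip": "198.51.100.7", "result": "success"}
{"user": "bob@example.com",   "time": "2024-03-04T03:15:00Z", "country": "US", "ip": "203.0.113.22", "result": "success"}
{"user": "carol@example.com", "time": "2024-03-04T09:00:00Z", "country": "US", "ip": "203.0.113.30", "result": "failure"}
{"user": "carol@example.com", "time": "2024-03-04T09:00:05Z", "country": "US", "ip": "203.0.113.30", "result": "failure"}
{"user": "carol@example.com", "time": "2024-03-04T09:00:09Z", "country": "US", "ip": "203.0.113.30", "result": "failure"}
{"user": "carol@example.com", "time": "2024-03-04T09:00:14Z", "country": "US", "ip": "203.0.113.30", "result": "success"}
"""


def parse_signins(jsonl: str) -> List[Dict]:
    """Parse one JSON object per line; map your export's column names here."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Store a timezone-aware datetime so the time arithmetic below is correct.
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_unusual_signins(events, operating_countries=OPERATING_COUNTRIES,
                         business_hours=BUSINESS_HOURS,
                         failure_threshold=3, window_minutes=10) -> List[Dict]:
    """Return one finding per suspicious successful sign-in."""
    findings = []
    recent_failures: Dict[str, List[datetime]] = {}

    def flag(event, reason):
        findings.append({"user": event["user"], "time": event["time"].isoformat(),
                         "ip": event["ip"], "reason": reason})

    for event in events:
        user = event["user"]
        if event["result"] != "success":
            recent_failures.setdefault(user, []).append(event["time"])
            continue
        if event["country"] not in operating_countries:
            flag(event, f"sign-in from {event['country']}, a country the business does not operate in")
        if event["time"].hour not in business_hours:
            flag(event, f"sign-in at {event['time']:%H:%M} UTC, outside business hours")
        window_start = event["time"] - timedelta(minutes=window_minutes)
        failures = [t for t in recent_failures.get(user, []) if t >= window_start]
        if len(failures) >= failure_threshold:
            flag(event, f"success after {len(failures)} failed attempts within {window_minutes} minutes")
        recent_failures[user] = []   # a success closes the failure window
    return findings


if __name__ == "__main__":
    for finding in find_unusual_signins(parse_signins(SAMPLE_LOG)):
        print(f"{finding['time']}  {finding['user']:<20} {finding['ip']:<15} {finding['reason']}")
```

Run against the sample it reports three sign-ins: Alice's from an unexpected country, Bob's at 03:15, and Carol's success right after three failures. The country and hour checks are cheap to run weekly; the failure-burst check is what catches password guessing that the first two would miss.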

2. Employees Receiving Unusual Emails

What to watch for:

  • Bounce-backs for emails never sent
  • Replies to emails you didn’t send
  • Contacts asking about strange emails from you
  • Phishing emails that know internal details

Why it matters: Compromised email accounts are used to attack customers, partners, and other employees.

Check: Review sent items folders. Check email forwarding rules (attackers often set up rules to hide their activity).
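
A concrete way to run that forwarding-rule check, added here as an example rather than taken from the post: the Python below audits a list of inbox rules and reports the patterns attackers rely on to hide their activity: forwarding or redirecting to an address outside the company, deleting matching mail, moving it into folders nobody reads, marking it read, and filtering on payment-related subjects. The rule fields are loosely modelled on what Exchange Online's `Get-InboxRule` reports (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, `MarkAsRead`, `SubjectContainsWords`); the sample rules, the internal domain and the keyword list are constructed assumptions, and the "hiding folder" list is a heuristic rather than anything the post states.

```python
"""Audit mailbox inbox rules for hiding and forwarding behaviour (added example, constructed data)."""
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}          # assumption: the company's own mail domain(s)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}   # heuristic: folders owners rarely open
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "password"}

# Constructed sample: one dict per rule, field names modelled on Get-InboxRule output.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Move newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["relay@example.net"], "DeleteMessage": True},
    {"Mailbox": "carol@example.com", "Name": "Filter invoices", "Enabled": True,
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True,
     "SubjectContainsWords": ["Invoice", "Payment"]},
    {"Mailbox": "dave@example.com", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ["dave.assistant@example.com"]},
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_inbox_rule(rule: Dict, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return the reasons a single rule looks suspicious (empty list if none)."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [a for a in targets if _domain(a) not in internal_domains]
    if external:
        reasons.append("forwards mail outside the organization to " + ", ".join(external))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{rule['MoveToFolder']}', a folder owners rarely check")
    if rule.get("MarkAsRead") and (rule.get("DeleteMessage") or folder in HIDING_FOLDERS):
        reasons.append("marks messages read so no unread count gives them away")
    keywords = {w.lower() for w in rule.get("SubjectContainsWords", [])} & FINANCE_KEYWORDS
    if keywords:
        reasons.append("filters on payment-related subjects: " + ", ".join(sorted(keywords)))
    if len(rule.get("Name", "").strip()) <= 1:
        reasons.append(f"rule name {rule.get('Name', '')!r} is empty or a single character")
    return reasons


def audit_inbox_rules(rules: List[Dict]) -> List[Dict]:
    """Run audit_inbox_rule over every rule and keep only those with findings."""
    findings = []
    for rule in rules:
        reasons = audit_inbox_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule.get("Name", ""),
                             "enabled": rule.get("Enabled", True), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}  rule {f['rule']!r} ({state})")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the sample, Alice's newsletter rule and Dave's internal copy pass, while Bob's one-character rule that forwards outside and deletes, and Carol's rule that buries invoice mail in RSS Subscriptions and marks it read, are both reported. Inbox rules are only one place forwarding can be set: a complete review also covers mailbox-level forwarding (the `ForwardingSmtpAddress` property on `Get-Mailbox`) and organization-wide transport rules.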

3. Unexpected Software or Browser Extensions

What to watch for:

  • Programs you don’t recognize
  • Browser extensions you didn’t install
  • Software that reappears after deletion
  • Disabled security software

Why it matters: Attackers install tools to maintain access and gather data.

Check: Review installed programs and browser extensions across your organization.

4. Sluggish Computer or Network Performance

What to watch for:

  • Sudden slowdown across multiple computers
  • Network congestion without obvious cause
  • Fans running constantly
  • High CPU usage when idle

Why it matters: Crypto miners, data exfiltration, and lateral movement all consume CPU, memory, and bandwidth on the systems an attacker is using.

Note: Performance issues often have innocent explanations (updates, old hardware), but sudden changes across multiple systems warrant investigation.

5. Strange Network Traffic

What to watch for:

  • High bandwidth usage at odd hours
  • Connections to unusual countries
  • Data leaving your network in large volumes
  • DNS queries to suspicious domains

Why it matters: Data theft and command-and-control communications generate network traffic.

Check: If you have a managed firewall, ask your IT provider for traffic analysis.
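
If you want to do a first pass on that traffic data yourself, here is an added example (not from the post, and not any firewall product's built-in analysis) that covers the four bullets above: it sums outbound bytes per host per hour and flags hours that dwarf the host's own median, lists destination countries outside the ones you expect, and checks DNS queries against a blocklist and a randomness heuristic. The flow tuples, the DNS queries, the expected-country set and the blocklist are all constructed; the entropy threshold is a rule of thumb, not something the post specifies.

```python
"""First-pass review of outbound traffic and DNS (added example, constructed data)."""
import math
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

EXPECTED_COUNTRIES = {"US"}                     # assumption: where the business and its services live
BUSINESS_HOURS = range(7, 20)                   # assumption: 07:00 to 19:59 local time
KNOWN_BAD_DOMAINS = {"malicious.example.net"}   # constructed placeholder for a real blocklist

# Constructed sample flows: (host, "YYYY-MM-DDTHH" bucket, destination country, bytes sent)
SAMPLE_FLOWS = [
    ("ws-07", "2024-03-04T09", "US", 15_000_000), ("ws-07", "2024-03-04T10", "US", 18_000_000),
    ("ws-07", "2024-03-04T11", "US", 20_000_000), ("ws-07", "2024-03-04T12", "US", 22_000_000),
    ("ws-07", "2024-03-04T13", "US", 19_000_000), ("ws-07", "2024-03-04T14", "US", 21_000_000),
    ("ws-07", "2024-03-04T15", "US", 17_000_000), ("ws-07", "2024-03-04T16", "US", 24_000_000),
    ("ws-07", "2024-03-05T02", "RO", 2_600_000_000),   # 2.6 GB out at 02:00 to an unexpected country
    ("ws-12", "2024-03-04T09", "US", 12_000_000), ("ws-12", "2024-03-04T10", "US", 14_000_000),
    ("ws-12", "2024-03-04T11", "US", 16_000_000), ("ws-12", "2024-03-04T12", "US", 20_000_000),
    ("ws-12", "2024-03-04T13", "US", 18_000_000), ("ws-12", "2024-03-04T14", "US", 15_000_000),
    ("ws-12", "2024-03-04T15", "US", 13_000_000), ("ws-12", "2024-03-04T16", "US", 17_000_000),
]
SAMPLE_DNS = [   # constructed: (host, queried name)
    ("ws-07", "updates.example.com"),
    ("ws-07", "kq3x9vmz7ab2.example.net"),
    ("ws-12", "mail-attachments.example.com"),
    ("ws-12", "cdn.malicious.example.net"),
]


def hourly_egress(flows) -> Dict[str, Dict[str, int]]:
    """Sum bytes sent per host and per hour bucket."""
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for host, hour, _country, nbytes in flows:
        per_host[host][hour] += nbytes
    return per_host


def find_egress_spikes(flows, multiplier=10, floor_bytes=100_000_000) -> List[Dict]:
    """Flag hours in which a host sent far more than its own typical hour."""
    findings = []
    for host, buckets in hourly_egress(flows).items():
        baseline = median(buckets.values())   # the host's own normal hour
        for hour, nbytes in sorted(buckets.items()):
            if nbytes >= floor_bytes and nbytes > multiplier * baseline:
                when = ("outside business hours" if int(hour[-2:]) not in BUSINESS_HOURS
                        else "during business hours")
                findings.append({"host": host, "hour": hour, "bytes": nbytes,
                                 "reason": f"{nbytes / 1e9:.2f} GB sent, "
                                           f"{nbytes / baseline:.0f}x this host's median hour, {when}"})
    return findings


def find_unexpected_destinations(flows, expected=EXPECTED_COUNTRIES) -> List[Dict]:
    """Total bytes sent per host to countries outside the expected set."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for host, _hour, country, nbytes in flows:
        if country not in expected:
            totals[(host, country)] += nbytes
    return [{"host": h, "country": c, "bytes": b} for (h, c), b in sorted(totals.items())]


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; machine-generated labels score high."""
    if not label:
        return 0.0
    return -sum(n / len(label) * math.log2(n / len(label))
                for n in (label.count(ch) for ch in set(label)))


def find_suspicious_dns(queries, blocklist=KNOWN_BAD_DOMAINS,
                        min_length=12, entropy_threshold=3.5) -> List[Dict]:
    """Flag blocklisted names and long, random-looking first labels."""
    findings = []
    for host, name in queries:
        name = name.lower().rstrip(".")
        if name in blocklist or any(name.endswith("." + bad) for bad in blocklist):
            findings.append({"host": host, "domain": name, "reason": "matches blocklist"})
            continue
        first_label = name.split(".")[0]
        entropy = label_entropy(first_label)
        if len(first_label) >= min_length and entropy > entropy_threshold:
            findings.append({"host": host, "domain": name,
                             "reason": f"random-looking label (entropy {entropy:.2f} bits/char)"})
    return findings


if __name__ == "__main__":
    for item in (find_egress_spikes(SAMPLE_FLOWS) + find_unexpected_destinations(SAMPLE_FLOWS)
                 + find_suspicious_dns(SAMPLE_DNS)):
        print(item)
```

On the sample, ws-07's 2.6 GB hour at 02:00 stands out at over a hundred times its median hour, the same host is the only one talking to a country outside the expected set, and two DNS names are flagged, one by the blocklist and one by its random-looking label. Comparing each host against its own median rather than a fixed number is what keeps a busy file server from drowning out a workstation that suddenly starts uploading.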

6. Unexpected Invoices or Financial Activity

What to watch for:

  • Invoices for services you didn’t purchase
  • Wire transfers you didn’t authorize
  • New payment destinations added to vendor records
  • Vendor complaints about changed payment info

Why it matters: Business Email Compromise (BEC) attacks specifically target financial processes.

Check: Verify any payment changes verbally with vendors using known phone numbers.

7. Customer or Partner Complaints

What to watch for:

  • Customers receiving spam from your address
  • Partners getting fake invoices “from” you
  • Reports of phishing attempts using your brand
  • Angry contacts about emails you didn’t send

Why it matters: Attackers leverage compromised business accounts to target your contacts.

8. Files That Have Changed or Disappeared

What to watch for:

  • Files encrypted (can’t open, strange extensions)
  • Documents modified without your knowledge
  • Missing files or folders
  • New files appearing (especially in system folders)

Why it matters: Ransomware, data theft, and attackers covering their tracks all involve file changes.

9. Security Alerts You Don’t Understand

What to watch for:

  • Antivirus alerts (even if “resolved”)
  • Firewall block notifications
  • Microsoft 365/Google security warnings
  • Unusual login alerts

Why it matters: Alerts often reveal attack attempts. “Resolved” malware alerts might mean you caught one piece while others remain.

Important: Don’t dismiss alerts just because they stopped appearing. Investigate what triggered them.

10. Ransomware Notes (Obvious But Often Too Late)

What to watch for:

  • Files renamed with strange extensions (.encrypted, .locked)
  • Text files demanding payment
  • Desktop backgrounds changed to ransom demands
  • Programs that won’t open

Why it matters: This is the final stage - the attacker is announcing themselves.
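
Signs 8 and 10 both show up in file-server audit trails before anyone reads a ransom note, so here is an added example (not from the post) of what an automated check over those events can look like: it watches renames that append a new extension to an existing file name (covering the .encrypted and .locked extensions named above and any other extension an attacker picks), raises one alert per host once twenty such renames land inside a minute, and separately flags newly created files whose names look like ransom notes. The event format, the sample events and the note-name pattern are constructed assumptions, and the pattern is a heuristic.

```python
"""Detect ransomware-style file activity in file-server audit events (added example, constructed data)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

RANSOM_EXTENSIONS = {".encrypted", ".locked"}     # the extensions the post names
# Heuristic: created files named like ransom notes. Tune for your environment.
NOTE_PATTERN = re.compile(r"(how[_ -]?to|decrypt|restore|recover|ransom)[^/\\]*\.(txt|html|hta)$", re.I)


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_ransom_rename(old_path: str, new_path: str) -> bool:
    """True when a file gains a known ransom extension or has an extra extension appended."""
    new_ext = os.path.splitext(new_path)[1].lower()
    if new_ext in RANSOM_EXTENSIONS:
        return True
    had_extension = os.path.splitext(old_path)[1] != ""
    return had_extension and new_path.startswith(old_path) and len(new_path) > len(old_path)


def find_ransomware_activity(events: List[Dict], window_seconds=60, rename_threshold=20) -> List[Dict]:
    """Return alerts for rename bursts (one per host) and for ransom-note-like files."""
    findings = []
    recent: Dict[str, deque] = defaultdict(deque)   # host -> times of suspicious renames
    alerted_hosts = set()
    for event in sorted(events, key=lambda e: _parse_time(e["time"])):
        host, when = event["host"], _parse_time(event["time"])
        if event["action"] == "create" and NOTE_PATTERN.search(event["path"]):
            findings.append({"host": host, "time": event["time"],
                             "reason": f"possible ransom note created: {event['path']}"})
        elif event["action"] == "rename" and is_ransom_rename(event["path"], event["new_path"]):
            window = recent[host]
            window.append(when)
            while (when - window[0]).total_seconds() > window_seconds:   # drop renames older than the window
                window.popleft()
            if len(window) >= rename_threshold and host not in alerted_hosts:
                alerted_hosts.add(host)
                findings.append({"host": host, "time": event["time"],
                                 "reason": f"{len(window)} files renamed to a new extension "
                                           f"within {window_seconds}s"})
    return findings


def constructed_events() -> List[Dict]:
    """Sample audit events: one ordinary rename, then 25 spreadsheets locked and a note dropped."""
    events = [{"time": "2024-03-04T10:05:00Z", "host": "ws-12", "action": "rename",
               "path": "//fileserver/reports/q1_draft.docx",
               "new_path": "//fileserver/reports/q1_final.docx"}]
    start = datetime(2024, 3, 4, 2, 17, 0, tzinfo=timezone.utc)
    for i in range(25):
        stamp = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        events.append({"time": stamp, "host": "ws-07", "action": "rename",
                       "path": f"//fileserver/finance/budget_{i:02}.xlsx",
                       "new_path": f"//fileserver/finance/budget_{i:02}.xlsx.locked"})
    events.append({"time": "2024-03-04T02:17:30Z", "host": "ws-07", "action": "create",
                   "path": "//fileserver/finance/HOW_TO_DECRYPT.txt"})
    return events


if __name__ == "__main__":
    for alert in find_ransomware_activity(constructed_events()):
        print(alert["time"], alert["host"], alert["reason"])
```

On the sample, the burst alert fires at the twentieth rename, nineteen seconds into the run, and the note alert follows eleven seconds later; the ordinary rename on ws-12 produces nothing. Alerting once per host, rather than once per file, keeps the alert useful when thousands of files are being touched, and the burst condition is what separates an encryptor from someone legitimately renaming a folder of files.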

What to Do If You Suspect a Breach

Immediate Steps

  1. Don’t panic, but act quickly - Most breaches are containable if caught early

  2. Document what you’re seeing - Screenshots, timestamps, affected systems

  3. Contact your IT provider immediately - This is not DIY territory

  4. Don’t tip off the attacker - If you think email is compromised, don’t communicate about the investigation via email

  5. Preserve evidence - Don’t wipe systems or delete files yet

What Your IT Team Should Do

  1. Isolate affected systems - Prevent spread while maintaining evidence

  2. Assess the scope - What was accessed? What was stolen? How did they get in?

  3. Contain the threat - Reset credentials, block malicious access, patch vulnerabilities

  4. Eradicate the attacker - Remove their tools and access

  5. Recover - Restore from clean backups if necessary

  6. Post-incident review - How did this happen? How do we prevent it?

When to Involve Others

Law enforcement (FBI, local police):

  • Any ransomware attack
  • Financial theft
  • Data theft involving customer information

Legal counsel:

  • Any breach involving personal information
  • Potential regulatory violations
  • Before communicating externally about the breach

Cyber insurance:

  • Notify as soon as you suspect a breach
  • They may provide incident response resources
  • Delayed notification can affect coverage

Customers/affected parties:

  • Required by law in many states if personal data is involved
  • Consult legal counsel on timing and content

How to Get Better at Detection

The best breach is the one you catch early (or prevent entirely).

Improve your detection:

  1. Security monitoring - Someone should be watching alerts 24/7
  2. Log collection - Keep logs from firewalls, email, endpoints
  3. Regular audits - Review admin accounts, forwarding rules, permissions
  4. User training - Teach employees what to report
  5. Penetration testing - Hire professionals to find weaknesses

Quick wins:

  • Enable Microsoft 365/Google Workspace security alerts
  • Review email forwarding rules monthly
  • Check for unknown admin accounts weekly
  • Monitor sensitive data access

The Human Element

Often, the first detection comes from someone noticing something “off.”

Empower employees to report:

  • Strange computer behavior
  • Suspicious emails
  • Requests that don’t make sense
  • Anything that feels wrong

Create a culture where:

  • Reporting isn’t punished
  • “False alarms” are okay
  • Security is everyone’s responsibility
  • Questions are welcome

Getting Help

If you don’t have the expertise in-house:

  • Managed Detection and Response (MDR) services provide professional monitoring
  • Incident response retainers give you experts on call before you need them
  • Your MSP should be your first call if you have managed IT services

Don’t wait until you’re breached to find out if you can respond.


Concerned about your security visibility? Contact us for a security assessment. We’ll tell you what you can see, what you can’t, and how to improve.