What to Do If Your Business Email Is Compromised

By: Irina Shvaya | April 27, 2026

You open your inbox and something feels off. Sent messages you didn’t write. Password reset notifications you didn’t request. A vendor asking why you sent them new wire instructions. Your stomach drops — your business email has been compromised.

Business email compromise (BEC) is one of the most financially devastating cybercrimes targeting small and mid-sized businesses today. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks accounted for $2.9 billion in reported losses in 2023 alone — making it the costliest category of cybercrime by a wide margin. And those are only the cases that get reported.

The good news: if you act fast and follow the right steps, you can contain the damage, recover your accounts, and harden your defenses so it doesn’t happen again. Here’s exactly what to do — and when to do it.

Key Takeaways

  • Change your password and revoke all active sessions immediately — every minute counts.
  • Enable two-factor authentication (2FA) before doing anything else with the account.
  • Check email forwarding rules and filters — attackers often set silent redirects to maintain access.
  • Review recent financial transactions and alert your bank if anything looks suspicious.
  • Notify your contacts so they don’t fall for fraudulent messages sent from your account.
  • Document everything and report financial losses to the FBI’s IC3 at ic3.gov.
  • Bring in professional help to audit your entire web presence and infrastructure for additional vulnerabilities.

Step 1: Change Your Password Immediately

This is your first priority — not in five minutes, not after lunch. Right now.

Choose a strong, unique password that is at least 16 characters long and includes a mix of uppercase letters, lowercase letters, numbers, and symbols. Do not reuse a password from any other account.

If you use the same password (or a similar one) for other business accounts, change those too. Attackers frequently try compromised credentials across multiple platforms — a technique known as credential stuffing.

Pro tip: Use a password manager like 1Password, Bitwarden, or LastPass to generate and store strong passwords. If your team doesn’t use one yet, this incident is your sign to start.

Step 2: Revoke All Active Sessions

Changing your password doesn’t automatically kick out an attacker who’s already logged in. Most email platforms (Google Workspace, Microsoft 365, etc.) allow you to view and terminate active sessions.

Here’s how:

  • Google Workspace: Go to your Google Account → Security → “Your devices” → Sign out of all other sessions.
  • Microsoft 365: Go to My Account → Security info, and use the “Sign out everywhere” option. An admin can also do this from the Microsoft 365 Admin Center.

Until you revoke active sessions, the attacker may still have full access to your inbox — even with your new password in place.

Step 3: Enable Two-Factor Authentication (2FA)

If you didn’t have 2FA enabled before, this is non-negotiable going forward. Two-factor authentication requires a second verification step — usually a code from an authenticator app or a physical security key — making it dramatically harder for attackers to access your account even if they steal your password.

Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) rather than SMS-based 2FA. SIM-swapping attacks can intercept text message codes, while app-based codes are far more secure.

For maximum protection, consider hardware security keys like YubiKey for your most critical accounts.

Step 4: Check Email Forwarding Rules and Filters

This step is critical, and it’s the one most people miss. Sophisticated attackers don’t just read your email — they set up silent forwarding rules that send copies of incoming messages to an external address. This lets them monitor your communications even after you’ve changed your password.

Check for:

  • Forwarding addresses you didn’t add (Settings → Forwarding in Gmail, or Mail Flow rules in Microsoft 365)
  • Inbox rules or filters that automatically move, delete, or redirect messages
  • Delegate access — unauthorized users who’ve been granted access to your mailbox
  • Connected apps or third-party integrations with mail permissions

Delete any rule, forwarding address, or connected app you don’t recognize. If you’re unsure whether something is legitimate, remove it and re-add it later if needed.

Step 5: Review Financial Transactions

BEC attacks are almost always financially motivated. Attackers frequently use compromised email to:

  • Send fake invoices to your clients or vendors
  • Request wire transfers or changes to payment details
  • Access linked financial accounts using password reset emails
  • Intercept legitimate payment communications

Take these financial actions immediately:

  • Review your business bank and credit card statements for unauthorized transactions.
  • Contact your bank’s fraud department if you spot anything suspicious — the sooner you call, the higher the chance of recovering funds.
  • If wire transfers were initiated, ask your bank to contact the receiving institution to freeze the funds. Time is critical — the FBI reports that recovery rates are significantly higher when reported within 24-48 hours.
  • Check payroll systems to ensure no unauthorized changes were made to direct deposit information.

Step 6: Notify Your Contacts

This feels uncomfortable, but it’s essential. If an attacker had access to your email, they may have sent messages to your clients, vendors, or partners — and those messages could contain malware links, fake invoices, or fraudulent payment instructions.

Send a clear, honest notification to:

  • Clients and customers who may have received messages from your account
  • Vendors and suppliers — especially those you exchange payment information with
  • Internal team members who may have received instructions from the compromised account

A simple, transparent message works best: “Our email account was temporarily compromised. If you received any unusual messages or payment requests from us, please disregard them and contact us directly to verify.”

Being upfront protects your relationships and your reputation. People understand — BEC attacks happen to businesses of all sizes.

Step 7: Document Everything

Thorough documentation protects you legally, supports insurance claims, and helps investigators track down the attackers.

Record the following:

  • When you first noticed the compromise (date and time)
  • What unauthorized activity occurred (emails sent, data accessed, financial transactions)
  • Screenshots of suspicious forwarding rules, login activity, and sent messages
  • IP addresses and locations from the login history (most email providers show this)
  • A list of everyone who was notified and when

Save everything in a secure location — not in the compromised email account.

Step 8: Report to the FBI’s IC3

If your business suffered financial loss from a BEC attack, report it to the FBI’s Internet Crime Complaint Center at ic3.gov. This is the primary federal resource for reporting cybercrime.

When filing your IC3 complaint, include:

  • Details of the fraudulent transaction (amount, date, recipient account)
  • Any email headers or IP addresses associated with the attack
  • Communication records related to the fraud

If the financial loss is significant and recent (within 72 hours), also contact your local FBI field office directly. The FBI’s Recovery Asset Team (RAT) has successfully frozen and recovered funds in many BEC cases — but speed is everything.

You should also consider filing a report with your state attorney general’s office and local law enforcement.

BEC Recovery Timeline: What to Expect

Recovery doesn’t happen overnight. Here’s a realistic timeline:

  • Timeframe
  • Action
  • First 30 minutes
  • Change password, revoke sessions, enable 2FA
  • First 2 hours
  • Check forwarding rules, review financial activity, contact your bank
  • First 24 hours
  • Notify contacts, document the incident, report to IC3
  • Days 2-7
  • Full audit of all connected accounts, review access logs, assess data exposure
  • Weeks 2-4
  • Implement long-term security improvements (email authentication, team training, security policies)
  • Ongoing
  • Regular monitoring, periodic security reviews, phishing awareness training

When to Bring in Professional Help

Not every business has an in-house IT team — and even those that do may not have incident response expertise. Consider bringing in professionals if:

  • You’re unsure whether the attacker still has access to your systems
  • Financial losses have occurred and you need forensic evidence
  • Your website or other digital assets may also be compromised
  • You need to implement proper email authentication protocols like DMARC, SPF, and DKIM to prevent spoofing
  • You want a thorough security audit of your entire web presence

At eSEOspace, we see the aftermath of these attacks regularly. Business owners come to us after a breach only to discover their website was also vulnerable — outdated plugins, no SSL enforcement, weak admin passwords. A comprehensive audit covers not just your email but your entire digital footprint.

If your website runs on WordPress or another CMS, our web design & maintenance team can help ensure your site is hardened against the same types of attacks that hit your email.

How to Prevent Future BEC Attacks

Once you’ve recovered, don’t just go back to business as usual. Implement these protections to avoid a repeat:

  • Set up email authentication protocols. DMARC, SPF, and DKIM verify that emails sent from your domain are legitimate and help prevent attackers from spoofing your address. These are essential for any business — learn how they work in our guide to DMARC, SPF, and DKIM.
  • Train your team. Human error is the number one attack vector. Regular phishing protection training helps your team recognize suspicious emails before they click.
  • Use a password manager. Eliminate password reuse across your organization.
  • Enable 2FA on every business account. Email, banking, social media, hosting — all of it.
  • Establish verification procedures. Require phone call confirmation for any wire transfer or payment change request, no matter who it appears to come from.
  • Monitor your accounts. Set up login alerts and review access logs regularly.

For a comprehensive overview of how to protect every aspect of your online presence, check out our Complete Security Guide.

Frequently Asked Questions

How do I know if my business email has been compromised?

Common signs include unexpected password reset emails, messages in your Sent folder you didn’t write, login alerts from unfamiliar locations or devices, complaints from contacts about suspicious emails from your address, and missing emails that may have been deleted by an attacker. If you notice any of these, act immediately — don’t wait to confirm the breach before taking action.

Can I recover money lost in a business email compromise attack?

Recovery is possible but depends heavily on how quickly you act. Contact your bank’s fraud department immediately and ask them to initiate a recall or reversal. File a complaint with the FBI’s IC3 at ic3.gov, especially if the loss exceeds $20,000 — the FBI’s Recovery Asset Team has a strong track record when cases are reported within 48 hours. The longer you wait, the lower the likelihood of recovery.

How long does it take to fully recover from a BEC attack?

Immediate containment (password change, session revocation, 2FA) should take under an hour. A full investigation and remediation typically takes one to four weeks, depending on the scope of the compromise. Long-term security improvements — like implementing email authentication, training your team, and auditing your web presence — are ongoing efforts that should become part of your regular business operations.

Should I notify my customers if my business email was hacked?

Yes, especially if the attacker may have sent messages to your customers or accessed sensitive information. Transparency builds trust. A brief, honest notification explaining what happened, what you’re doing about it, and what they should watch for is always better than staying silent and risking your clients falling victim to follow-up scams.

Need help securing your business after a breach? Our web design & maintenance team can restore and harden your systems — from your website to your email infrastructure. Contact eSEOspace today for a comprehensive security assessment and get your digital presence locked down.

Related: learn more about our SEO services.

Put this into action with eSEOspace

We help businesses grow with maintenance & support that actually performs. Explore the services behind this guide:

Book a free strategy call →

You Might Also like to Read