Business Email Hacked — What to Do Right Now
Business Email Compromise (BEC) is one of the most common — and most expensive — cyber incidents hitting Australian small businesses. An attacker gets into a Microsoft 365 or Google Workspace mailbox, often via a phished password. They sit quietly, watch the invoice traffic, and then send a fake "updated bank details" email to your clients at exactly the right moment. By the time you find out, the money is gone.
How to Tell If Your Email Has Been Hacked
The most common signs:
- A client tells you they received an email from you with new bank details — and you didn't send it
- You receive a sign-in alert from a country you weren't in (especially overnight)
- Your password has been changed and you didn't change it
- Emails are missing from your Sent folder — attackers often delete their tracks
- You discover inbox rules you didn't create — typically rules that forward emails to an external address or auto-move messages to RSS Feeds
- Two-factor authentication codes are arriving when you're not signing in
- Your account is suddenly sending large amounts of email you didn't write
What to Do in the First Hour
Step 1: Change the Password Immediately
Sign in to account.microsoft.com (or your Google Account) and change the password. Use a long, unique password not used anywhere else. This stops new logins with the old password, but does not kick out anyone already signed in — that's the next step.
Step 2: Sign Out All Sessions
In Microsoft 365, go to My Account → Sign out everywhere. This kicks the attacker (and you) out of all current sessions across all devices. When you next sign in with your new password, you'll be the only one with access.
Step 3: Enable Multi-Factor Authentication
If MFA wasn't already on, enable it now. Use the Microsoft Authenticator app (or Google Authenticator) — not SMS, which can be intercepted. Once MFA is on, even if your new password is stolen, attackers can't sign in.
Step 4: Check for Inbox Rules
In Outlook on the web, click the gear icon → View all Outlook settings → Mail → Rules. Look for any rule you didn't create. Common attacker rules:
- Forward all email with words like "invoice" or "payment" to an external address
- Move all email from specific senders (often your accountant or bookkeeper) to RSS Feeds or Deleted Items
- Delete confirmation messages from anti-fraud or banking systems
Delete every rule you don't recognise.
Step 5: Check Mail Forwarding
Separate from rules, check the forwarding setting: Settings → Mail → Forwarding. Attackers sometimes configure auto-forwarding here so they keep getting your mail even after you change the password. Disable any forwarding you didn't set up.
Step 6: Check Registered Devices and Apps
In Microsoft 365 admin (or your Microsoft Account security page), check Devices and App permissions. Remove any unfamiliar devices or third-party apps that have been granted access. Some attackers register OAuth apps to maintain access even after a password change.
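Steps 4 and 5 above are described for the Outlook web UI, which only shows one mailbox at a time. The following is an added example (not code from the original article) that applies the same checks programmatically: it takes a mailbox's rules and forwarding settings, assumed to have already been exported from Exchange Online (the field names mirror the properties that the Get-InboxRule and Get-Mailbox cmdlets return, lowercased), and flags the patterns the article lists: forwarding to an external address, moving mail to RSS Feeds or Deleted Items, deleting messages, filtering on payment keywords, and the throwaway rule names attackers use to stay unnoticed. The internal domain, the addresses and every rule in the sample are constructed.

```python
"""Triage exported mailbox rules and forwarding for BEC persistence (Steps 4 and 5).

Added example, not part of the original article. Assumes the mailbox
settings were exported into the dict shape below; the keys mirror the
Get-InboxRule / Get-Mailbox properties (Name, ForwardTo, RedirectTo,
MoveToFolder, DeleteMessage, ForwardingSmtpAddress). All sample data is constructed.
"""
import re

# Domains the business actually owns (assumption for the example).
INTERNAL_DOMAINS = {"example.com.au"}

# Folders attackers use to hide mail from the user (RSS Feeds and Deleted Items are from the article).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}

# Keywords attackers filter on so they only see payment-related traffic.
PAYMENT_WORDS = ("invoice", "payment", "bank", "remittance", "eft", "bsb")

# Constructed export of one mailbox, roughly what Get-InboxRule / Get-Mailbox would show.
SAMPLE_MAILBOX = {
    "user": "accounts@example.com.au",
    "forwarding_smtp_address": "smtp:collector@mail-example.net",  # constructed attacker address
    "deliver_to_mailbox_and_forward": True,
    "rules": [
        {"name": "Invoices to Xero", "subject_contains": ["invoice"],
         "forward_to": ["xero-inbox@example.com.au"], "move_to_folder": None, "delete_message": False},
        {"name": ".", "subject_contains": ["invoice", "payment", "bank"],
         "forward_to": ["collector@mail-example.net"], "move_to_folder": "RSS Feeds", "delete_message": False},
        {"name": "Bookkeeper", "from": ["bookkeeper@partner-firm.example"],
         "forward_to": [], "move_to_folder": "Deleted Items", "delete_message": False},
        {"name": "Bank alerts", "subject_contains": ["fraud", "confirmation"],
         "forward_to": [], "move_to_folder": None, "delete_message": True},
        {"name": "Newsletters", "subject_contains": ["newsletter"],
         "forward_to": [], "move_to_folder": "Reading", "delete_message": False},
    ],
}


def _domain(address: str) -> str:
    """Lowercase domain of an SMTP address, tolerating the 'smtp:' prefix Exchange uses."""
    return address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address belongs to a domain the business does not own."""
    return _domain(address) not in internal_domains


def triage_rule(rule: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the reasons one inbox rule looks like attacker persistence (empty list if none)."""
    reasons = []
    for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(target, internal_domains):
            reasons.append(f"forwards to external address {target}")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{rule['move_to_folder']}'")
    if rule.get("delete_message"):
        reasons.append("deletes matching messages")
    words = [w.lower() for w in rule.get("subject_contains", [])]
    # Payment keywords alone are normal (e.g. routing invoices internally); they only add
    # weight when the rule already hides or exfiltrates mail.
    if reasons and any(w in PAYMENT_WORDS for w in words):
        reasons.append("filters on payment keywords")
    # Attackers often name rules '.', ',' or a single space so they are easy to overlook.
    if re.fullmatch(r"[\W_]*", rule.get("name", "")):
        reasons.append("has a blank or punctuation-only name")
    return reasons


def triage_mailbox(mailbox: dict, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Triage a whole mailbox: suspicious rules (Step 4) plus mailbox-level forwarding (Step 5)."""
    findings = {"suspicious_rules": {}, "forwarding": []}
    for rule in mailbox.get("rules", []):
        reasons = triage_rule(rule, internal_domains)
        if reasons:
            findings["suspicious_rules"][rule["name"]] = reasons
    fwd = mailbox.get("forwarding_smtp_address")
    if fwd and is_external(fwd, internal_domains):
        mode = "copy kept" if mailbox.get("deliver_to_mailbox_and_forward") else "redirect, user never sees the mail"
        findings["forwarding"].append(f"mailbox forwards to external {fwd} ({mode})")
    return findings


if __name__ == "__main__":
    result = triage_mailbox(SAMPLE_MAILBOX)
    for name, reasons in result["suspicious_rules"].items():
        print(f"Rule {name!r}: " + "; ".join(reasons))
    for line in result["forwarding"]:
        print(line)
```

On the sample mailbox the legitimate "Invoices to Xero" and "Newsletters" rules pass, while the three attacker-style rules and the mailbox-level forward are reported with the reason for each, which is the list you then take back to Step 4 and Step 5 to delete. Run it across every mailbox in the tenant, not only the one that raised the alarm, since the same phished credentials are often tried against colleagues' accounts.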
What to Do in the First Day
Tell Your Clients Before They Get a Fake Email
If there's any chance the attacker has been watching invoice traffic, send a short, calm message to your clients and key contacts: "Our email system experienced a security incident. If you receive a message from us with banking changes, please call us to verify before paying." This prevents most BEC fraud — attackers rely on speed and trust.
Review the Audit Log
In Microsoft 365 Compliance Centre, search the audit log for sign-ins, mailbox access, and rule changes on the affected account over the last 30 days. This tells you what the attacker saw and did. For most small businesses, this needs an admin or IT provider — we're happy to help.
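An audit log search returns hundreds of rows, most of them routine. The following added example (not code from the original article) shows how to reduce an export to the few events that answer "what did the attacker do, and when": sign-ins from outside the countries you operate in, inbox rules created or changed, and mailbox forwarding being set. It assumes the records have been exported in the shape Search-UnifiedAuditLog returns, where each row carries an AuditData column holding the JSON that Microsoft 365 writes; the six records, the IP-to-country table (a stand-in for a real GeoIP lookup or the sign-in log's own location field) and all addresses are constructed.

```python
"""Reduce a Unified Audit Log export to a BEC timeline for one account.

Added example, not from the original article. Assumes records in the shape
Search-UnifiedAuditLog returns (CreationDate, UserIds, Operations, AuditData),
with AuditData holding the JSON blob Microsoft 365 writes. The records and the
GEO table below are constructed; use a real GeoIP source in practice.
"""
import json
from datetime import datetime
from typing import Optional

# Constructed IP-to-country lookup; stands in for GeoIP or the sign-in log's Location field.
GEO = {"203.0.113.10": "AU", "192.0.2.5": "AU", "198.51.100.77": "NG"}
HOME_COUNTRIES = {"AU"}  # countries the business actually operates from (assumption)


def _rec(time: str, user: str, op: str, **extra) -> dict:
    """Build one constructed export record in the shape Search-UnifiedAuditLog returns."""
    data = {"CreationTime": time, "Operation": op, "UserId": user, **extra}
    return {"CreationDate": time, "UserIds": user, "Operations": op, "AuditData": json.dumps(data)}


SAMPLE_RECORDS = [
    _rec("2024-05-02T08:10:00", "accounts@example.com.au", "UserLoggedIn",
         ClientIP="203.0.113.10", ResultStatus="Success"),
    _rec("2024-05-02T23:41:12", "accounts@example.com.au", "UserLoggedIn",
         ClientIP="198.51.100.77", ResultStatus="Success"),
    _rec("2024-05-02T23:44:05", "accounts@example.com.au", "New-InboxRule", ClientIP="198.51.100.77",
         Parameters=[{"Name": "Name", "Value": "."},
                     {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                     {"Name": "ForwardTo", "Value": "collector@mail-example.net"},
                     {"Name": "MoveToFolder", "Value": "RSS Feeds"}]),
    _rec("2024-05-02T23:46:30", "accounts@example.com.au", "Set-Mailbox", ClientIP="198.51.100.77",
         Parameters=[{"Name": "Identity", "Value": "accounts"},
                     {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-example.net"}]),
    _rec("2024-05-03T09:02:00", "accounts@example.com.au", "Set-Mailbox", ClientIP="203.0.113.10",
         Parameters=[{"Name": "Identity", "Value": "accounts"},
                     {"Name": "DisplayName", "Value": "Accounts"}]),  # routine admin change, not flagged
    _rec("2024-05-03T09:05:00", "owner@example.com.au", "UserLoggedIn",
         ClientIP="198.51.100.77", ResultStatus="Success"),  # same foreign IP, a second account
]


def _params(data: dict) -> dict:
    """Flatten the Parameters list that Exchange admin operations carry into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in data.get("Parameters", [])}


def classify(data: dict) -> Optional[str]:
    """Describe the record in one line if it matters to a BEC investigation, else return None."""
    op = data.get("Operation")
    if op == "UserLoggedIn":
        ip = data.get("ClientIP", "")
        country = GEO.get(ip, "??")  # unknown IPs are reported rather than silently trusted
        if country not in HOME_COUNTRIES:
            return f"sign-in from {ip} ({country}), result={data.get('ResultStatus')}"
        return None
    if op in ("New-InboxRule", "Set-InboxRule"):
        p = _params(data)
        target = p.get("ForwardTo") or p.get("RedirectTo") or p.get("MoveToFolder") or "(see rule)"
        return f"{op} '{p.get('Name', '?')}' -> {target} from {data.get('ClientIP', '?')}"
    if op == "Set-Mailbox":
        p = _params(data)
        fwd = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if fwd:
            return f"mailbox forwarding set to {fwd} from {data.get('ClientIP', '?')}"
        return None
    return None


def build_timeline(records: list, user: str) -> list:
    """Parse exported records for one user and return (datetime, description) pairs sorted by time."""
    events = []
    for rec in records:
        data = json.loads(rec["AuditData"])
        if data.get("UserId", "").lower() != user.lower():
            continue
        desc = classify(data)
        if desc:
            events.append((datetime.fromisoformat(data["CreationTime"]), desc))
    return sorted(events)


if __name__ == "__main__":
    for when, what in build_timeline(SAMPLE_RECORDS, "accounts@example.com.au"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {what}")
```

For the constructed account the timeline collapses to three lines: the overnight foreign sign-in, the hidden forwarding rule created three minutes later, and mailbox-level forwarding set shortly after; that is the window in which the attacker read invoice traffic and the point from which you work out which clients need the warning call. Running the same function for every other user shows whether the foreign IP touched other accounts, as it does for the second sample user.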
Check Other Accounts
If the password was reused anywhere else, change it there too. That applies particularly to your accounting software, bank login, and any other business-critical accounts. Use a password manager going forward — it's the only sustainable way to keep every account unique.
Assess Notifiable Data Breach Obligations
If personal information about Australians was likely accessed (client names, contact details, financial information, etc.) and serious harm is likely, the incident may be a Notifiable Data Breach under the Privacy Act. You have 30 days to assess and notify the OAIC and affected individuals. This is one of the reasons to engage a cyber-aware IT provider early — getting this wrong is costly.
How to Prevent the Next One
Once you've contained the incident, fix the underlying causes so it doesn't happen again:
- MFA on every account — not just admins, every user. MFA blocks 99%+ of credential attacks.
- Conditional access — block sign-ins from countries you don't operate in. Most BEC attacks originate offshore.
- Phishing protection — Microsoft 365's anti-phishing policies, anti-impersonation, and Safe Links can be tuned to block more than they do by default.
- Staff awareness training — short, regular training on how phishing looks today (not training from 2018).
- Process for bank detail changes — agree internally and with clients that bank detail changes are confirmed by phone, never by email alone.
- Microsoft 365 audit logging retained — default retention is short; extend it so a future investigation has enough history.
Need Help Right Now?
If you suspect your business email has been compromised, call us. We help Townsville businesses contain the incident, secure the accounts, assess data exfiltration, and prevent the next one. After-hours response available for active breaches.
Frequently Asked Questions
How do I know if my business email has been hacked?
Common signs: clients receiving emails you didn't send (especially with fake invoice or bank details), sign-in alerts from countries you weren't in, password changes you didn't make, missing emails from your sent folder, or inbox rules you didn't create that auto-forward or auto-delete messages. Any one of these warrants immediate action.
Do I need to notify clients if my business email is hacked?
Often yes. Under the Australian Notifiable Data Breaches (NDB) scheme, if personal information was likely accessed and harm is likely, you must notify the OAIC and affected individuals. Even if it's not legally notifiable, telling clients before they receive a fake invoice from "you" is the right call.
Should I just change my password and move on?
No. Changing the password is step one of about ten. Attackers typically create inbox rules to forward your mail elsewhere, register persistent app access, and sometimes add their own MFA method. If you only change the password, they retain access via these other mechanisms. A proper response checks and removes all of them.
Will my cyber insurance cover this?
If you have cyber insurance, contact them first thing — most policies require notification within a short window and may require you to use their approved incident responders. If you don't have cover, this is a strong argument for getting it; BEC claims are common and policies often pay for incident response, legal advice, and even some loss recovery.
What does Business Email Compromise actually cost?
The ACCC's Scamwatch reports BEC losses in the hundreds of millions per year in Australia. Individual incidents commonly cost businesses $50,000 - $500,000+ when fake invoices are paid by clients or suppliers. Beyond direct loss, there's reputational damage, time to remediate, and potential breach notification costs.
Can the attacker still get back in after I change the password?
Yes, if they registered any persistent access mechanisms — a third-party app permission, an additional MFA method, a recovery email, or a connected device. That's why you need to check and clean up every one of these, not just change the password. Our full incident response includes that cleanup.
