Signs your business has been hacked
Common signs your business has been hacked include unexpected password or login failures, staff or clients receiving emails you never sent, new admin accounts or forwarding rules you didn't create, sluggish or crashing systems, files suddenly encrypted or renamed, and unexplained bank transactions. Spotting these early — and responding fast — is the difference between a contained incident and a full-blown breach. If several signs appear together, treat it as a live compromise.
Account and email red flags
Email and login systems are usually the first place a compromise shows itself. Watch for:
- Failed logins or lockouts when credentials should work — a sign someone changed them.
- Mailbox rules you didn't set, especially ones that auto-forward or delete messages.
- Contacts reporting spam or odd messages from your address.
- Sign-in alerts from unfamiliar locations or devices.
- MFA prompts you didn't trigger, which often means someone has your password.
These point to credential theft or business email compromise — the most common attack on Canadian SMBs and frequently the prelude to invoice fraud.
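The red flags above can be checked mechanically once mailbox rules and sign-in events are exported from your mail platform. The following is an added example, not part of the original guide, run over constructed records. The field names, the `mfa_denied` result value, the domain, and the thresholds are assumptions rather than any vendor's real export schema.

```python
from collections import defaultdict

COMPANY_DOMAIN = "example.ca"   # assumption: the organisation's own mail domain
USUAL_COUNTRIES = {"CA"}        # assumption: where staff normally sign in from
FAILED_LOGIN_THRESHOLD = 3      # assumption: tune to your lockout policy

# Constructed sample records; field names are hypothetical, not a vendor schema.
MAILBOX_RULES = [
    {"user": "ap@example.ca", "name": "Newsletters", "forward_to": None, "delete": False},
    {"user": "ap@example.ca", "name": ".", "forward_to": "box77@mail.example.net", "delete": True},
    {"user": "ceo@example.ca", "name": "To assistant", "forward_to": "ea@example.ca", "delete": False},
]
SIGNIN_EVENTS = [{"user": "ap@example.ca", "result": "failed", "country": "CA"}] * 3 + [
    {"user": "ap@example.ca", "result": "mfa_denied", "country": "RO"},
    {"user": "ap@example.ca", "result": "success", "country": "RO"},
    {"user": "sales@example.ca", "result": "success", "country": "US"},
]

def collect_signs(rules, events):
    """Return {user: set of red-flag names} for the account and email signs listed above."""
    signs = defaultdict(set)
    failures = defaultdict(int)
    for r in rules:
        target = r["forward_to"]
        if target and not target.lower().endswith("@" + COMPANY_DOMAIN):
            signs[r["user"]].add("external_forwarding_rule")
        if r["delete"]:
            signs[r["user"]].add("auto_delete_rule")
    for e in events:
        if e["result"] == "failed":
            failures[e["user"]] += 1
        if e["result"] == "mfa_denied":   # prompt the user rejected or ignored
            signs[e["user"]].add("unexpected_mfa_prompt")
        if e["country"] not in USUAL_COUNTRIES:
            signs[e["user"]].add("unfamiliar_location")
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            signs[user].add("repeated_failed_logins")
    return dict(signs)

def triage(rules, events):
    """Several signs together: treat as a live compromise. A single sign: review it."""
    return {user: ("live_compromise" if len(found) >= 2 else "review")
            for user, found in collect_signs(rules, events).items()}

if __name__ == "__main__":
    for user, verdict in sorted(triage(MAILBOX_RULES, SIGNIN_EVENTS).items()):
        print(user, verdict)
```

A forwarding rule to an address inside the company domain is not flagged, so the constructed `ceo@example.ca` rule produces no finding.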
System and device warning signs
On the technical side, infected systems often misbehave in tell-tale ways:
- Sudden slowdowns, crashes, or high CPU/network usage from hidden processes.
- New programs, browser extensions, or toolbars nobody installed.
- Security software disabled or unable to update.
- Files encrypted, renamed, or accompanied by a ransom note.
- Pop-ups, redirects, or fake alerts demanding action.
Any one of these can be benign in isolation, but several together — or any sign of disabled security tools — should be treated as a probable intrusion until proven otherwise.
Financial and data red flags
Some of the costliest breaches reveal themselves through money and data rather than machines:
- Unexplained transactions or changed banking details on invoices.
- Suppliers reporting altered payment instructions they received from "you."
- Customer data appearing online or in a third-party breach notice.
- Ransom or extortion demands referencing your files.
- Unusual data transfers or large outbound traffic at odd hours.
Because these often surface days or weeks after the initial breach, financial monitoring and supplier-verification rules act as an important early-warning system alongside technical alerts.
What to do the moment you suspect a breach
Speed and order matter. A clear-headed response limits damage:
- Isolate affected devices from the network, but do not wipe them — preserve evidence.
- Reset passwords and revoke active sessions for affected accounts.
- Engage IT or a security provider to investigate scope and contain the threat.
- Check backups and confirm they are clean and reachable.
- Assess legal duties: under PIPEDA and Quebec's Law 25, breaches of personal data may require reporting to regulators and affected individuals.
Document every action with timestamps. That record is essential for investigation, insurance claims, and demonstrating due diligence to regulators.
FAQ
How quickly should I respond if I think we've been hacked?
Immediately. The faster you isolate affected systems and reset credentials, the less data attackers can steal or encrypt. Many breaches cause the most damage in the hours after access is gained. Don't wait for certainty — contain first, investigate second. A measured but prompt response almost always limits the cost and scope of an incident.
Should I turn off or wipe an infected computer?
Disconnect it from the network, but avoid wiping or rebuilding it right away. A forensic look at the machine can reveal how attackers got in, what they accessed, and whether other systems are affected. Wiping destroys that evidence and may leave the underlying vulnerability open. Isolate, preserve, and let IT or a security provider investigate first.
Do I have to report a breach in Canada?
Often, yes. Under PIPEDA, organizations must report breaches of personal information to the Privacy Commissioner and notify affected individuals when there is a real risk of significant harm. Quebec's Law 25 imposes similar, stricter duties. Failing to report can bring penalties, so assess your obligations and document your decisions as soon as a breach is suspected.