7 Warning Signs Your Business Has Already Been Breached
When people picture a cyberattack, they imagine something loud and obvious — a dramatic lockout screen, an alarm going off. In reality, most attackers work quietly. They get in, look around, and stay hidden for weeks or even months before they act. That gap is called dwell time, and it is exactly why “how do I know if my business has been hacked?” is such an important question.
Here are seven warning signs that often mean an attacker is already inside.
1. Staff notice account activity they didn’t cause
Password reset emails nobody requested, security alerts for logins they don’t recognize, or being signed out unexpectedly. Individually these are easy to dismiss — together they suggest someone is testing or already using your credentials.
2. Logins from unusual places or at odd hours
A sign-in from another country, or activity at 3am when your team is asleep, is a classic indicator of a compromised account. Most business tools record this information; the problem is that nobody is looking at it.
3. Email rules and forwarding you didn’t set up
After taking over a mailbox, attackers often create hidden rules that auto-forward or delete messages — so they can monitor conversations or hide their own activity. Unexpected forwarding rules are a strong red flag.
4. Contacts receive messages you never sent
If clients or colleagues ask you about a strange email or invoice “from you,” your account or domain may be compromised and being used to attack others.
5. Devices slow down, crash, or run unfamiliar programs
Sluggish machines, unexpected pop-ups, or software you don’t recognize can indicate malware running quietly in the background.
6. Security tools get switched off
Attackers routinely try to disable antivirus, endpoint protection, or backups before they strike. If protective software is mysteriously turned off or out of date, treat it as suspicious.
7. Files are renamed, encrypted, or missing
By the time files are locked or a ransom note appears, the attacker has usually been inside for a while. This is the loudest sign — and the most expensive.
What to do if you recognize these signs
One sign on its own may be harmless. Several together, or even one you genuinely can’t explain, deserves a proper investigation — not a shrug. Don’t wipe or reboot the machines involved (you may destroy evidence), and don’t assume it’s contained just because it looks quiet.
The reason these signs go unnoticed for so long is that nobody is watching for them around the clock. That is precisely what continuous monitoring is for.
If you think something is wrong right now, see our emergency incident response guide, or get in touch and we’ll help you find out for certain. The earlier a breach is caught, the less it costs.