7 Signs Your Business Email Has Been Compromised (And What to Do Next)
Introduction
Email is the lifeblood of modern business communication. But when it’s compromised, the fallout can be swift and severe—ranging from data breaches to financial loss and reputational damage. If you suspect something’s off, this checklist will help you identify the signs of email compromise and guide you on what to do next.
Checklist: 7 Signs Your Business Email Has Been Compromised
1. Unusual Login Activity
Symptom: Logins from unfamiliar locations, devices, or times.
Why It Matters: Cybercriminals often access accounts remotely using stolen credentials.
What to Do:
Check your email platform’s login history.
Enable multi-factor authentication (MFA).
Review access logs via your Microsoft 365 or Google Workspace admin console.
2. Unexpected Password Changes
Symptom: You’re locked out or receive alerts about password resets you didn’t initiate.
Why It Matters: This is a classic sign of account takeover.
What to Do:
Immediately reset your password using a secure device.
Notify your IT provider or security team.
Run a full security scan on your device.
3. Missing or Deleted Emails
Symptom: Important emails vanish or are found in the trash/spam folder.
Why It Matters: Attackers often delete traces of their activity.
What to Do:
Check email rules and forwarding settings.
Restore deleted items if possible.
Audit mailbox permissions.
4. Suspicious Outgoing Emails
Symptom: Clients or colleagues report receiving strange emails from your account.
Why It Matters: Your account may be used to spread malware or phishing links.
What to Do:
Review your sent items and outbox.
Alert recipients not to click any suspicious links.
Consider temporarily disabling the account.
5. Unauthorized Email Forwarding Rules
Symptom: Emails are being auto-forwarded to unknown addresses.
Why It Matters: This allows attackers to monitor communications silently.
What to Do:
Check for hidden rules in your email settings.
Remove any unfamiliar forwarding addresses.
Revoke access tokens and app permissions.
6. Security Alerts from Your Provider
Symptom: You receive alerts about suspicious activity from Microsoft, Google, or your email security provider.
Why It Matters: These alerts are often triggered by real threats.
What to Do:
Don’t ignore them—investigate immediately.
Use tools like # to get deeper insights.
Escalate to your IT support or MSP.
7. Complaints About Spam or Phishing from Your Domain
Symptom: Your domain is flagged for sending spam or phishing emails.
Why It Matters: This can damage your sender reputation and block legitimate emails.
What to Do:
Check your domain’s SPF, DKIM, and DMARC records.
Use tools like MXToolbox to scan for blacklisting.
Consider a full email hygiene audit.
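For the SPF and DMARC check in item 7, the following Python sketch is an added example, not part of the original checklist. It reviews TXT record values you have already looked up and lists the settings that leave a domain open to spoofing. The function names and sample records are constructed for illustration, example.com is a placeholder, and DKIM is left out because checking it requires knowing the selector your mail platform uses.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is +
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower())[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # nested includes also count but are not visible offline
        if name == "all":
            all_qualifier = qualifier
        has_redirect = has_redirect or name == "redirect"
    if all_qualifier == "+":
        findings.append("+all authorises any server to send as the domain")
    elif all_qualifier == "?" or (all_qualifier is None and not has_redirect):
        findings.append("no enforcing 'all': unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records: none is applied"]
    parts = (p.partition("=") for p in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is not quarantined or rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports are collected")
    return findings

# Constructed sample records for the placeholder domain example.com
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ip4:192.0.2.10 +all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; pct=50"]
```

An empty list from either function means none of these weak settings were found in the record; it does not confirm that mail is actually passing authentication.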
What to Do Next
If you’ve ticked off one or more of these signs, your email may be compromised. Don’t panic—take action:
Isolate the account – Change passwords and revoke access.
Scan for malware – On all devices used to access the account.
Audit email settings – Look for rules, forwards, and permissions.
Notify stakeholders – Let clients and staff know if they may be affected.
Review our # – For a full recovery roadmap.
Protect Your Business Going Forward
Use Acronis Email Security to block threats before they reach your inbox.
Train staff on phishing awareness.
Schedule regular security assessments.
Not Sure If You’ve Been Compromised?
Get peace of mind with a phone call to me - 08 8291 5000. We’ll review your email setup, scan for compromise indicators, and recommend next steps.