
Email Hacked — What to Do if Your Organization's Email Is Compromised

Business Email Compromise (BEC) is the #1 cyber attack vector in 2026. If your organization's email has been hacked — whether you're an NGO, hospital, school, or small business — here's exactly what to do right now.

If the attacker sent payment requests from your email: Contact every recipient immediately by PHONE (not email). Tell them to ignore any payment instructions sent from your address. If money was already transferred, contact the receiving bank within 24 hours — wire transfers can sometimes be reversed.

How to know if your work email was hacked

Your password no longer works — the attacker changed it to lock you out.
Colleagues or contacts report phishing emails from you — messages you never sent asking for money, credentials, or urgent action.
Unfamiliar forwarding rules — attackers set up auto-forwarding to their own address so they silently receive copies of all your email.
Login alerts from unknown locations — emails saying "new sign-in from [country you've never been to]."
Emails are missing — the attacker deleted messages to cover their tracks.
Sent folder has messages you didn't write — payment requests, data requests, or links sent to your contacts.

Phase 1 — Immediate response (first 15 minutes)

Stop the bleeding

1. Reset your password immediately — from a DIFFERENT device (not the one that may be compromised). Use a strong, unique password you've never used before. If you can't log in, use your email provider's account recovery.

2. Enable 2FA right now. Microsoft 365: Security → Two-step verification. Google Workspace: Security → 2-Step Verification. Use an authenticator app (not SMS). This single step blocks 99% of future attacks.

3. Check and delete forwarding rules. Attackers ALWAYS set up email forwarding. In Outlook: Settings → Mail → Forwarding → disable any rules you didn't create. In Gmail: Settings → Forwarding → remove unknown addresses. Also check: Settings → Filters — delete any filter forwarding to unknown addresses.

4. Revoke all active sessions. Microsoft 365: Security → Sign-in activity → Sign out everywhere. Google: Security → Your devices → Sign out of all other sessions. This kicks the attacker out immediately.

Phase 2 — Damage assessment (first hour)

Understand what happened

5. Check your Sent folder. Read every message the attacker sent. Look for: payment redirect requests, credential phishing links, data requests, or messages to vendors/partners. Screenshot everything.

6. Check email rules and filters. Beyond forwarding: look for rules that auto-delete incoming emails (attackers use this to hide replies from people they scammed), rules moving emails to obscure folders, or rules that mark messages as read.

7. Review connected apps. Microsoft 365: Settings → Integrated apps. Google: Security → Third-party apps. Remove any app you don't recognize — attackers install OAuth apps that maintain access even after a password change.

8. Alert everyone the attacker contacted. Call (don't email) every person who received a message from the attacker. Warn them not to click links, open attachments, or process payment requests. If a payment was made, help them contact their bank immediately.
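Steps 3 and 6 above both come down to reading every mailbox rule and asking "does this hide mail or send it somewhere else?". The script below is an added example (not TeraDef's code) that does that triage over rules exported from the mailbox. The input shape is an assumption: a list of dicts with the keys shown, which is how you might normalise the output of Exchange Online's Get-InboxRule or the Gmail filters API before review. The four sample rules and the organisation domain teradef.com are constructed for the demo.

```python
"""Triage exported mailbox rules for forwarding, deletion and hiding tricks.

Added example, not TeraDef's code. The rule dict layout (name, forward_to,
redirect_to, delete_message, move_to_folder, mark_as_read, subject_contains)
is an assumed normalisation of an Exchange inbox-rule or Gmail filter export.
"""
from dataclasses import dataclass, field

ORG_DOMAINS = {"teradef.com"}                      # assumption: your own mail domains
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "archive",
                      "conversation history", "junk email", "deleted items"}
BEC_KEYWORDS = ("invoice", "payment", "wire", "bank", "password",
                "hacked", "phishing", "suspicious")


@dataclass
class Finding:
    rule: str
    reasons: list[str] = field(default_factory=list)


def external_addresses(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses if a.split("@")[-1].lower() not in ORG_DOMAINS]


def triage_rule(rule):
    """Return a Finding listing every suspicious property of one rule."""
    reasons = []
    ext = external_addresses(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if ext:
        reasons.append(f"forwards/redirects outside the organisation: {', '.join(ext)}")
    if rule.get("delete_message"):
        reasons.append("auto-deletes matching mail (hides replies from scam victims)")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to an obscure folder: {rule['move_to_folder']}")
    if rule.get("mark_as_read"):
        reasons.append("marks mail as read so the owner does not notice it")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("non-descriptive rule name (attackers often use '.' or a single character)")
    # Keyword-matching conditions only matter when the rule also hides or diverts mail.
    hits = [t for t in (s.lower() for s in rule.get("subject_contains", []))
            if any(k in t for k in BEC_KEYWORDS)]
    if hits and reasons:
        reasons.append(f"targets BEC-related subjects: {', '.join(hits)}")
    return Finding(rule.get("name", "<unnamed>"), reasons)


def triage_rules(rules):
    """Return findings only for rules that have at least one suspicious property."""
    return [f for f in (triage_rule(r) for r in rules) if f.reasons]


# Constructed sample export: one legitimate rule and three attacker-style rules.
SAMPLE_RULES = [
    {"name": "Team newsletter", "forward_to": ["newsletter@teradef.com"],
     "subject_contains": ["Weekly digest"]},
    {"name": ".", "forward_to": ["collector@example.net"], "mark_as_read": True},
    {"name": "Invoices", "subject_contains": ["invoice", "payment"],
     "move_to_folder": "RSS Subscriptions", "mark_as_read": True},
    {"name": "Cleanup", "subject_contains": ["hacked", "suspicious"], "delete_message": True},
]

if __name__ == "__main__":
    for finding in triage_rules(SAMPLE_RULES):
        print(f"rule '{finding.rule}':")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run it against a real export after the forwarding check in step 3 and again in step 6; any rule it flags that nobody on the team recognises should be deleted and noted in the incident record.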

Phase 3 — Organization-wide response

Protect the whole organization

9. Alert your entire organization. Send an announcement (from a verified clean account) warning staff about the compromise. Tell them to be suspicious of any recent emails from the affected account and to verify payment requests by phone.

10. Force a password reset for related accounts. If the attacker had access to admin credentials, shared mailboxes, or distribution lists — reset those too. If anyone else uses the same password (common in small orgs) — they must change theirs immediately.

11. Check if data was exfiltrated. Review sign-in and audit logs for bulk email downloads, unusual attachment access, or large data transfers. In Microsoft 365: Admin → Audit log. In Google Workspace: Admin → Reports → Audit → Drive/Email.

12. Report the incident. To your national CERT, law enforcement (FBI IC3 in the US, Action Fraud in the UK), and your email provider. If donor/patient/student data was accessed, you may have legal notification obligations.
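Step 11 is easier with a script than by scrolling the audit-log portal. The example below is added here (not TeraDef's code) and triages a list of audit records for the four things this page says to look for: sign-ins from places you don't recognise, new forwarding or deletion rules, OAuth app consents, and bulk mailbox reads. The record layout and operation names are modelled on the Microsoft 365 unified audit log (CreationTime, Operation, UserId, ClientIP, Parameters), but the exact fields, the known-IP list and the 50-events-per-hour threshold are assumptions to adjust for your tenant. All records are constructed for the demo.

```python
"""Flag audit-log events that indicate mailbox takeover or data exfiltration.

Added example, not TeraDef's code. Field names follow the shape of Microsoft
365 unified audit log records, but treat them as an assumption and map your
own export onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_IPS = {"203.0.113.10"}            # assumption: your office / VPN egress addresses
BULK_ACCESS_PER_HOUR = 50               # assumption: tune to normal use in your tenant
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
DIVERT_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                 "ForwardingSmtpAddress", "ForwardingAddress", "DeleteMessage"}


def _params(record):
    """Flatten the Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p.get("Value") for p in record.get("Parameters", [])}


def triage_audit_log(records):
    """Return (timestamp, user, description) alerts, oldest first."""
    alerts = []
    access = defaultdict(list)          # (user, hour bucket) -> timestamps of mail reads
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        op, user, ip = rec["Operation"], rec["UserId"], rec.get("ClientIP", "?")
        if op == "UserLoggedIn" and ip not in KNOWN_IPS:
            alerts.append((ts, user, f"sign-in from unknown address {ip}"))
        elif op in RULE_OPS:
            hits = {k: v for k, v in _params(rec).items() if k in DIVERT_PARAMS}
            if hits:
                alerts.append((ts, user, f"{op} with forwarding/deletion parameters {hits}"))
        elif op == "Consent to application.":
            alerts.append((ts, user, f"OAuth consent granted to '{rec.get('ObjectId', '?')}'"))
        elif op == "Add-MailboxPermission":
            alerts.append((ts, user, f"mailbox permission granted: {_params(rec)}"))
        elif op == "MailItemsAccessed":
            access[(user, ts.replace(minute=0, second=0, microsecond=0))].append(ts)
    for (user, hour), times in access.items():
        if len(times) >= BULK_ACCESS_PER_HOUR:
            alerts.append((max(times), user,
                           f"{len(times)} MailItemsAccessed events between {hour:%H:%M} and "
                           f"{hour + timedelta(hours=1):%H:%M} (possible bulk download)"))
    alerts.sort(key=lambda a: a[0])
    return alerts


def _rec(t, op, **extra):
    return {"CreationTime": t, "UserId": "finance@teradef.com", "Operation": op, **extra}


# Constructed sample: a normal morning login, then an evening takeover sequence.
SAMPLE_RECORDS = [
    _rec("2026-03-02T08:01:10", "UserLoggedIn", ClientIP="203.0.113.10"),
    _rec("2026-03-02T23:14:02", "UserLoggedIn", ClientIP="198.51.100.77"),
    _rec("2026-03-02T23:16:40", "New-InboxRule", ClientIP="198.51.100.77",
         Parameters=[{"Name": "Name", "Value": "."},
                     {"Name": "ForwardTo", "Value": "collector@example.net"},
                     {"Name": "MarkAsRead", "Value": "True"}]),
    _rec("2026-03-02T23:20:05", "Consent to application.", ClientIP="198.51.100.77",
         ObjectId="Mail Backup Helper"),
] + [
    _rec((datetime(2026, 3, 2, 23, 21) + timedelta(seconds=20 * i)).isoformat(),
         "MailItemsAccessed", ClientIP="198.51.100.77")
    for i in range(60)
]

if __name__ == "__main__":
    for ts, user, what in triage_audit_log(SAMPLE_RECORDS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user}  {what}")
```

The ordered alert list doubles as the timeline you will need for the report in step 12: first the foreign sign-in, then persistence (rule and app consent), then the bulk read that tells you data left the mailbox.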

What is Business Email Compromise (BEC)?

BEC is the most financially damaging cyber attack type worldwide. Attackers either hack into a real email account or create a lookalike address (ceo@teradef.com vs ceo@teradef.co) to impersonate trusted people. They then send convincing payment requests, fake invoices, or data requests to employees, vendors, or partners.

In 2026, BEC attacks increasingly use AI to write grammatically perfect, contextually aware emails in local languages — making them nearly indistinguishable from real messages. NGOs, hospitals, and small businesses are prime targets because they often lack email security tools and verification procedures.
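The lookalike trick above (ceo@teradef.com vs ceo@teradef.co) can be checked mechanically on inbound mail. The following is an added example (not TeraDef's code) that classifies a sender's domain against a list of trusted domains: exact or subdomain match, same name with a swapped TLD, digit-for-letter homoglyphs, a one-character edit, or a trusted domain used as a prefix of an unrelated one. The trusted list, the homoglyph table and the sample addresses are constructed for the demo; the domain split ignores multi-label public suffixes such as co.uk, which a production check would handle with a public-suffix list.

```python
"""Classify a sender domain as trusted, lookalike, or unrelated.

Added example, not TeraDef's code. TRUSTED_DOMAINS would normally hold your
own domains plus those of vendors and partners you pay.
"""

TRUSTED_DOMAINS = {"teradef.com"}                     # assumption: constructed for the demo
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _normalise(label):
    """Map common look-alike characters back to the letters they imitate."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def _split(domain):
    """Return (second-level label, top-level label); simplification, no public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(sender_domain, trusted=TRUSTED_DOMAINS):
    """Return (category, matched_trusted_domain). Checks run in priority order."""
    sender_domain = sender_domain.lower().strip(".")
    if sender_domain in trusted:
        return "trusted", sender_domain
    s_sld, s_tld = _split(sender_domain)
    for t in sorted(trusted):
        if sender_domain.endswith("." + t):
            return "trusted", t                     # genuine subdomain, e.g. mail.teradef.com
        if sender_domain.startswith(t + "."):
            return "prefix-abuse", t                # teradef.com.example.net
        t_sld, t_tld = _split(t)
        if s_sld == t_sld and s_tld != t_tld:
            return "tld-swap", t                    # teradef.co
        if _normalise(s_sld) == _normalise(t_sld):
            return "homoglyph", t                   # terad3f.com
        if levenshtein(s_sld, t_sld) <= 1:
            return "edit-distance", t               # teradeff.com
    return "unrelated", None


def classify_sender(address):
    """Convenience wrapper for a full e-mail address."""
    return lookalike_verdict(address.rsplit("@", 1)[-1])


if __name__ == "__main__":
    # Constructed sample senders.
    for addr in ["ceo@teradef.com", "ceo@mail.teradef.com", "ceo@teradef.co",
                 "ceo@terad3f.com", "ceo@teradeff.com", "ceo@teradef.com.example.net",
                 "someone@example.org"]:
        print(f"{addr:32} -> {classify_sender(addr)}")
```

Anything other than "trusted" or "unrelated" is a reason to hold the message and verify by phone, which is exactly the payment-verification rule the prevention section asks for.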

Prevent future email compromise

Enable 2FA on every email account in your organization. This is the single most effective defense. Use authenticator apps, not SMS.
Implement a payment verification policy. Any payment request over a threshold (e.g., $500) must be verified by phone call to a known number — never via email alone.
Train staff to recognize BEC. Key red flags: urgency ("wire this today"), secrecy ("don't tell anyone"), changes to payment details ("use this new account"), and requests from executives that bypass normal processes.
Use unique passwords for every account. Use a free password manager like Bitwarden. Never reuse your email password anywhere.
Check your email in TeraDef's Breach Check. If your email appeared in a data breach, attackers may already have your credentials.

Email compromised right now?

TeraDef's Cyber First Aid gives you personalized, step-by-step guidance — free, 24/7.
