
Is Your Business Email Compromised? 7 Signs to Check

The warning signs of a hacked business email are quiet by design — here's how to spot them in 15 minutes and what to do if you find one.

Most people picture a hacked email as something loud — a locked screen, a ransom note, your contacts flooded with spam. Real business email compromise is the opposite. It's quiet. An attacker who breaks into your inbox makes money by staying invisible: reading your messages, watching for an invoice or a wire, and waiting. By the time anyone notices, the money is usually gone.

That patience is exactly why this works. The FBI's Internet Crime Complaint Center logged $2.77 billion in business email compromise losses in 2024 alone, across 21,442 reported cases — and nearly $8.5 billion over the prior three years combined. It's one of the most expensive crimes a small business can fall victim to, and it almost never starts with anything dramatic.

So the real question isn't "will I see an obvious hack." It's: would I even notice if my email were compromised right now? Here are the signs that matter, and how to check.

The 7 signs your business email has been compromised

1. A mail rule you didn't create

This is the single most important one, and the one almost everyone misses. After breaking in, attackers create an inbox rule that quietly forwards or deletes certain emails — usually anything containing words like "invoice," "payment," "statement," "wire," or "past due." Microsoft and security firm Red Canary both flag these auto-forwarding rules as a classic sign of a compromised mailbox. The point is to hide the crime from you while it's happening: replies to fraudulent invoices get swept into a folder you never open, or sent straight to the attacker. If you check one thing today, check your rules.
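As an added example (not IronCastle's or Microsoft's code), the check described above can be run over an exported rule list: the sketch flags rules that send mail outside your domain or that hide mail matching the finance keywords named in this section. The field names follow the properties Exchange Online's Get-InboxRule reports; the JSON-like export shape, the `QUIET_FOLDERS` list, and the `example.com` / `example.net` domains are assumptions.

```python
import re

# Words the guide says attacker-made rules usually match on.
FINANCE_WORDS = {"invoice", "payment", "statement", "wire", "past due"}
# Folders a user rarely opens (assumed list, adjust to your mailbox).
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

def external_targets(rule, own_domain):
    """Forward/redirect addresses whose domain is not own_domain."""
    found = []
    for key in FORWARD_KEYS:
        for entry in rule.get(key) or []:
            m = re.search(r"[\w.+-]+@([\w.-]+)", entry)
            if m and m.group(1).lower() != own_domain.lower():
                found.append(m.group(0))
    return found

def triage_rule(rule, own_domain):
    """Return the reasons a rule needs a manual look (empty list = none)."""
    reasons = []
    external = external_targets(rule, own_domain)
    if external:
        reasons.append("sends mail outside the organisation: " + ", ".join(external))
    words = {w.lower() for key in KEYWORD_KEYS for w in (rule.get(key) or [])}
    finance = sorted(words & FINANCE_WORDS)
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in QUIET_FOLDERS
    if finance and hides:
        reasons.append("hides finance mail matching: " + ", ".join(finance))
    elif hides and not words:
        reasons.append("deletes or buries mail with no keyword filter")
    return reasons

def review_rules(rules, own_domain):
    """Map rule name -> reasons, for flagged rules only."""
    flagged = {r["Name"]: triage_rule(r, own_domain) for r in rules}
    return {name: why for name, why in flagged.items() if why}

# Constructed sample export (not real data); example.com is the assumed own domain.
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "SubjectOrBodyContainsWords": ["Invoice", "payment", "wire"], "MoveToFolder": "RSS Feeds"},
    {"Name": "backup", "ForwardTo": ["smtp:collector@example.net"]},
    {"Name": "team", "ForwardTo": ["smtp:colleague@example.com"]},
]

print(review_rules(SAMPLE_RULES, "example.com"))
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise on its own.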

2. Emails in Sent or Deleted that you didn't send

Look at your Sent Items and Deleted Items folders. Messages you don't recognize — especially short replies about payments or password resets — mean someone else has been operating your account. Attackers often delete the security alerts and reset emails their own activity triggers, so an empty or oddly tidy Deleted folder can be a clue too.

3. People reply to messages you never sent

A customer, colleague, or supplier asks about an email "you" sent — a strange link, an urgent request to change bank details, an attachment. If your contacts are getting messages you didn't write, your account (or one that's spoofing you) is being used to attack the people who trust you.

4. Sign-ins from places and devices that aren't you

Both Microsoft 365 and Google Workspace keep a sign-in log. A successful login from another country, an unfamiliar device, or an IP address you don't recognize — particularly at odd hours — is a strong indicator. One failed login from abroad is normal background noise; a successful one is not.
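The distinction drawn above, failed sign-ins from abroad as noise and successful ones as alerts, can be applied to an exported sign-in log. This is an added example, not code from either vendor: the event fields (`time`, `country`, `device`, `ip`, `success`), the baseline values and the working-hours window are hypothetical, and timestamps are assumed to be in the owner's local time.

```python
from datetime import datetime

def triage_signins(events, home_countries, known_devices, known_ips, work_hours=(7, 20)):
    """Return (alerts, noise): alerts are successful sign-ins that do not match
    the owner's baseline; failed ones that do not match are background noise."""
    alerts, noise = [], []
    for ev in events:
        reasons = []
        if ev["country"] not in home_countries:
            reasons.append("country " + ev["country"])
        if ev["device"] not in known_devices:
            reasons.append("unfamiliar device " + ev["device"])
        if ev["ip"] not in known_ips:
            reasons.append("unrecognised IP " + ev["ip"])
        if not reasons:
            continue  # matches the owner's baseline, even late at night
        # Odd hours only strengthen an existing mismatch; they never alert alone.
        hour = datetime.fromisoformat(ev["time"]).hour
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append(f"odd hour {hour:02d}:00")
        (alerts if ev["success"] else noise).append({**ev, "reasons": reasons})
    return alerts, noise

def exposure_start(alerts):
    """Earliest suspicious successful sign-in: review mail and rules from here on."""
    return min((a["time"] for a in alerts), default=None)

# Constructed sample log (documentation IP ranges, not real data).
SAMPLE_SIGNINS = [
    {"time": "2025-03-03T09:05:00", "country": "US", "device": "Laptop-Chrome",
     "ip": "192.0.2.10", "success": True},
    {"time": "2025-03-03T14:40:00", "country": "BR", "device": "unknown",
     "ip": "198.51.100.7", "success": False},
    {"time": "2025-03-04T03:12:00", "country": "FR", "device": "Linux-Firefox",
     "ip": "203.0.113.50", "success": True},
    {"time": "2025-03-04T23:30:00", "country": "US", "device": "Laptop-Chrome",
     "ip": "192.0.2.10", "success": True},
    {"time": "2025-03-05T11:02:00", "country": "FR", "device": "Linux-Firefox",
     "ip": "203.0.113.50", "success": True},
]
BASELINE = dict(home_countries={"US"}, known_devices={"Laptop-Chrome"}, known_ips={"192.0.2.10"})

alerts, noise = triage_signins(SAMPLE_SIGNINS, **BASELINE)
print(exposure_start(alerts), [a["reasons"] for a in alerts], len(noise))
```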

5. Your password suddenly stops working

If you're locked out for no reason, or you get a password-change confirmation you didn't request, treat it as an emergency. Changing the password to lock out the real owner is often the first thing an attacker does once they decide to stop hiding.

6. MFA prompts you didn't trigger

If your phone buzzes with a login approval request when you're not logging in, someone already has your password and is trying to get past your second factor. Never approve a prompt you didn't start — and treat each one as evidence the password is burned.

7. Your address shows up in a data breach

Most account takeovers start with a password leaked from some other site you reused it on. You can check your address for free at Have I Been Pwned. A hit doesn't mean your email is hacked today, but if you reused that password anywhere, assume it's known and change it.

How to check in 15 minutes

You don't need a security team to run a basic check. Sit down with the account and work through this list.

If everything's clean, good — turn on multi-factor authentication if you haven't, and you've spent 15 minutes well. If something's off, move fast.

What to do right now if it's hacked

Order matters here. Do these in sequence.

  1. Change the password — from a device you trust, not the possibly-infected one. If you're locked out, use the "forgot password" flow to reclaim the account.
  2. Turn on multi-factor authentication if it isn't already. This is what actually keeps the attacker out once the password is reset. Note that MFA fatigue attacks try to bypass it, so use an app or hardware key over SMS where you can.
  3. Delete every rule and forwarding address you didn't create. Resetting the password does not remove a mail rule — the attacker set it precisely so they keep visibility after you change the password.
  4. Sign out all sessions. Both Microsoft and Google have a "sign out everywhere" option that kills the attacker's active login.
  5. Reset the account's recovery details to your own.
  6. Warn your contacts — especially anyone in finance — to verify any recent payment or bank-detail requests by phone before acting on them.
  7. If money moved, call your bank immediately and report it. Speed is everything; some wire transfers can be recalled within a short window. In the US, also report it to the FBI at ic3.gov.

How to stop it happening again

The same few controls block the overwhelming majority of these attacks:

That last point is where most small businesses are exposed. A new mail rule or a sign-in from an unusual country generates a signal, but only if someone or something is watching for it. This is the gap a managed detection and response service is meant to close — continuously monitoring your email and identity platform so a quiet compromise doesn't stay quiet for weeks. It's the core of what the IronCastle platform watches for, and you can see how our SOC handles account takeover if you want a second set of eyes on it. Even if you never buy a thing, the checklist above will catch most of what matters.

Run the 15-minute check today, while it's fresh. The whole point of a compromised inbox is that it looks completely normal until the day it doesn't — and by then the money has usually already moved.

IronCastle is AI-native managed cybersecurity for small and mid-sized businesses — a 24/7 human SOC backed by an AI defender that moves first.
