This Guideline document is provided to you and your organization as a starting point or maturity checkpoint for existing incident response procedures. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides a starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful.
Jim McConnell | info@askmcconnell.com | askmcconnell.com
My Business Email Has Been Compromised — What Are My First Steps?
Updated: 18 June 2026
Three principles to carry forward from this moment:
- Never waste a crisis. This event is the most powerful organizational change agent you have had in years. Use it.
- Trust less — going forward. Verify more. Every time.
- Two is one, one is none. Single points of failure in your people, process, and technology created this opening. Close them all.
A Business Email Compromise (BEC) attack is not a technology problem. It is a converged failure — of people, process, and technology simultaneously. The steps below are not every step, but they are the most important ones to take in the immediate aftermath of a confirmed or suspected compromise. Move quickly, but do not move alone.
Step One: Contain — Stop the Bleeding First
Do this before you call anyone. Every minute an attacker has active access is a minute they can read mail, set forwarding rules, impersonate leadership, or move money. Lock the door first, then make notifications.
- Lock or disable the compromised account immediately. Do not simply change the password: reset it, then revoke every active session and refresh token so an attacker currently logged in is forced out (a session revoke on its own lets them sign straight back in with the password they already hold), then block sign-in until the account audit below is complete. Review the MFA methods registered on the account at the same time; attackers routinely add their own phone number or authenticator app so they keep access after a reset.
- Do not wipe, reset, or reimage any compromised device until a forensic copy has been made. The evidence lives on those machines. Destroying it before it is preserved can harm your legal and insurance position.
- Preserve everything: do not delete emails, do not empty trash folders, do not clear browser history on affected devices. Instruct all staff on affected systems to do the same until your IT supplier gives the all-clear.
- If any financial transactions were initiated — wire transfers, ACH payments, invoice changes — contact your bank or financial institution immediately. There is often a very narrow window (sometimes hours) to recall funds before they clear. Do not wait for the board call to make this one.
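The containment sequence above, as an added example for a Microsoft 365 tenant; this is not material from the original guide. It assumes the Microsoft Graph PowerShell SDK is installed, the operator holds an Entra ID role permitted to reset passwords and disable users, and the script file name Contain-Account.ps1 is a hypothetical one. The order is deliberate: rotate the credential first, then revoke sessions, then disable, then list the registered MFA methods for review.

```powershell
# Added example (not from the original guide): contain one compromised
# Microsoft 365 account with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in operator holds a
# role that can reset passwords and disable users; $Upn is the victim account.
# Usage (hypothetical file name): .\Contain-Account.ps1 -Upn user@example.org
param(
    [Parameter(Mandatory)] [string] $Upn
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", "UserAuthenticationMethod.Read.All"

# 1. Replace the password with a random one and force a change at next sign-in.
#    Doing this before the session revoke means the attacker's old password is
#    useless the moment their tokens are gone.
$alphabet    = (48..57) + (65..90) + (97..122)          # 0-9, A-Z, a-z
$newPassword = -join ($alphabet | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Invalidate every refresh token and browser session issued to this user.
#    Access tokens already in the attacker's hands stay valid until they expire
#    (roughly an hour), so this is not instantaneous.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Block sign-in entirely until forensics and the account audit are finished.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 4. List registered MFA methods so an attacker-added phone or authenticator
#    can be spotted and removed by the admin reviewing this output.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id,
        @{ n = 'Method'; e = { $_.AdditionalProperties['@odata.type'] } },
        @{ n = 'Detail'; e = { ($_.AdditionalProperties.GetEnumerator() |
            Where-Object { $_.Key -in 'phoneNumber', 'displayName', 'emailAddress' } |
            ForEach-Object { $_.Value }) -join ' ' } }

# 5. Confirm the state and record a UTC timestamp for the incident log.
Get-MgUser -UserId $Upn -Property DisplayName, UserPrincipalName, AccountEnabled |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled,
        @{ n = 'ContainedAtUtc'; e = { (Get-Date).ToUniversalTime().ToString('o') } }
```

Keep the new password out of email and chat; hand it to the user in person or by phone after the forensic copy of their device has been taken, since the device itself may still be under the attacker's control.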
Notifications — Who to Tell and When
- Notify your Board of Directors immediately after containment. This is a leadership-level event, not an IT support ticket.
- Contact your legal counsel. A BEC event may trigger breach notification obligations depending on what data was accessed — your attorney tells you what you are required to disclose and by when. Get them on the phone early.
- Contact your insurance provider. Cyber liability coverage may apply — but only if you report promptly. Read your policy now, not after the weekend.
- File a report with local law enforcement and the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. Federal jurisdiction often applies in BEC cases, especially where funds were transferred.
- Notify any suppliers whose identity may have been impersonated — or whose communications with your organization were intercepted. BEC attackers frequently pivot to target the other side of a business relationship.
- Notify affected staff, donors, clients, or partners whose information may have been accessed or whose trust was exploited to further the attack. Be honest, be specific, and communicate early. People find out either way — it is better to hear it from you.
People — Training and Governance
- Direct your IT supplier to update your security awareness training program immediately — and confirm it includes phishing simulations and social engineering education. Not next quarter. Now.
- Consider adding a Converged Security Advisor to your Board. This event should not have been your first warning signal. Make sure it is not your last without qualified oversight at the table.
- From this point forward, establish a standing rule: any request to change payment information, wire funds, or modify any financial account (supplier or internal) must be verified by a live phone call to a known number — never by responding to the email that made the request. Email is the attack surface. Do not use it to verify an email.
Process — What to Change Now
- Require password resets on all critical accounts immediately, starting with any account whose credentials could have been read from the compromised mailbox (password-reset emails, shared mailboxes, finance and banking portals). Going forward, reset on evidence of compromise rather than on a calendar: NIST SP 800-63B no longer recommends forced periodic rotation, because it produces predictable variations of the same password. If you keep a 60-to-90-day cycle, treat it as a floor; length, uniqueness and MFA are the controls that actually close this gap.
- Commission a full converged security assessment of the organization by a qualified, certified individual — not your current IT supplier auditing their own work. Independent evaluation only.
- Document how this incident happened before the urgency fades. Phishing link? Credential reuse? A forwarding rule set months ago? The method tells you where your next gap is. Close it in writing.
Technology — Immediate IT Actions
Engage your IT supplier and direct them to complete each of the following — in writing, with a confirmed completion date on every item:
- Enable multi-factor authentication (MFA) on all critical applications: Office 365 / Outlook, donor management, HR platforms, project management tools (Monday, Asana, etc.), and any other cloud-based system your organization depends on. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) for email and finance roles: the adversary-in-the-middle phishing kits behind current BEC campaigns relay SMS codes and push approvals in real time, so those factors alone are not enough.
- Require a second factor for device sign-in on all desktops and laptops (Windows Hello for Business or a smart card), not just for email, so a stolen password alone does not unlock a workstation.
- Configure sign-in location restrictions for Office 365 (Entra ID Conditional Access with named locations). Limit logins to the countries you operate in and block, or require re-authentication for, everything else. A login from an unexpected country at 3 a.m. should trigger an alert or a block, not just a log entry nobody reads. Treat this as a tripwire rather than a wall: BEC actors routinely sign in through VPNs and residential proxies inside your own country, so pair it with risk-based detections such as impossible travel and unfamiliar sign-in properties.
- Audit your email authentication records (SPF, DKIM, and DMARC). These are DNS-published controls that let receiving mail systems reject email forged to look as if it came from your domain. If they are not configured, or DMARC is not set to p=reject, fix that now; p=none only reports. This is one of the most effective and most overlooked controls available, with one caveat: it does nothing against mail the attacker sends from your own compromised mailbox (which authenticates perfectly) or from a look-alike domain, which is why the phone-call verification rule above stays in force.
- Preserve all case-related emails (sent, received, and deleted) to a secure offline location before any accounts are reset, using an administrative export (litigation hold or eDiscovery) rather than the user's own mailbox export. Export the tenant audit log as well: the sign-in, mailbox-access, inbox-rule and forwarding events that show what the attacker did are retained for a limited period only. These are evidence.
- Come on-site to scan all devices: PCs, laptops, phones, and printers, once the forensic copies from Step One have been taken. Confirm all software and firmware is fully current before leaving.
- Conduct a full account audit across all critical systems. Look for accounts that should not exist, permissions and admin roles that should not be active, access that has never been used, MFA methods the user did not register, and third-party application consents granted from the compromised mailbox; a consented app keeps reading mail after the password changes.
- Audit every email forwarding rule in Office 365 and any other email platform in use, at two levels: mailbox-level forwarding (set by an admin or in Outlook on the web settings) and user inbox rules, including hidden ones. Do not stop at rules that forward. Rules that delete mail or move it into RSS Feeds, Archive, Conversation History or Deleted Items are how an attacker keeps the victim from seeing the bank's or supplier's replies, and rules with blank or single-character names are a classic sign. Few organizations have a legitimate need to forward mail outside the tenant; any rule you did not create is a red flag until proven otherwise, and automatic external forwarding should be turned off tenant-wide. This is one of the most common attacker persistence techniques and one of the most commonly missed.
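The forwarding-rule audit above, as an added example for Exchange Online; this is not code from the original guide. It assumes the ExchangeOnlineManagement module is installed, the operator holds an Exchange administrator role, and the CSV file name is a hypothetical one. It covers the three places mail can leave automatically: mailbox-level forwarding, inbox rules (including hidden ones), and the tenant-wide outbound forwarding setting, and it also flags the delete-and-bury rules described above.

```powershell
# Added example (not from the original guide): enumerate every way mail can
# leave a Microsoft 365 tenant automatically, using Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the operator holds an
# Exchange administrator role; the output file name is hypothetical.
Connect-ExchangeOnline -ShowBanner:$false

$report    = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

# Folders attackers use to hide replies from the victim's view.
$hidingFolders = 'RSS|Deleted Items|Junk|Archive|Conversation History'

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding: set by an admin, or by the user (or the
    #    attacker as the user) in Outlook on the web settings.
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $report.Add([pscustomobject]@{
            Mailbox   = $mbx.UserPrincipalName
            Source    = 'MailboxForwarding'
            Rule      = ''
            Target    = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            KeepsCopy = $mbx.DeliverToMailboxAndForward
            Hides     = $false
        })
    }

    # 2. Inbox rules, including hidden rules created directly over MAPI.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden)) {
        $forwards = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $hides   = [bool]$rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match $hidingFolders)
        $oddName = $rule.Name -match '^[\s.,]*$'     # blank, ".", ".." and similar
        if ($forwards -or $hides -or $oddName) {
            $report.Add([pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Source    = 'InboxRule'
                Rule      = $rule.Name
                Target    = ($forwards -join '; ')
                KeepsCopy = -not $rule.DeleteMessage
                Hides     = $hides
            })
        }
    }
}

# 3. Tenant setting: automatic external forwarding should be Off unless a
#    documented exception exists. Fix with:
#    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

$report | Sort-Object Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path ".\forwarding-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Do not remove a flagged rule before the mailbox export and audit-log export from the Technology list are complete; the rule's description, creation time and the account that created it are part of the evidence.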
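The SPF, DKIM and DMARC audit from the Technology list, as an added example; this is not material from the original guide. It uses Resolve-DnsName from the Windows DnsClient module, so it assumes a Windows host with outbound DNS. The DKIM check looks only for the selector1 and selector2 CNAMEs that Microsoft 365 publishes, which is an assumption about the tenant; other mail senders use other selectors. The parsing functions also accept records pasted by hand, so the checks can be exercised offline on constructed records.

```powershell
# Added example (not from the original guide): audit SPF, DKIM and DMARC for a
# domain. Assumptions: Windows with Resolve-DnsName available; DKIM selectors
# selector1/selector2 (Microsoft 365); sample records at the end are constructed.

function Get-SpfFindings {
    param([string[]]$TxtRecords)
    $findings = @()
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return @('SPF: no v=spf1 record published') }
    if ($spf.Count -gt 1) { $findings += 'SPF: more than one v=spf1 record; receivers treat this as a permanent error' }
    $terms = $spf[0] -split '\s+'
    # The terminating "all" mechanism decides what happens to unlisted senders.
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' }) | Select-Object -Last 1
    if (-not $all)           { $findings += 'SPF: no "all" mechanism; unlisted senders get a neutral result' }
    elseif ($all -eq '~all') { $findings += 'SPF: ~all (softfail); receivers may still deliver, use -all' }
    elseif ($all -ne '-all') { $findings += "SPF: $all authorizes any sender on the internet" }
    # More than 10 DNS-querying terms is a permanent error (RFC 7208 section 4.6.4).
    # This counts the top level only; nested include: records add to the total.
    $lookups = @($terms | Where-Object { $_ -match '^([+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "SPF: $lookups DNS lookups at the top level alone; the limit is 10" }
    return $findings
}

function Get-DmarcFindings {
    param([string]$Record)
    $findings = @()
    if (-not $Record) { return @('DMARC: no _dmarc TXT record; the domain can be spoofed freely') }
    # Tags are key=value pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { $findings += "DMARC: record does not begin with v=DMARC1 ($Record)" }
    switch ($tags['p']) {
        'reject'     { }
        'quarantine' { $findings += 'DMARC: p=quarantine; move to p=reject once aggregate reports are clean' }
        'none'       { $findings += 'DMARC: p=none only monitors; spoofed mail is still delivered' }
        default      { $findings += 'DMARC: missing or invalid p= tag' }
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "DMARC: pct=$($tags['pct']) leaves part of the spoofed mail unenforced" }
    if ($tags['sp'] -and $tags['sp'] -ne 'reject')   { $findings += "DMARC: subdomain policy sp=$($tags['sp']) is weaker than reject" }
    if (-not $tags['rua']) { $findings += 'DMARC: no rua= address; you receive no aggregate reports and cannot see abuse' }
    return $findings
}

function Invoke-EmailAuthAudit {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings })
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings } |
        Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1
    $findings  = @()
    $findings += Get-SpfFindings -TxtRecords $txt
    $findings += Get-DmarcFindings -Record $dmarc
    foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $cname) { $findings += "DKIM: no CNAME at $selector._domainkey.$Domain (Microsoft 365 selector; ignore if not used)" }
    }
    if ($findings.Count -eq 0) { 'No findings: SPF -all, DMARC p=reject, DKIM selectors present' } else { $findings }
}

# Offline check on constructed records (example.org is a placeholder, not a real target):
Get-SpfFindings   -TxtRecords @('v=spf1 include:spf.protection.outlook.com ~all')
Get-DmarcFindings -Record 'v=DMARC1; p=none; rua=mailto:dmarc@example.org'
# Live check: Invoke-EmailAuthAudit -Domain 'example.org'
```

On the constructed records the functions report the two weaknesses the guide warns about, the softfail ~all and the monitor-only p=none. Move to p=reject in stages (p=none with rua reporting, then quarantine, then reject) so legitimate third-party senders such as the donor platform are added to SPF or DKIM-signed before enforcement starts rejecting their mail.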
Passwords — Reset and Restructure
- Eliminate shared IDs and passwords across the organization. Every individual gets their own credentials — no exceptions.
- Prohibit password reuse across systems. The same password on your email and your donor database is not a convenience shortcut — it is a master key for an attacker.
- If a shared credential is operationally unavoidable, store it in a physical Password Diary locked in a secured safe, or in a reputable password manager with an audited shared vault so every use is attributable to a person. Not a spreadsheet. Not a sticky note. Not a group text.
- Individual passwords should be stored in a separate Password Diary, also secured and accessible only to the individual, or in that person's own password manager vault.
- Require at least 15 characters (the minimum NIST SP 800-63B recommends verifiers enforce) and structure them as a passphrase of several unrelated words. Do not pad a short phrase with a quarter-and-year sequence or a trailing special character; attackers try seasons, years and single appended symbols first, so that pattern adds almost nothing. The strength comes from length, not from the phrase reading like a sentence: a long passphrase beats a short "complex" password because it is long, and its advantage over a random string of the same length is only that a human can remember it.
