Cairitech IT Support and Services Logo

Leader in IT Support & Cybersecurity Across Ontario

Cairitech IT Support and Services Logo
Cairitech blog cover image

Blog

How Do I Know If My Email Has Been Hacked? 8 Warning Signs Every Business Should Watch For

Powered By Cairitech

3 min read posted on 05/31/26

Your email account is the front door to your business. It holds client conversations, invoices, password resets, contracts, and access to half your other software. When attackers get in, they don't always announce themselves — they sit quietly, watch how you communicate, and strike when the timing pays them the most (usually right before a wire transfer or invoice goes out).

Here are eight warning signs you may have been compromised, what to do if your email is hacked in the first hour, and how to stop it from happening again.

1. You're suddenly locked out of your own inbox

If your password stops working out of nowhere and you didn't change it, assume someone else did. This is one of the most obvious signs — and one of the loudest. Use your provider's recovery process from a clean device, then move to step nine below.

2. Login alerts from places you've never been

Microsoft 365 and Google Workspace both notify you when your account is accessed from a new device, IP address, or country. A login from another province, the U.S., or overseas — when you're sitting in Aurora — is a serious red flag, even if nothing else looks wrong yet.

3. Forwarding or inbox rules you didn't create

This is the quietest, most damaging sign, and the one most owners miss. Attackers often set up a hidden rule that auto-forwards your incoming mail (or anything containing words like "invoice," "wire," or "banking") to an outside address — then deletes it from your inbox so you never see it. Check your forwarding and inbox rules manually. If you find one you didn't make, you're in business email compromise territory.

4. Sent items you don't recognize

Look in your Sent and Deleted folders. Emails you didn't write — especially short ones with links or attachments sent to your contacts — mean an attacker is using your account to phish other people. Your reputation is on the line every minute this continues.

5. Clients or coworkers ask about weird emails "from you"

Sometimes you'll find out from the outside first. A client mentions a strange invoice, an updated banking detail, or a request to buy gift cards — and none of it came from you. Take it seriously the first time someone asks. This is exactly how construction and AEC firms lose six-figure wire payments.

6. MFA prompts you didn't trigger

If your phone is buzzing with multi-factor authentication requests and you're not logging in, someone has your password and is trying to get past the second layer. Never approve a prompt you didn't initiate. Change your password immediately on a different device.

7. Password reset emails for other accounts

Banking, accounting software, CRM, social media — if reset emails start arriving for accounts you didn't ask to reset, it usually means an attacker is in your inbox and is now pivoting to everything connected to it.

8. Emails are disappearing

Messages vanishing from your inbox — particularly security alerts, invoices, or replies you were expecting — is one of the most overlooked hacked email symptoms. It usually means someone else is reading your mail and cleaning up after themselves to stay hidden longer.

What to do if your email is hacked: your first hour

  • Change your password from a clean device, and make it long and unique.

  • Sign out of all sessions in your email account settings.

  • Turn on (or reset) MFA if it isn't already enforced.

  • Review forwarding rules and inbox rules and delete anything unfamiliar.

  • Warn your team and clients before an attacker uses your name to ask them for money.

  • Call your IT provider — the longer an attacker sits inside, the more expensive it gets.

How to stop it from happening again

Most email compromises in small and mid-sized GTA businesses come down to four gaps: weak or reused passwords, no MFA, no email filtering beyond the default Microsoft 365 settings, and no one watching for the warning signs above. Closing those gaps with proper Microsoft 365 hardening, phishing simulation training, and 24/7 monitoring is straightforward — and far cheaper than recovering from a wire-fraud loss or a breach notification.

Frequently asked questions

How do hackers get into your email?

Almost always one of three ways: a password leaked in a previous data breach (and reused on your email), a phishing email that tricked you into entering your credentials on a fake login page, or malware on a device that captured your password as you typed it. MFA blocks most of these — but only if it's actually turned on.

Can my email still be hacked if I have MFA?

Yes, but it's much harder. Attackers can bypass MFA through session-token theft, MFA push fatigue (spamming your phone hoping you tap approve), or by tricking you on a fake login page that captures your code. App-based MFA is stronger than SMS, and conditional access policies in Microsoft 365 add another layer.

What's the first thing to do if my email is hacked?

Change your password from a clean device, then sign out of all sessions. After that, check for forwarding rules, warn your team and clients, and call your IT provider — in that order.

Worried your email might already be compromised?

Cairitech offers a free email security assessment for GTA businesses. We'll review your Microsoft 365 settings, check for hidden forwarding rules, and tell you exactly where you stand — no obligation. Get in touch with our team to book yours.

Call us at 416-361-1441 or schedule a discovery call to get started.

FREE REPORT: IT Buyers Guide

What You Should Expect To Pay For I.T. Support For Your Business (And How To Get Exactly What You Need Without Unnecessary Extras, Hidden Fees And Bloated Contracts)

Popular Reads You Don’t Want to Miss

Blog Cover Image: Cyber Resilience Is Now a Business Requirement for Ontario Manufacturers & Builders

March 29, 2026

Cyber resilience is no longer optional for Ontario manufacturers and builders. Learn how downtime, cyber risk, and outdated IT can quietly threaten your operations—and what smart business leaders are doing in 2026 to stay secure, compliant, and competitive. [Read more]

Blog Cover Image: Inside Look: How Hackers Use AI To Attack Your Business

January 17, 2025

If you think hackers are only targeting Fortune 500 companies, think again. Thanks to artificial intelligence, cybercriminals now have the power to scale their attacks like never before - and small business owners are at the top of their hit list. Here’s how hackers are weaponizing AI... [Read more]

LOCATIONS

Canada

1-2 Vata Court, Aurora, ON

United States

39288 Calle Tonala, Indio, CA

Copyright 2026. CairiTech. All rights reserved.