5 Signs Your Business Has Already Been Hacked (And You Don't Know It)
Here's a number that should keep you up tonight.
**194 days.** That's the average time it takes a business to even realize they've been breached. Not to fix it — just to notice it happened. Nearly seven months of someone sitting inside your network, reading your emails, copying your files, and mapping your systems before anyone raises an eyebrow.
By the time ransomware locks your screen or a customer calls asking why their data is on the dark web, the attacker has been inside for months. The explosion is just the last step. The fuse was lit a long time ago.
So how do you catch it earlier? You pay attention to the warning signs that most people explain away or ignore.
1. Employees Getting MFA Prompts They Didn't Request
This is the big one. And it's the one people dismiss the fastest.
Someone in your office gets a push notification on their phone asking them to approve a login. They didn't try to log in. They hit "deny" and go back to their sandwich. Maybe it happens again the next day. They ignore it.
That's an attacker with their password, trying to get past MFA.
Let me say that again — if someone is getting MFA prompts they didn't initiate, **someone else has their password.** Full stop. That's not a glitch. That's not the system being weird. That is an active attack in progress.
What to do: Change the password immediately. From a different device. Review the account's sign-in logs. Check if any MFA methods were added that the user doesn't recognize. And report it — don't just ignore it.
2. Emails Going Out That Nobody Sent
A client calls and says they got a weird email from someone on your team. The email has a link or an attachment. But the person it "came from" never sent it.
This means one of two things: either someone's email account has been compromised and the attacker is sending emails from inside your actual mailbox, or your domain is being spoofed (which means your email authentication — DMARC, DKIM, SPF — isn't set up properly).
Either way, it's bad. If it's a compromised account, the attacker can see every email, every attachment, every contact. They're usually looking for invoices, financial details, or anything they can use for a business email compromise scam — the kind where they send your CFO a convincing email saying "wire $47,000 to this new account."
What to do: Check the sent folder and deleted items. Review mail flow rules for any forwarding rules you didn't create (attackers love setting up hidden forwarding rules). Check sign-in activity. If an account is compromised, force a password reset and revoke all active sessions immediately.
3. Your Systems Are Slower Than Usual — And Nobody Knows Why
Computers take longer to boot. Applications lag. The network feels sluggish. IT runs some speed tests, shrugs, and says "it's probably Windows update."
Maybe. But it's also what it looks like when something is running in the background that shouldn't be. Malware, cryptominers, data exfiltration tools, or an attacker actively moving data off your network — all of these consume system resources and network bandwidth.
This isn't a "call IT when you get a chance" situation. If multiple people are noticing performance degradation at the same time, and there's no obvious explanation like a software update or a backup running, it's worth investigating.
What to do: Check running processes for anything unfamiliar. Review network traffic for unusual patterns — especially large outbound transfers during off-hours. Run a full endpoint scan with updated definitions. And don't just restart the computer and call it fixed.
4. Unexpected Password Reset Emails
Your accountant gets an email from Microsoft saying their password was changed. They didn't change it. Your office manager gets a notification that a new device was added to their account. They didn't add one.
These notifications exist for a reason. They're the system telling you that someone accessed the account and made changes. If the actual user didn't make those changes, someone else did.
Attackers who compromise an account will often change the password, add their own MFA device, or set up an app password — all to maintain access even after the original user notices something is wrong. By the time you reset the password, the attacker has already created a back door.
What to do: Reset the password AND review all authentication methods on the account. Remove any devices, phone numbers, or authenticator apps that the user doesn't recognize. Check for app passwords. Review the account's recent activity log for logins from unfamiliar locations or IP addresses.
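As an added example (not part of the original article), here is a small Python triage script that applies the checks from signs 1 and 4 to constructed sign-in and audit records: it counts MFA denials per account and source IP, notes whether a later login from that IP succeeded, and lists password changes and newly added MFA methods that should be confirmed with the user. The field names and every record are constructed for this example and are not taken from any real log export.

```python
from collections import defaultdict

# Constructed sample records (not real logs). Field names are an assumption
# made for this example; adapt them to your identity provider's export.
SIGN_INS = [
    {"user": "alice@example.com", "ts": "2024-05-01T08:02", "ip": "203.0.113.7", "result": "MFA denied"},
    {"user": "alice@example.com", "ts": "2024-05-01T08:05", "ip": "203.0.113.7", "result": "MFA denied"},
    {"user": "alice@example.com", "ts": "2024-05-02T07:58", "ip": "203.0.113.7", "result": "MFA denied"},
    {"user": "alice@example.com", "ts": "2024-05-02T08:40", "ip": "203.0.113.7", "result": "success"},
    {"user": "bob@example.com", "ts": "2024-05-01T09:00", "ip": "198.51.100.4", "result": "MFA denied"},
    {"user": "bob@example.com", "ts": "2024-05-01T09:01", "ip": "198.51.100.4", "result": "success"},
    {"user": "carol@example.com", "ts": "2024-05-01T10:00", "ip": "198.51.100.9", "result": "success"},
]
AUDIT = [
    {"user": "alice@example.com", "ts": "2024-05-02T08:41", "event": "MFA method added"},
    {"user": "carol@example.com", "ts": "2024-05-01T10:30", "event": "password changed"},
]


def mfa_denials_by_ip(sign_ins):
    """Count MFA denials per (user, source IP). Repeated denials from one IP are the
    'prompts the user didn't request' pattern: that IP already has the password."""
    counts = defaultdict(int)
    for r in sign_ins:
        if r["result"] == "MFA denied":
            counts[(r["user"], r["ip"])] += 1
    return dict(counts)


def suspicious_accounts(sign_ins, audit, min_denials=2):
    """Return {user: [reasons]} for accounts that need an immediate review.
    A single denial (bob) is treated as a user mis-tap and is not flagged."""
    flags = defaultdict(list)
    for (user, ip), n in mfa_denials_by_ip(sign_ins).items():
        if n < min_denials:
            continue
        flags[user].append(f"{n} MFA prompts denied from {ip}")
        # A later success from the same IP means the attacker eventually got through.
        if any(r["user"] == user and r["ip"] == ip and r["result"] == "success" for r in sign_ins):
            flags[user].append(f"successful login from {ip} after denials")
    for a in audit:
        # Sign 4: every password change or new MFA method must be confirmed with the user.
        if a["event"] in ("MFA method added", "password changed"):
            flags[a["user"]].append(f"{a['event']} at {a['ts']}")
    return dict(flags)


if __name__ == "__main__":
    for user, reasons in suspicious_accounts(SIGN_INS, AUDIT).items():
        print(user, *("  - " + r for r in reasons), sep="\n")
```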
5. Files, Folders, or Settings That Changed on Their Own
A shared folder that was accessible yesterday now requires a password. Files disappeared from a network drive. A firewall rule changed that nobody remembers changing. A new admin account appeared in Active Directory.
These are signs of someone actively working inside your environment. They're exploring, testing access, setting up persistence, or staging data for extraction. The changes might be subtle — a new scheduled task, a modified Group Policy, a service that wasn't there before.
The scariest version of this: you find files with names like `mimikatz.exe`, `psexec.exe`, or `lazagne.exe` on a server. Those are hacking tools. If they're on your systems and nobody on your team put them there, you are actively compromised. Stop what you're doing and call for help.
What to do: Document what changed, when, and on which system. Check audit logs for who made the change. Look for new user accounts, especially admin accounts. If you find hacking tools on any system, disconnect it from the network immediately and engage an incident response professional.
What To Do If Any of This Sounds Familiar
Don't panic. But don't ignore it either.
If you're seeing one of these signs, it might be nothing. If you're seeing multiple — especially unexpected MFA prompts combined with email issues or unexplained changes — you need to treat it seriously.
Here's the short version:
1. **Don't tip off the attacker.** Don't announce to the office that you think you've been hacked. Quietly investigate.
2. **Preserve evidence.** Don't wipe machines or delete logs. You'll need them.
3. **Isolate affected systems.** If you can identify a compromised machine or account, disconnect it from the network.
4. **Call a professional.** This isn't a DIY situation. An incident response specialist can determine the scope, contain the threat, and guide recovery.
5. **Notify your cyber insurance carrier.** Most policies have a notification window. Don't wait.
The worst thing you can do is nothing. The second worst thing is assume it's nothing and hope it goes away. It won't.