Business Incident Response

Think your business has been hacked? Start here.

A compromised email account, ransomware, a fraudulent wire transfer, a data breach — when your business is hit, the first hour matters most. Here’s exactly what to do to contain the damage, and how HTCS can step in fast.


If an attack is happening right now

Do these first — before anything else


  • Disconnect affected devices from the network — unplug the network cable or turn off Wi-Fi to stop the spread. Do not power the machine off; that can destroy evidence.

  • Call your bank and payment processor if money or banking access is involved. Ask them to watch for, freeze, or recall fraudulent transfers immediately.

  • Stop all outgoing payments and verify any recent change to vendor or payroll bank details by phone — never by email.

  • Preserve everything — don’t delete emails, files, or logs. They’re needed for the investigation and your insurance claim.

  • Get expert help on the line — call HTCS at (619) 997-6571 and we’ll help you contain it.

A business breach is not just an inconvenience. It can expose customer and employee data, drain accounts through fraudulent transfers, halt operations for days, and trigger legal reporting obligations you didn’t know you had.

The goal in the first hours is simple: contain the attacker’s access, protect your money and data, and preserve what investigators and your insurer will need. The steps below walk you through it in order — in plain English, the same way we’d talk you through it on the phone.

Know what you’re dealing with

How businesses usually get breached

Most business incidents fall into one of a few patterns. Recognizing which one you’re facing helps you respond faster.

Business Email Compromise (BEC)

An attacker gets into a mailbox — usually through a phishing link — then quietly reads mail, sets up hidden forwarding rules, and sends fake invoices or wire requests from a trusted address.

Ransomware

Malware locks your files and servers and demands payment. It often spreads from a single infected machine across the entire network within minutes.

Stolen or reused credentials

A password leaked in someone else’s breach lets attackers log straight into email, VPN, or admin accounts — no hacking required.

Data breach

Customer or employee records are copied or exposed, which can trigger legal notification duties and erode the trust your clients place in you.

What to do, in order

Your business breach response, step by step

Work through these in sequence. If you’re not sure where you stand, start at step one and call us — we can do most of this remotely with you.

1. Contain it

Isolate affected accounts and devices. Disconnect compromised machines from the network but leave them powered on. Reset passwords on critical accounts and sign out all active sessions to force the attacker back out.

2. Lock down email & admin accounts

Reset passwords and turn on multi-factor authentication for email, Microsoft 365 or Google Workspace, banking, and any administrator logins. Check the mailbox for hidden auto-forwarding or auto-delete rules — a classic sign of email compromise.

3. Protect the money

Call your bank and payment processor right away. Ask them to flag or reverse fraudulent transfers, freeze pending payments, and verify any recent change to vendor or payroll banking details — confirmed by phone, never by email.

4. Preserve evidence & assess scope

Don’t wipe or “clean up” machines yet. Keep logs, emails, and affected files intact so you and your insurer can determine what was accessed and how. That record is essential for the investigation and any claim.

5. Meet your reporting duties

Notify your cyber-insurance carrier first — many policies require prompt notice and approved vendors. Report internet crime to the FBI Internet Crime Complaint Center (IC3). If customer or employee personal data was exposed, you may be legally required to notify affected people and regulators — check with your attorney, since rules vary by state and industry.

6. Notify the people who need to know

Warn staff, customers, and vendors who may be targeted with follow-on phishing or fake invoices sent in your name. Prompt, honest communication protects your relationships and shuts down further fraud.

7. Harden & prevent a repeat

Once you’re contained, rotate every credential, patch and update systems, deploy proper endpoint protection and monitored backups, and train your team to spot the next attempt. Our guides on business password managers and spotting phishing are a good place to start.

Mistakes that make a breach worse

Under pressure, well-meaning reactions often cause the most damage. Avoid these.


Don’t pay a ransom on your own. Contact your insurer and a professional first — payment is risky, sometimes legally restricted, and never guarantees you’ll get your data back.

Don’t wipe or rebuild machines immediately. You’ll destroy the evidence needed to understand the breach and satisfy your insurance claim.

Don’t approve payment or banking changes over email. Confirm every change by phone using a known number — this is exactly how wire fraud succeeds.

Don’t keep it quiet and hope it passes. Delays increase the damage and can blow past legal notification deadlines. Acting openly protects your business.

Don’t assume one password reset fixes it. Attackers leave behind forwarding rules, extra logins, and access tokens — a full sweep is the only way to be sure they’re out.
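
For whoever runs the mailbox check in step 2 and the full sweep mentioned above, here is one way to triage an exported list of mailbox rules. This is an added example, not an HTCS tool: the field names follow Exchange Online's Get-InboxRule output, while the export shape (plain SMTP addresses in lists), the example.com domain, and the sample rules are assumptions constructed for illustration.

```python
# Added example: triage an exported list of mailbox rules for signs of email compromise.
# Field names follow Exchange Online's Get-InboxRule output; the export shape is assumed.
INTERNAL_DOMAINS = {"example.com"}          # assumption: your own mail domains
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "payroll"}

# Constructed sample data, not taken from a real mailbox.
SAMPLE_RULES = [
    {"Mailbox": "ap@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ["collector@mail-relay.invalid"], "DeleteMessage": False,
     "SubjectContainsWords": ["invoice", "wire"]},
    {"Mailbox": "ap@example.com", "Name": "cleanup", "Enabled": True,
     "DeleteMessage": True, "FromAddressContainsWords": ["bank"]},
    {"Mailbox": "ceo@example.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["assistant@example.com"], "DeleteMessage": False},
    {"Mailbox": "ceo@example.com", "Name": "old", "Enabled": False,
     "RedirectTo": ["me@personal.invalid"]},
]

def external_targets(rule):
    """Return forwarding/redirect addresses outside the internal domains."""
    found = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            domain = addr.rsplit("@", 1)[-1].strip().lower()
            if domain not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def review_rule(rule):
    """Return a list of reasons this rule deserves a human look (empty if none)."""
    reasons = []
    targets = external_targets(rule)
    if targets:
        reasons.append("forwards outside the company: " + ", ".join(targets))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail automatically")
    words = {w.lower() for key in ("SubjectContainsWords", "FromAddressContainsWords")
             for w in rule.get(key) or []}
    if reasons and words & MONEY_WORDS:
        reasons.append("targets payment-related mail: " + ", ".join(sorted(words & MONEY_WORDS)))
    if reasons and not rule.get("Enabled", True):
        reasons.append("currently disabled, but record it before removing")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to the reasons it was flagged."""
    return {(r["Mailbox"], r["Name"]): why for r in rules if (why := review_rule(r))}

if __name__ == "__main__":
    for (mailbox, name), why in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(why))
```

Save the flagged rules with the rest of your evidence before disabling or removing them.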

Hit by an attack? Let’s contain it — now.

High Tech Computer Solutions provides patient, plain-English technology support to help your business contain the breach, secure accounts, review systems, remove malicious software, and protect your data and your customers. One accountable expert, on call when it matters most.






    No obligation. If I’m not the right fit, I’ll say so and point you in a better direction.