10 Signs Your Small Business May Have Been Hacked

Discover the key signs your small business may have been hacked — from strange logins to ransomware alerts — and learn how to respond fast to minimize damage.

Knowing the signs your small business may have been hacked could be the difference between a minor disruption and a business-ending catastrophe. Cybercriminals are no longer only targeting large corporations — they’ve shifted their focus to small businesses, which often have fewer defenses, less IT oversight, and more to lose from even a short period of downtime.

The numbers are sobering. A 2025 report documented over 3,000 cyber incidents involving small businesses, with 75% involving ransomware. Many of those businesses had no idea they’d been breached until the damage was already done. The average time between initial compromise and discovery is measured in weeks — sometimes months — giving attackers plenty of time to steal data, monitor communications, and establish persistent access.

Early detection changes everything. The sooner you recognize a breach, the faster you can contain it, minimize data loss, and protect your customers and reputation. This guide walks through 10 concrete warning signs that your business may have been compromised — and what to do the moment you spot them.

Why Small Businesses Are Prime Targets for Hackers

Figure: Distribution of Cyber Attack Types Targeting Small Businesses. Ransomware (75%), Phishing and Email Compromise (12%), Unauthorized Access and Account Takeover (7%), Financial Fraud and BEC (4%), Other Malware (2%). Source: based on 2025 small business cybersecurity incident reports.

There’s a common misconception that hackers only go after big companies with large payouts. In reality, small businesses are attractive precisely because of their vulnerabilities. According to Accenture’s cybersecurity research, only 14% of small businesses are adequately prepared to defend themselves against cyber threats. That means 86 out of every 100 small businesses are operating with significant security gaps.

Several factors make small businesses particularly vulnerable:

  • High employee turnover — departing employees may take data with them or leave behind unrevoked access credentials
  • Remote and mobile workforces — employees connecting from home networks or personal devices expand the attack surface significantly
  • Minimal IT support — many small businesses rely on a single generalist or no dedicated IT staff at all
  • Inadequate security training — staff who can’t recognize a phishing email are a hacker’s easiest entry point

Attackers understand this gap between enterprise-level threats and small business defenses. They exploit it systematically, using automated tools to scan thousands of businesses simultaneously for known vulnerabilities. Understanding your own risk profile — your team size, your tech stack, your data exposure — is the foundation of any real cybersecurity strategy.

If you’re just getting started with security basics, our guide to small business cybersecurity fundamentals is a good place to begin.

1. Account and Access Anomalies

One of the earliest and clearest signs your small business may have been hacked shows up in your accounts. Account-based anomalies — strange login activity, locked-out employees, and unfamiliar admin accounts — are often the first visible trace of an attacker who has gained a foothold in your systems.

Watch for these specific red flags:

  • Password reset emails or multi-factor authentication (MFA) prompts that nobody on your team initiated
  • Login activity from unfamiliar geographic locations — a user account suddenly active in Eastern Europe when your team is based in Ohio is not a coincidence
  • New admin accounts appearing in your systems that no one created — attackers routinely create hidden admin accounts to maintain access even after you change passwords
  • Employees suddenly locked out of accounts they use every day, often because an attacker has changed their credentials

Review your sign-in logs regularly. Most cloud platforms — Microsoft 365, Google Workspace, your CRM — provide access logs that show login times, devices, and locations. If you’re not checking them at least weekly, you’re flying blind.
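
As an added example (not part of the original article), the Python sketch below runs the weekly sign-in review over an exported log and flags the red flags listed above. The CSV columns, account names, and threshold are constructed assumptions; real exports from your platform use their own field names, which you would map in.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not any
# vendor's real schema. Map them to whatever your platform exports.
SAMPLE_LOG = """timestamp,user,country,result,event
2025-03-03T08:02:11,alice,US,success,login
2025-03-03T08:15:40,bob,US,success,login
2025-03-04T02:47:09,bob,RO,success,login
2025-03-04T02:49:30,bob,RO,success,password_reset
2025-03-04T02:51:02,bob,RO,success,admin_created:svc-backup2
2025-03-04T09:01:13,bob,US,failure,login
2025-03-04T09:01:45,bob,US,failure,login
2025-03-04T09:02:20,bob,US,failure,login
"""

EXPECTED_COUNTRIES = {"US"}           # where your staff actually work
KNOWN_ADMINS = {"alice", "it-admin"}  # admin accounts you created on purpose
LOCKOUT_THRESHOLD = 3                 # consecutive failed logins worth a look


def triage(log_text):
    """Return a list of (user, finding) tuples for a human to review."""
    findings = []
    fail_streak = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        user, event = row["user"], row["event"]
        ok = row["result"] == "success"
        # Any successful action from a country nobody works in.
        if ok and row["country"] not in EXPECTED_COUNTRIES:
            findings.append((user, f"{event} from unexpected country {row['country']}"))
        # Admin accounts that are not on the list you maintain.
        if ok and event.startswith("admin_created:"):
            new_admin = event.split(":", 1)[1]
            if new_admin not in KNOWN_ADMINS:
                findings.append((user, f"unrecognized admin account {new_admin}"))
        # A run of failed logins: the real employee may be locked out.
        if event == "login":
            fail_streak[user] = 0 if ok else fail_streak[user] + 1
            if fail_streak[user] == LOCKOUT_THRESHOLD:
                findings.append((user, "repeated failed logins (possible lockout)"))
    return findings


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_LOG):
        print(f"[review] {user}: {finding}")
```
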

2. Network Performance and Traffic Irregularities

A sudden, unexplained slowdown across multiple computers at once is one of the most telling signs your small business may have been hacked. When a single machine slows down, it’s usually a hardware or software issue. When several machines slow down simultaneously, that’s a network-level problem — and attackers are a common cause.

According to Cisco’s 2024 Cybersecurity Readiness Index, 45% of small businesses experience unexplained bandwidth spikes linked to malware activity each year. Here’s what’s often behind those spikes:

  • Cryptomining malware — attackers install software that uses your computers’ processing power to mine cryptocurrency, running your hardware hard and consuming resources around the clock
  • Data exfiltration — large volumes of data being quietly transferred out of your network to attacker-controlled servers
  • Lateral movement — an attacker who has compromised one machine is using it to probe and infect others on the same network

High CPU or memory usage on machines that are sitting idle is a particularly strong signal. If a workstation nobody is using is running at 90% CPU, something is running on it — and it may not be yours. Check your firewall logs for connections to unusual or unknown external domains. Connections to random IP addresses or obscure foreign domains that your business has no relationship with deserve immediate investigation.
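
The firewall-log check described above can be scripted. The following Python is an added example, not from the original article: it totals outbound traffic per workstation to destinations that are not on a list of services the business actually uses. The log layout, host names, destinations, and the 500 MiB threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed firewall log lines; the space-separated layout
# (time, internal host, destination, bytes sent) is an assumption.
SAMPLE_FW_LOG = """\
2025-03-04T10:12:00 ws-frontdesk mail.example-provider.test 48211
2025-03-04T10:12:05 ws-accounting bank.example-bank.test 15320
2025-03-04T23:40:10 ws-accounting 203.0.113.57 734003200
2025-03-04T23:55:42 ws-accounting 203.0.113.57 812646400
2025-03-05T01:02:19 ws-frontdesk 198.51.100.9 2048
2025-03-05T01:02:49 ws-frontdesk 198.51.100.9 2048
"""

# Services the business knowingly uses (constructed placeholders).
KNOWN_DESTINATIONS = {"mail.example-provider.test", "bank.example-bank.test"}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # 500 MiB to one unknown destination


def unknown_destinations(log_text):
    """Total outbound bytes per (host, unknown destination), largest first."""
    totals = defaultdict(lambda: {"bytes": 0, "connections": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip blank or malformed lines rather than crash
        _, host, dest, sent = parts
        if dest.lower() in KNOWN_DESTINATIONS:
            continue
        entry = totals[(host, dest)]
        entry["bytes"] += int(sent)
        entry["connections"] += 1
    report = []
    for (host, dest), t in totals.items():
        # Large volume to an unknown destination looks like data leaving.
        severity = "high" if t["bytes"] >= LARGE_TRANSFER_BYTES else "review"
        report.append((severity, host, dest, t["bytes"], t["connections"]))
    return sorted(report, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for row in unknown_destinations(SAMPLE_FW_LOG):
        print(row)
```
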

3. Email Compromise and Communication Attacks

Business email compromise (BEC) is one of the most financially damaging attack types facing small businesses today. Attackers gain access to an email account — often through a stolen password — and use it silently for weeks, monitoring conversations, intercepting invoices, and waiting for the right moment to redirect a payment or launch a targeted attack on your clients.

The warning signs are often subtle at first:

  • Bounce-back messages (“delivery failed” notifications) for emails you never sent — someone is sending messages through your account
  • Contacts calling to ask about a strange or suspicious email that appeared to come from your address
  • Replies arriving in your inbox for email threads you never started
  • Unauthorized email forwarding rules quietly configured to send copies of your incoming emails to an external address — this is a classic attacker move to monitor your communications without triggering obvious alerts

Check your email settings right now. Look at your forwarding rules, your sent items folder, and your connected apps. Many business owners discover compromised email accounts only after a customer reports receiving a fake invoice — by which point, real damage has already been done.
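
To make the forwarding-rule check repeatable, the added Python example below (not part of the original article) scans an exported list of mailbox rules and reports every rule that forwards mail outside the company's own domains. The rule fields, mailbox names, and domains are constructed assumptions; adapt them to the export your mail platform produces.

```python
from email.utils import parseaddr

COMPANY_DOMAINS = {"example-bakery.test"}  # assumption: domains you own

# Constructed rule export; field names are assumptions, not a vendor schema.
SAMPLE_RULES = [
    {"mailbox": "owner@example-bakery.test", "name": "Invoices to bookkeeper",
     "enabled": True, "forward_to": ["Pat <pat@example-bakery.test>"]},
    {"mailbox": "owner@example-bakery.test", "name": "sync",
     "enabled": True, "forward_to": ["archive <inbox.copy@mailbox-example.test>"]},
    {"mailbox": "sales@example-bakery.test", "name": "Old vendor copy",
     "enabled": False, "forward_to": ["rep@vendor-example.test"]},
    {"mailbox": "sales@example-bakery.test", "name": "Team copy",
     "enabled": True,
     "forward_to": ["ops@mail.example-bakery.test", "not-an-address"]},
]


def is_internal(address):
    """True if the address's domain is a company domain or a subdomain of one."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Match on a dot boundary so a domain that merely ends with the same
    # letters is not treated as internal.
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)


def external_forwards(rules):
    """Return (mailbox, rule name, target, status) for every non-internal target."""
    hits = []
    for rule in rules:
        for target in rule.get("forward_to", []):
            # Unparseable targets are reported too, so nothing is silently skipped.
            if not is_internal(target):
                status = "ACTIVE" if rule.get("enabled") else "disabled"
                hits.append((rule["mailbox"], rule["name"], target, status))
    return hits


if __name__ == "__main__":
    for hit in external_forwards(SAMPLE_RULES):
        print(hit)
```

Disabled rules are reported as well, because a rule that was switched off still shows that someone once set up external forwarding on that mailbox.
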

For guidance on securing your business communications, see our resource on protecting your business email accounts.

4. Ransomware, Malware, and File System Changes

Ransomware is the most visible and immediately disruptive form of cyberattack. One morning, employees open their computers and find that files are locked — replaced with encrypted versions and accompanied by a ransom note demanding payment in cryptocurrency in exchange for the decryption key. There’s no subtlety here. The attack announces itself.

But the signs your small business may have been hacked with malware often appear before the ransomware detonates. Earlier indicators include:

  • Unexpected software, browser extensions, or toolbars that appeared without anyone installing them — these are often remote access trojans (RATs) or spyware
  • Security software — antivirus, firewalls, endpoint protection — that has been disabled or uninstalled without any staff member taking that action
  • Missing, modified, or corrupted system files that were previously intact
  • Deleted or altered system logs — attackers routinely erase their tracks by wiping logs that would reveal their activity

If you encounter ransomware, do not pay the ransom. The Cybersecurity and Infrastructure Security Agency (CISA) strongly advises against payment — it doesn’t guarantee data recovery and marks your business as a willing payer, making you a target for repeat attacks. Isolate infected machines immediately, contact law enforcement, and work with a cybersecurity professional to restore from clean backups.

5. Financial and Operational Red Flags

Not every sign of a hack shows up on a screen. Some of the most telling indicators show up in your bank account, your vendor relationships, and your competitive standing in the market.

Financial red flags to watch for include:

  • Wire transfers or ACH payments you didn’t authorize — attackers who have compromised your banking credentials or email can redirect payments with alarming ease
  • Unexpected invoices for services your business never ordered, which may indicate that someone is using your accounts or vendor relationships
  • Vendor complaints that your payment destination has changed — a classic BEC tactic involves intercepting invoice communications and substituting attacker-controlled bank account details

Operational red flags are less obvious but equally serious. If your manufacturing or service business suddenly starts losing contracts to competitors who seem to have uncanny insight into your pricing, your client relationships, or your proposals — that’s worth investigating. Similarly, unexplained increases in energy costs without any corresponding increase in production hours can signal that hardware is being used by malware running in the background, consuming power around the clock.

These business-level anomalies suggest that proprietary information has been stolen and is actively being used against you. The financial damage extends well beyond the breach itself.

How to Respond If You Think Your Business Has Been Hacked

Speed matters. The moment you notice signs your small business may have been hacked, every minute counts. Here’s what to do immediately:

  1. Isolate affected systems. Disconnect compromised computers from the network — unplug ethernet cables and disable Wi-Fi. This stops the spread of malware to other machines and cuts off an attacker’s active access.
  2. Enable MFA and reset passwords. Force password resets on all accounts, starting with admin and financial accounts. Enable or enforce multi-factor authentication everywhere it isn’t already active.
  3. Contact law enforcement and a cybersecurity professional. Report the incident to the FBI’s Internet Crime Complaint Center (IC3) and engage a cybersecurity firm with breach response experience. Do not pay any ransom demands.
  4. Restore from clean backups. Only restore systems using backups that were created before the breach and stored offline or in a separate, uncompromised environment. Before reconnecting anything to the network, conduct a thorough security audit to ensure the threat has been fully removed.
  5. Audit user permissions and installed software. Remove any unrecognized admin accounts, revoke access for former employees, and uninstall any unauthorized software identified during the investigation.

Acting quickly and methodically — rather than panicking — gives you the best chance of containing the damage and resuming normal operations as fast as possible.

Common Mistakes Small Businesses Make After a Breach

How you respond to a breach matters almost as much as detecting it in the first place. These are the most damaging mistakes small businesses make in the aftermath of a cyberattack.

Paying the ransom. It’s understandable — your files are locked and your business is at a standstill. But paying funds criminal operations, doesn’t guarantee you’ll get your data back, and signals to attackers that you’re a cooperative target worth hitting again. Always exhaust backup restoration and professional decryption options first.

Failing to notify affected customers and partners. Many business owners hope they can quietly resolve a breach without disclosing it. Beyond the ethical problems with this approach, most states have mandatory breach notification laws. Failing to notify affected parties exposes you to significant legal liability on top of the reputational damage you’re already managing.

Reconnecting systems before completing a security audit. Bringing systems back online before you’ve fully removed the threat is how businesses get hit twice. Attackers frequently install backdoors designed to survive a basic wipe. A thorough audit — ideally conducted by a cybersecurity professional — must be completed before anything goes back on the network.

Ignoring the breach indicators entirely. Some business owners see the warning signs and assume the issue will resolve itself or that they were just experiencing a glitch. Breaches do not self-resolve. The longer an attacker maintains access, the more damage they cause. Treat every credible warning sign as a confirmed threat until you can prove otherwise.

Key Takeaways

  • Over 3,000 cyber incidents were reported involving small businesses in 2025, with 75% involving ransomware — early detection is critical to minimizing damage.
  • Only 14% of small businesses are adequately prepared to defend against cyber threats, making them high-value targets for attackers.
  • Key signs your small business may have been hacked include unexpected account lockouts, unfamiliar admin accounts, unexplained bandwidth spikes, bounce-back emails, and encrypted files with ransom notes.
  • Financial red flags — unauthorized wire transfers, unexpected invoices, and sudden changes to vendor payment details — are serious indicators of compromise.
  • If you suspect a breach, immediately isolate affected systems, reset passwords, enable MFA, and contact law enforcement and a cybersecurity professional.
  • Never pay a ransom. Restore from clean backups and complete a full security audit before reconnecting any systems to the network.
  • Conduct weekly reviews of sign-in logs, firewall traffic, and installed software. Consider a managed security service provider if you lack dedicated IT staff.

How can I tell if my small business has been hacked?

Common signs include unexpected password changes, unfamiliar admin accounts, sluggish network performance, bounce-back emails you never sent, and encrypted files accompanied by ransom notes. Financial anomalies like unauthorized wire transfers or unexpected invoices are also strong indicators. If multiple warning signs appear simultaneously, treat it as a confirmed breach and act immediately.

What should I do first if I suspect my business has been hacked?

Isolate affected systems from the network immediately to stop the spread. Change passwords and enable multi-factor authentication on all accounts. Contact a cybersecurity professional and report the incident to law enforcement. Do not pay any ransom demands. Begin restoring systems only from clean, verified backups after a thorough security audit has been completed.

How do hackers typically get into small business networks?

The most common entry points are phishing emails that trick employees into revealing credentials, weak or reused passwords, unpatched software vulnerabilities, and remote desktop protocol (RDP) exposed to the internet. Remote workers using unsecured networks and departing employees whose access was never revoked also represent significant risks for small businesses.

Can a small business recover from a cyberattack without paying the ransom?

Yes. Businesses with clean, up-to-date backups stored offline or in a separate environment can restore operations without paying. Law enforcement agencies and cybersecurity firms also maintain decryption tools for some ransomware variants. Paying a ransom does not guarantee data recovery and may mark your business as a repeat target, so it is strongly discouraged.

How often should a small business check for signs of a hack?

Security monitoring should be continuous where possible. At minimum, review sign-in logs, firewall traffic, and installed software weekly. Conduct a full security audit quarterly, including email forwarding configurations, user permissions, and backup integrity. Businesses without dedicated IT staff should consider a managed security service provider for ongoing monitoring and rapid incident response.

Stay Vigilant — The Signs Are There If You Know What to Look For

Cybercriminals are patient, methodical, and increasingly sophisticated. But they also leave traces — and recognizing those traces early is one of the most powerful advantages a small business owner can have. The signs your small business may have been hacked rarely appear as a single, obvious alarm. More often, they’re a cluster of small anomalies that, taken together, tell a clear story.

Strange login activity. Sluggish machines. Bounce-back emails. An unexpected invoice. A vendor calling about changed payment details. Any one of these might have an innocent explanation. Several of them appearing at the same time almost certainly don’t.

Build the habit of checking your security indicators regularly. Review your logs. Audit your accounts. Train your team to report anything that seems off. And make sure you have clean, verified backups that live outside your primary network. These aren’t complex or expensive measures — but for most small businesses, they’re the difference between recovering from a breach in days and not recovering at all.

Your business is worth protecting. Start with what you can see, fix what you can reach, and get help for the rest.
