Under Attack Now? Help!

Techtrix, LLC · Plain-English first steps when something feels very wrong

Think you’re under attack right now?

Take a breath. You will get through this. Techtrix helps Greater Sacramento small businesses respond — fast and judgment-free.

📞 Call (916) 720-2012 Book a Call

⚠ Read this first. This playbook is free, general education — not legal, financial, or professional security advice, and not a substitute for either. The steps below assume a strong technical background and appropriate legal counsel. Acting on them is at your own risk; some actions (preserving evidence, notifying regulators, recalling funds, paying or contacting attackers) carry legal and financial consequences. Before you take action on a live incident, engaging a qualified professional, your cyber-insurance carrier, and legal counsel is strongly advised. When in doubt, stop and call us — a calm expert on the phone beats a costly mistake.

If anyone’s safety is at risk, call 911 first.

Cyber incidents are scary, but most small-business situations follow predictable patterns — and predictable patterns have playbooks. This page breaks down the most common attacks in plain English, with practical first steps and an honest note on when to bring in a professional. Skim to your situation, or start with the universal first five minutes.

First 5 Minutes — For Any Incident

  • Don’t panic, don’t hide it. Speed and honesty beat perfection. The faster you act and tell the right people, the smaller the damage.
  • Contain, don’t destroy. Disconnect affected devices from the network (unplug Ethernet, turn off Wi-Fi) but leave them powered on — you may need the evidence.
  • Write down what you see. Time, what happened, error messages, screenshots. Your insurer, bank, and responders will all need it.
  • Call for backup. Your IT/security professional, and your cyber-insurance carrier (many require early notice and provide a response team).
  • Protect the money. If anything financial is involved, contact your bank’s fraud line right away.

Account Takeover (ATO) & Business Email Compromise (BEC)

What it looks like: Someone other than the account owner is logged into an email, Microsoft 365, or banking account. Tell-tale signs: inbox rules that secretly forward or delete mail, sent messages you did not write, surprise password-reset emails, or a vendor saying they got a weird payment request “from you.”

First 15 minutes — do this now:

  • Change the account password from a different, trusted device — and turn on MFA if it is not already on.
  • Sign out all active sessions (most services have a “log out everywhere” button).
  • Check for and delete malicious mailbox/forwarding rules and any added recovery email or phone.
  • Warn your team and any vendors/clients not to act on recent requests from that account until cleared.

Then:

  • Review sent items, login history, and connected apps for anything unfamiliar.
  • Reset passwords on any account that shared that password.
  • If money or payroll was touched, jump to the Wire Fraud & Financial Theft section below.

Please do NOT:

  • Do not just change the password and move on — attackers leave hidden forwarding rules and app passwords behind.
  • Do not delete the evidence (logs, emails) you may need for your insurer or the bank.
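A way to review a mailbox's rules for the hidden forwarding and deleting described above, as an added example that is not Techtrix's own tooling. It assumes the rules were exported as JSON with the property names Exchange Online's Get-InboxRule reports (for instance by piping it to ConvertTo-Json); the own-domain setting, the list of rarely opened folders, and the sample rules are constructed for illustration.

```python
import json
import re

OWN_DOMAINS = {"example.com"}          # assumption: your own mail domain(s)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email"}   # assumed watch list
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export; not real data.
SAMPLE_JSON = """[
 {"Name": ".", "Enabled": true, "MarkAsRead": true, "DeleteMessage": true,
  "ForwardTo": ["Backup [SMTP:billing.backup@mail-relay.example.net]"]},
 {"Name": "Invoices", "Enabled": true, "MarkAsRead": true,
  "MoveToFolder": "RSS Feeds"},
 {"Name": "Copy to ops", "Enabled": true, "ForwardTo": "ops@example.com"},
 {"Name": "Newsletters", "Enabled": true, "MoveToFolder": "Newsletters"}
]"""

def as_list(value):
    """A JSON export may hold a bare value where a one-item list is meant."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_rule(rule):
    """Return the reasons a rule deserves a human look (empty list = none)."""
    reasons = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in as_list(rule.get(field)):
            domains = EMAIL_DOMAIN.findall(str(target))
            if any(d.lower() not in OWN_DOMAINS for d in domains):
                reasons.append(f"{field} sends mail outside the company: {target}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if str(rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append(f"files mail into rarely opened folder {rule['MoveToFolder']}")
    if reasons and rule.get("MarkAsRead"):
        reasons.append("marks it read, so nothing shows as new")
    return reasons

def review_export(json_text):
    """Map rule name -> reasons for every rule that was flagged."""
    flagged = {}
    for rule in as_list(json.loads(json_text)):
        reasons = review_rule(rule)
        if reasons:
            flagged[rule.get("Name", "(unnamed)")] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in review_export(SAMPLE_JSON).items():
        print(f"REVIEW rule {name!r}: " + "; ".join(reasons))
```

Save a copy of the export before deleting any rule it flags, since the rule itself is evidence of what the intruder was watching for.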

When to call a pro: If this is a business email or anything tied to money, get help fast — BEC is the costliest attack for small businesses, and the first hour matters most.

Phishing & Social Engineering

What it looks like: You (or a coworker) clicked a link, entered a password on a fake login page, opened a sketchy attachment, or got a too-urgent call/text pretending to be your bank, the boss, or a vendor. Social engineering is just manipulation — pressure, urgency, and authority used to make you skip your normal caution.

First 15 minutes — do this now:

  • If you entered a password anywhere, change it now (and anywhere you reused it) from a clean device, and enable MFA.
  • Disconnect the device from the internet/Wi-Fi if you opened an attachment or installed something.
  • Tell your IT contact and your team — one click often means the same lure hit other inboxes.

Then:

  • Run a full malware scan on the affected device before reconnecting.
  • Report the message (most email platforms have a “report phishing” button) and block the sender.
  • Verify any money or data request through a known phone number — never the contact info in the suspicious message.

Please do NOT:

  • Do not reply to the message or call the number it provides.
  • Do not be embarrassed into silence — speed of reporting beats perfection every time.

When to call a pro: Not sure what the click actually did? A quick professional review can confirm whether anything was installed or stolen.

Ransomware

What it looks like: Files are suddenly encrypted or renamed, you cannot open documents, and there is a ransom note (a pop-up or text file) demanding payment in cryptocurrency. Systems may be slow or locking up across multiple computers.

First 15 minutes — do this now:

  • Isolate, do not power off: unplug the network cable and turn off Wi-Fi on affected machines to stop it spreading, but leave them on to preserve evidence and memory.
  • Disconnect shared drives, backups, and USB devices so the infection cannot reach them.
  • Alert everyone to stop using the network and report anything unusual.
  • Call your cyber-insurance carrier and a professional before taking further action — many policies require it and provide a response team.

Then:

  • Identify which systems and backups are clean.
  • Preserve the ransom note and a sample encrypted file (your responders will need them).
  • Plan recovery from known-good, offline backups — do not rush a restore onto a still-infected network.

Please do NOT:

  • Do not pay the ransom or contact the attackers on your own — involve professionals, legal counsel, and your insurer first.
  • Do not wipe or rebuild machines until evidence is preserved.
  • Do not assume one clean backup is enough — verify it is truly uninfected before restoring.

When to call a pro: Ransomware is a stop-everything event. Engage your insurer, legal counsel, and a qualified responder immediately — this is not a DIY situation.

Wire Fraud & Financial Theft

What it looks like: Money left an account it should not have: a fraudulent wire or ACH, a changed vendor “bank update,” payroll redirected, or a fake invoice paid. Often this is the payday at the end of a BEC or phishing attack.

First 15 minutes — do this now:

  • Call your bank’s fraud line immediately and request a recall/reversal — the first 24–72 hours are critical.
  • Report it to the FBI’s IC3 at ic3.gov (their recovery team can sometimes freeze transfers).
  • Secure the email/accounts involved (see Account Takeover above) so it cannot happen again mid-cleanup.
  • Notify your leadership and, if relevant, the real vendor through a known phone number.

Then:

  • Document everything: amounts, dates, account numbers, and the messages that led to the transfer.
  • Loop in your cyber-insurance carrier — funds-transfer fraud is often covered, but notice deadlines are strict.
  • Add verbal call-back verification for any future banking changes.

Please do NOT:

  • Do not wait to “see if it reverses” — speed is everything with wire recalls.
  • Do not communicate further through the compromised email account.

When to call a pro: Move fast and in parallel: bank, IC3, insurer, and a professional all at once. Techtrix can help coordinate the technical side while you work the financial side.

DDoS & Website/Network Flooding

What it looks like: Your website, email, or internet connection suddenly grinds to a halt or goes fully offline — not from a code bug, but from a flood of junk traffic designed to overwhelm it. Customers cannot reach you and things feel “stuck.”

First 15 minutes — do this now:

  • Contact your hosting provider, ISP, or CDN (e.g., Cloudflare) — they have the tools to absorb or filter the flood.
  • Turn on any “under attack” / DDoS-protection mode your provider offers.
  • Confirm it is actually an attack and not an outage or a viral traffic spike.

Then:

  • Capture timestamps and any provider alerts for your records and insurer.
  • Once stable, put a CDN/DDoS protection service in front of your site so the next one is a non-event.
  • Watch closely — a DDoS is sometimes a smokescreen for another attack.

Please do NOT:

  • Do not pay any “stop the attack” ransom demand.
  • Do not make rushed DNS or firewall changes that could lock you out or break recovery.

When to call a pro: If your revenue runs through your website or connection, a professional can stand up proper DDoS protection quickly and watch for what the noise might be hiding.

Data Breach / Stolen Data

What it looks like: Customer, employee, patient, or financial data may have been accessed or copied — whether through a hacked account, lost device, or exposed system. You may have found data for sale, gotten an extortion note, or spotted unexplained large downloads.

First 15 minutes — do this now:

  • Contain it: lock the affected accounts/systems and revoke access (see Account Takeover).
  • Preserve logs and evidence — do not delete or “clean up” yet.
  • Engage legal counsel and your cyber-insurance carrier early — breach notification has legal deadlines under California law (and others).

Then:

  • Work with professionals to determine what data, and whose, was actually affected.
  • Follow counsel’s guidance on required notifications to individuals and regulators.
  • Reset credentials and close the gap that allowed access.

Please do NOT:

  • Do not notify customers or make public statements before legal counsel advises — wording and timing carry legal weight.
  • Do not assume “it was probably nothing” — document and verify.

When to call a pro: Breaches carry legal and regulatory obligations. Always involve qualified legal counsel and a professional responder — this playbook is a starting point, not legal advice.

Malware / Virus Infection

What it looks like: A device is behaving strangely: pop-ups, sudden slowness, programs you did not install, the camera or browser acting on its own, or your antivirus throwing alerts.

First 15 minutes — do this now:

  • Disconnect the device from the network and the internet.
  • Do not log into banking or other sensitive accounts from that device.
  • Run a full scan with reputable, updated security software.

Then:

  • From a different clean device, change passwords for anything accessed on the infected machine.
  • If it cannot be fully cleaned with confidence, have it professionally wiped and rebuilt.
  • Check other devices on the same network for spread.

Please do NOT:

  • Do not “just restart and hope.”
  • Do not enter passwords on a machine you suspect is infected.

When to call a pro: If the device touches sensitive data or you are not certain it is fully clean, a professional rebuild is cheaper than a breach.

Lost or Stolen Device

What it looks like: A laptop, phone, or tablet with access to email, files, or saved passwords has gone missing.

First 15 minutes — do this now:

  • Use remote-lock / remote-wipe (Find My, Microsoft/Google device management) right away.
  • Change the passwords for accounts that device was signed into, and sign out all sessions.
  • Report the theft to the police if appropriate — you may need the report for insurance.

Then:

  • Confirm the device was encrypted (so the data is unreadable) — and make sure future devices are.
  • Review what accounts and data lived on it and monitor them.

Please do NOT:

  • Do not delay the remote wipe hoping it “turns up.”
  • Do not forget saved browser passwords — those count as exposed.

When to call a pro: Good device management makes this a shrug instead of a crisis. Techtrix can set that up before the next one walks off.

Insider Threat (Departing or Disgruntled Staff)

What it looks like: A current or former team member may be taking data, deleting files, or still has access they should not — sometimes innocently, sometimes not.

First 15 minutes — do this now:

  • Disable their accounts and access immediately on departure (or suspicion), including email, cloud apps, VPN, and shared logins.
  • Change any shared passwords they knew.
  • Preserve logs and files — do not delete the departed user’s account until data is secured and exported.

Then:

  • Review recent access, downloads, and forwarding rules.
  • Tighten least-privilege access so fewer people hold sensitive keys.
  • Involve HR and legal counsel where conduct is in question.

Please do NOT:

  • Do not leave “temporary” shared accounts active after someone leaves.
  • Do not handle a suspected malicious insider without HR and legal guidance.

When to call a pro: A clean off-boarding checklist prevents most of this. Techtrix can build one and automate the access cut-off.

Website Hacked or Defaced

What it looks like: Your website shows content you did not put there, redirects visitors elsewhere, throws security warnings, or Google flags it as “deceptive.”

First 15 minutes — do this now:

  • Contact your hosting provider — they can often snapshot, isolate, or roll back quickly.
  • Change your hosting, CMS (e.g., WordPress), FTP, and database passwords.
  • Take the site to a maintenance page if it is serving malware to visitors.

Then:

  • Restore from a known-clean backup, then update every plugin, theme, and core platform.
  • Scan for leftover backdoors before going live again — attackers love to leave a spare key.
  • Request a review from Google Search Console if you were flagged.

Please do NOT:

  • Do not just delete the visible defacement — the way in is usually still open.
  • Do not reuse the same passwords after cleanup.
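One way to see what an intruder added or altered, as an added example that is not part of the original playbook: hash every file in the live web root and in the known-clean backup, then list the differences. The directory layout and file contents in `demo()` are constructed; point `compare_to_backup` at your own two folders.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if os.path.islink(full):
                continue  # do not follow links out of the web root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result

def compare_to_backup(backup_root, live_root):
    """Files added to, changed in, or missing from the live site."""
    clean, live = manifest(backup_root), manifest(live_root)
    return {
        "added": sorted(set(live) - set(clean)),
        "changed": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }

def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Constructed example: one file altered, one planted, one removed."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        write_tree(backup, {"index.php": "<?php home();", "inc/db.php": "<?php db();",
                            "robots.txt": "ok"})
        write_tree(live, {"index.php": "<?php home(); extra();",
                          "inc/db.php": "<?php db();", "uploads/cache.php": "<?php x();"})
        return compare_to_backup(backup, live)

if __name__ == "__main__":
    print(demo())
```

Run the comparison before updating plugins and themes, because an update changes files too. Upload and cache folders will show legitimate differences, and the comparison does not cover anything stored in the database.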

When to call a pro: Websites are a common back door into the rest of your business. A professional cleanup confirms the attacker is actually gone — not just hiding.

You Don’t Have to Do This Alone

This playbook hands you an abundance of free, practical guidance — on purpose. But reading about an incident and managing one under pressure are very different things. Techtrix helps small businesses contain, recover from, and (better yet) prevent these situations, with straight talk and zero judgment.

Need a hand right now?  Call (916) 720-2012  Book a Call

Reminder: none of the above is recommended without a strong technical background and appropriate legal counsel. It is provided as free education, at your own risk, and professional guidance is advised. Always involve your insurer and legal counsel on a live incident.
