
    Am I Hacked? 10 Warning Signs and What to Do Next

    Sectricity Security Team, May 7, 2026

    Think you might be hacked? Learn the 10 most reliable warning signs of compromise, the first 5 actions to take in order, and when to call professional incident response support.

    incident response, account compromise, business email compromise, NIS2, GDPR, phishing, security awareness, penetration testing


    TL;DR

    • Unexpected logins, password failures, MFA prompts you didn't trigger, and unknown email forwarding rules are the most reliable signs of a compromised account.
    • The first action is always the same: disconnect the affected device from the network, but do not power it off.
    • Change passwords from a different, clean device. Never from the device you suspect is compromised.
    • For business accounts, NIS2 obliges essential and important entities to report significant incidents within 24 hours of becoming aware of them.
    • If multiple accounts or systems are affected, treat it as an incident, not an inconvenience. Professional response in the first hour shapes the outcome.

    Introduction

    The question "am I hacked?" usually arrives at a bad moment. A strange login alert, a friend asking why you sent them a weird link, a credit card transaction you do not recognise. Panic is the worst response, because panic leads to fast, irreversible mistakes: wiping evidence, resetting passwords from a compromised device, paying a ransom before validating the threat.

    This guide gives you ten concrete signs that you have been hacked, the first five actions to take in the right order, and a clear marker for when to call professional help. It applies to individuals and to organisations. If you suspect a business compromise involving email, payments, or customer data, read this alongside our guide on how to prevent Business Email Compromise and our Incident Response Plan for the first 72 hours.

    10 warning signs that you have been hacked

    1. Unexpected login alerts or "new device added" notifications

    Microsoft 365, Google, Apple, banks, and most modern SaaS platforms send a notification when a new device or session is registered. If you receive one from a location, browser, or device you do not recognise, treat it as a live signal. Do not click the link inside the email. Open the service directly in your browser and check the active sessions list.

    2. Passwords that suddenly stop working

    If you are locked out of an account you used yesterday, and the "reset password" link gets sent to an email address you no longer control, an attacker has likely changed your recovery options. This is one of the clearest signals of an account takeover.

    3. Contacts receiving strange messages from you

    A friend, colleague, or client asking why you sent them a Bitcoin link, a gift card request, or an invoice they were not expecting is a strong signal. It usually means your email or messaging account is being used to phish your network.

    4. Bank or card transactions you do not recognise

    Small, unfamiliar transactions are often a test before a larger transfer. Most banks let you freeze the card from their app in under a minute. Do that first, then contact the bank directly through their published number, never through a number provided in a suspicious message.

    5. Slower system, unknown processes, browser redirects

    A device that suddenly runs hot, drains its battery, redirects searches to unfamiliar sites, or shows browser extensions you did not install can indicate malware. On Windows, check Task Manager and services.msc. On macOS, check Activity Monitor and ~/Library/LaunchAgents.

    6. Antivirus or EDR disabled without your action

    If your endpoint protection is turned off, missing definitions, or showing tampered status, assume a process with administrative rights did this. Legitimate updates rarely require disabling protection.

    7. Email forwarding rules you did not create

    This is the single most common indicator of Business Email Compromise. Attackers create silent forwarding rules so that responses to phishing emails or financial conversations never reach the legitimate inbox. In Microsoft 365, check Outlook Web rules and the "Forward to" setting in mailbox properties. In Google Workspace, check Settings, Forwarding and POP/IMAP, and Filters.

    8. MFA codes you did not request

    If a multi-factor authentication code arrives on your phone without you trying to log in, someone has your password and is attempting to bypass MFA. Push-bombing attacks repeatedly send approval requests in the hope you tap accept by accident. Deny everything, then change the password immediately.

    9. Unknown devices in your account overview

    Microsoft 365 (My Account, Devices), Google (Your Devices), Apple ID, and LinkedIn all show registered devices. An iPad in Romania that you do not own is not a glitch.

    10. A "your data has been leaked" email, real or fake?

    Many of these are scams designed to scare you into paying. Validate by checking your email on Have I Been Pwned and by reviewing whether the email matches a breach you actually heard about. Real leak notifications from companies like Microsoft, Google, or your bank typically arrive through your account dashboard, not unsolicited email.
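
Warning sign 8 (MFA prompts you did not request) can also be spotted from the defender's side in sign-in logs. This added example, not part of the original article, flags bursts of denied or timed-out push prompts per user and marks the case where an approval follows the burst; the event tuple format, the threshold and the window are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, outcome of the MFA push).
SAMPLE_EVENTS = [
    ("2026-05-07T02:10:05", "alice", "denied"),
    ("2026-05-07T02:10:40", "alice", "timeout"),
    ("2026-05-07T02:11:15", "alice", "denied"),
    ("2026-05-07T02:12:02", "alice", "timeout"),
    ("2026-05-07T02:12:50", "alice", "approved"),
    ("2026-05-07T08:59:30", "bob", "timeout"),
    ("2026-05-07T09:00:10", "bob", "approved"),
]


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold unapproved pushes inside the window.

    Returns {user: {"failed": n, "approved_after": bool}}.
    """
    by_user = {}
    for ts, user, result in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), result))

    alerts = {}
    for user, rows in by_user.items():
        recent = []  # denied/timed-out pushes still inside the window
        for when, result in rows:
            recent = [t for t in recent if when - t <= window]
            if result == "approved":
                # An approval right after a burst suggests an accidental accept.
                if len(recent) >= threshold:
                    alerts.setdefault(user, {"failed": len(recent)})
                    alerts[user]["approved_after"] = True
                recent = []
            else:
                recent.append(when)
                if len(recent) >= threshold:
                    entry = alerts.setdefault(
                        user, {"failed": 0, "approved_after": False})
                    entry["failed"] = max(entry["failed"], len(recent))
    return alerts
```

An alert with `approved_after` set is the case to treat as a live compromise: the password is known and a prompt was accepted, so the session needs revoking as well as the password changing.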

    The first 5 actions to take, in order

    1. Disconnect, do not power off

    Disconnect the affected device from Wi-Fi and ethernet. Powering off destroys volatile evidence in RAM that an incident response team needs. Disconnecting stops the bleeding without erasing the forensic trail.

    2. Change passwords from a clean device

    Use a phone or another computer that has not been involved in the suspected breach. Start with email accounts, because email is the root of password recovery for almost everything else. Then move to financial accounts, then identity providers, then everything else.

    3. Force MFA on critical accounts

    If MFA was not yet enabled, enable it now on email, banking, identity providers, and admin accounts. Use an authenticator app or a hardware key rather than SMS where possible.

    4. Check forwarding rules, OAuth tokens, and app permissions

    In Microsoft 365 and Google Workspace, remove unknown forwarding rules, revoke OAuth tokens for third-party apps you do not recognise, and remove app passwords that are no longer needed. This step is often skipped, and is the reason attackers regain access after a password reset.

    5. Document everything

    Screenshots of suspicious activity, timestamps, IP addresses, transaction IDs, the exact text of strange emails. If you later involve law enforcement, insurance, or an incident response team, this evidence shortens the investigation considerably.
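
Step 4 above, and warning sign 7 before it, come down to reviewing mailbox rules for forwarding you did not set up. The Python below is an added example, not part of the original article: it triages an export of inbox rules, assuming the rules are dicts shaped like Microsoft Graph's messageRule resource and that `OWN_DOMAINS` lists the domains you own; the sample rules and addresses are constructed.

```python
# Rule dicts are modelled on Microsoft Graph's messageRule resource.
# Every rule, address and domain below is constructed for illustration.
OWN_DOMAINS = {"example.com"}  # assumption: domains your organisation owns

SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-1"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "billing@outside.test"}}],
                 "delete": True, "stopProcessingRules": True}},
    {"displayName": "To assistant", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "pa@example.com"}}]}},
    {"displayName": "old", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@outside.test"}}]}},
]

FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
HIDE_KEYS = ("delete", "permanentDelete", "markAsRead")  # keep the owner unaware


def external_recipients(actions):
    """Return forwarding targets whose domain is not in OWN_DOMAINS."""
    found = []
    for key in FORWARD_KEYS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "")
            if addr.rpartition("@")[2].lower() not in OWN_DOMAINS:
                found.append(addr)
    return found


def audit_rules(rules):
    """Return (name, severity, reasons) for each rule that forwards externally."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = external_recipients(actions)
        if not external:
            continue
        hides = [k for k in HIDE_KEYS if actions.get(k)]
        reasons = [f"forwards to {a}" for a in external]
        reasons += [f"also sets {k}" for k in hides]
        if not rule.get("isEnabled", True):
            severity = "review"  # disabled now, but someone created it
        else:
            severity = "high" if hides else "medium"
        findings.append((rule.get("displayName", ""), severity, reasons))
    return findings
```

Rules that forward externally and also delete or mark the message as read rank highest, because that combination is what keeps replies out of the legitimate inbox.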

    When is this an incident, and who do you call?

    For individuals, the boundary is simple: if money has moved, if identity documents are exposed, or if you cannot regain control of your primary email, contact your bank and file a police report. For accounts, contact the provider through their official support channel.

    For organisations, the boundary is different. Under the NIS2 Directive, essential and important entities in the EU must submit an early warning of a significant incident within 24 hours, followed by an incident notification within 72 hours. Even if you fall outside NIS2, customer data breaches typically trigger GDPR notification obligations.

    Practically: if more than one account is affected, if customer or financial data may be exposed, or if you have evidence of persistence (the attacker keeps coming back after each cleanup), treat it as an incident. Read our Incident Response Plan: what to do in the first 72 hours and engage professional help. The first hour shapes the cost and the legal exposure of the entire response.

    How do you stop this from happening again?

    Most successful attacks follow a predictable pattern: a phished credential, a missing MFA, an exposed external service, a user who clicked. The defences are equally predictable, but they only work if they are tested rather than assumed.

    A regular penetration test shows where attackers can actually get in, validated by hand rather than by a scanner. Combine it with security awareness training that uses realistic phishing and smishing simulations, so your team recognises the techniques described in this article before they cost you money. Awareness alone is not enough, and pentesting alone is not enough. The two together close the gap.

    Frequently Asked Questions

    How do I know if my email has been hacked?

    The clearest signals are unexpected login alerts from unfamiliar locations, contacts receiving messages you did not send, email forwarding rules you did not create, and password reset links you did not request arriving for your accounts. Check your account's sign-in history and active sessions through the official provider interface, never through a link in a suspicious email.

    Should I turn off my computer if I think I have been hacked?

    No. Disconnect the device from the network, but leave it powered on. Powering off destroys evidence in volatile memory that incident responders need to understand the attack. Disconnecting prevents further damage without erasing the forensic trail.

    Can I just change my password and be safe again?

    Not always. Attackers often create persistence: email forwarding rules, OAuth tokens for third-party apps, recovery email changes, app-specific passwords. After a password change, review all of these. Otherwise, the attacker regains access through a backdoor you did not close.

    What is the first hour worth in an incident?

    A lot. The first hour determines whether the attacker still has access, whether evidence is preserved, whether the breach can be contained to one account or spreads laterally, and whether legal notification deadlines can be met. Rushed actions in the first hour also cause the most expensive mistakes, which is why a written incident response plan and a clear escalation path matter.

    When do I need to involve professional incident response?

    When more than one account or system is affected, when customer or financial data may be exposed, when the attacker appears to regain access after each cleanup, or when you fall under NIS2 or GDPR notification obligations. Individual account compromises with no data exposure can usually be handled in-house if you act quickly.

    Can a pentest prevent a future hack?

    A pentest does not prevent every future incident, but it identifies the specific paths an attacker would use against your organisation today, validated by hand. Combined with security awareness training, it removes the most likely entry points before they are exploited. The goal is to make a successful attack harder, slower, and more visible.

    Related services and resources

    If you are dealing with a suspected breach right now, start with our Incident Response Plan: what to do in the first 72 hours and our guide on how to prevent Business Email Compromise. If you want to understand the attacker's perspective, read what a hacker actually does, from OSINT to pentesting. To reduce the chance of being in this situation again, our penetration testing service tests your external attack surface by hand, and our security awareness training prepares your team for the phishing, smishing, and BEC techniques described above.