“What to Do When You’re Hacked: A Plain-English Incident Response Guide”

Maybe someone just called to say they received an email from you that seemed odd. Or maybe your bank is reporting a transaction that you know you didn’t make, and your account balance is a little lower as a result. Or maybe your PC is telling you that your files are encrypted (another way of saying digitally locked) and cannot be accessed unless you pay a ransom. Whatever the situation, you’re likely visiting this page because you believe you’ve been hacked. I want to show you what to do when you’ve been hacked, because the statistics tell a story of small businesses and individuals being bigger targets than the large companies. According to the Verizon 2025 DBIR, small and medium-sized businesses are targeted nearly four times more often than large organizations, and 88% of breaches against small and medium-sized businesses (SMBs) involve ransomware, with a median ransom payment of $115,000.

In nearly a decade of experience in IT and cybersecurity, this is probably the biggest concern I’ve seen every person and company wrestle with: “What do we do if we are hacked?” While each situation will be a little different, there are a number of general rules worth applying to every one of them. I want to offer help so you can avoid making the problem worse, and to try to reduce the amount of cybercrime out there.

For the purposes of this article, I am defining “hacked” as any unauthorized access to, manipulation of, or misuse of a user’s systems, accounts, or data. “Incident response” is simply the phrase used to describe how cybersecurity experts respond to malicious activity after it is discovered. And since it’s not uncommon for hackers (malicious people who use digital attacks) to avoid detection for as long as 241 days (2025 Verizon DBIR), that discovery could come significantly after the initial attack.

1. Breathe Deeply

The first and most important step when you are hacked is to breathe deeply. Hackers often use anxiety and a sense of panic against their victims. When an emergency happens and you respond with a knee-jerk reaction, mistakes are made and problems become bigger problems. Critical thinking drops and the ability to think clearly is impaired when you panic. To avoid panicking, pause and take a deep breath.

2. State the Facts

Panic is driven by thinking through the worst possible outcome of a situation and convincing yourself that this is what is going to happen. Instead, state the facts as they are. Think through what you know: “An email was sent out as if it were from me and asked people to click on a link.” By laying out and focusing on each of the facts, you open yourself up to the observation that needs to happen and reduce the out-of-control hypothesizing that can take place. This is also the place, as a Christian, where you need to remind yourself that God is sovereign, Christ has saved you, and that no matter what happens on earth, you have an eternal future that cannot be impacted by a hacker.

3. Observe and Ask Questions

This is where your inner Sherlock Holmes comes into play. If someone indicates they received a suspicious email from you, ask them to hover their mouse over:

  1. the sender’s name to get the exact email address (letters and numbers can often be interchanged to make it look legitimate so look closely).
  2. any links (but do not click on them) so that the address of the link appears in a small popup window and you can get a better idea of where the link will take you. Does the web address (URL) look like it would take you to the expected destination based on the email’s contents?
  3. any additional attachments, pictures, or links in the email that would give you a clue.
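As an added illustration (not part of the original article), here is a small Python script that does what the hover checks above do by hand: it parses a constructed sample email, pulls out the sender’s real address and domain, and lists each link’s visible text beside the host the link actually points at, flagging any mismatch. The sample message and its domains are made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the address swaps a digit "1"
# for the letter "l", and the link's visible text differs from its real target.
RAW_MESSAGE = b"""From: "Jane Doe" <jane.doe@examp1e.com>
To: you@example.com
Subject: Please review this document
Content-Type: text/html; charset="utf-8"

<html><body><p>Open the shared file here:
<a href="http://files.example-login.net/doc">https://drive.example.com/doc</a>
</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Gather (visible text, href) pairs for every anchor in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def inspect_message(raw: bytes) -> dict:
    """Return the real sender address and each link's text beside its real host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    links = []
    for text, href in collector.links:
        # If the visible text looks like a URL, compare its host with the real one.
        shown_host = urlparse(text).hostname if "://" in text else None
        real_host = urlparse(href).hostname
        links.append({"shown": text, "target_host": real_host,
                      "mismatch": shown_host is not None and shown_host != real_host})
    return {"display_name": sender.display_name, "address": sender.addr_spec,
            "sender_domain": sender.domain, "links": links}
```

Running `inspect_message(RAW_MESSAGE)` shows the sender domain is `examp1e.com`, not `example.com`, and that the link’s text and its real destination disagree.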

If you get a popup indicating your files are locked and that you have to pay a ransom to unlock them, ask whether it popped up after visiting a website. If so, did the popup appear in a browser window? Have any of the files on your desktop changed their icons unexpectedly? Has your PC suddenly started running slower? Collect all the details you can.

4. Determine What Kind and How Big

In every incident response, knowing what kind of attack it is and how big a problem it is determines how to handle the situation. If it’s one PC with a popup on it, it’s not a big deal. But if you have multiple PCs with the same message indicating that the PC’s files are locked and require a payment to be unlocked, that is a much bigger problem. In the cybersecurity realm, we are always evaluating risk (the likelihood of an attack happening × the impact of that attack). But once it has happened, you have to determine the impact the hack has had.

Ask some of these questions: How did they get in? What did they access? How long were they in? Did they create any backdoors? Did they gain access to other devices, accounts, or the network itself? You can also have someone with some technical proficiency help you review logs and configurations for additional artifacts that help you understand the scope or how they got in.

Here are some types of attacks, with a brief explanation of each, grouped by how big an impact they can have:

Severe Impact

To be clear, it is not advisable to handle the attacks below on your own; you will likely need to contact someone to help you work through them.

Ransomware – The malicious actor encrypts (locks) your files on your device (PC, server, mobile device) and demands a ransom in exchange for the key to unlock (decrypt) the files.

Network/Endpoint Intrusion – Someone from outside your home network (a hacker; a malicious party) has gained access by breaking through the normal defenses. It may mean that a hacker gains access to your home network and, once inside, plants a file on your endpoint that has been programmed to perform specific tasks or actions, traverse your network, or simply watch and wait.

Data Theft – The name is pretty self-explanatory. To steal the data, the malicious party would have had to gain access to it using a network/endpoint intrusion of some sort.

Moderate to Severe Impact

These issues can at times be resolved on your own, depending on how severe the impact is.

Malware (includes viruses, spyware, trojans, adware, etc.) – A malicious file on your PC that creates unwanted effects on the PC.

Account Compromise – This can be an email account, a social media account, or a portal you use to conduct business (such as ordering products or groceries, or a bank account).

Man-in-the-Middle – Sometimes a malicious party doesn’t even have to be on your network or your endpoint (whatever device you are using). They can simply intercept the traffic between your endpoint and the servers it is reaching out to. This type of attack can happen if they have gained access to your home network, or if they control a router or DNS server that you communicate through to reach websites or software.

Low Technical Impact

These are the issues that wouldn’t likely benefit from hiring someone technical to help resolve them, unless they are combined with one of the attacks above. There are many other low-technical-impact attacks that I won’t cover here, as this is not meant to be an exhaustive list.

Spoofing – Usually an email sent from an email account designed to look like yours, to trick people into giving up information. This is different from an account compromise: it’s only an email account that looks like yours, not actually your account. I’ve seen spoofing emails that were clearly not from the account yet looked exactly as if they came from it.

Phishing (or Spear Phishing) – An email designed to look like it came from a vendor or acquaintance, or that has an attachment you would want to open. If the email was designed specifically for you, it’s called spear phishing. If it’s a malicious email that looks like a social media notification or a merchant offering a deal, it is just considered a phishing email, as it’s a generalized email that can be adapted to a large number of other users.

Social Engineering (e.g. a romance scheme) – This is primarily a hack of the individual, using what is simply called social engineering in the cybersecurity world. This kind of attack focuses on creating a false premise with which to engage someone and convince them to provide access to desirable resources. It can have a significant financial, emotional, and social impact on the individual, but the technical impact is usually low.

5. Respond

Contain the incident. You want to stop the hacker from doing any additional damage by removing their original means of access so they cannot continue to cause problems. Isolating the device or account, revoking sessions (when you use a system you have to log into, that logged-in state is a session), and blocking the entry points are all things that can be done.

Shut down the incident. Once you have figured out the scope of the attack (what was impacted and how they got in), remove any malware from the endpoint, change passwords, and re-enroll MFA (Multifactor Authentication), using account tools to “end all sessions” and “reset MFA tokens.” If no MFA was set up originally, it’s time to set it up. Look for any permissions or rules that the hacker may have added to the account or device that would give them access in the future.

Recover anything lost. It is not uncommon to have backups of important files or entire devices so that the setup can be recovered if something bad happens to it. Recovering is an important step if you are hit with ransomware, malware, or data theft. But knowing that you have a good backup, and not one that’s potentially compromised, is important. Hackers can often be in a system for months before they give any indication that they are there. So remember that if you restore from a backup made while the hacker was in your system, it may contain malware or the same misconfigurations that would allow the hacker to regain control.

Validate and strengthen the security over the course of the next 1-3 months. Watch for any of the indicators that were part of the original discovery of the attack. Review logs and configurations on the systems that were impacted to see if there is any sign of the hacker returning. Look for ways to enhance the security of the impacted systems. Make sure everything is up to date (software, firmware, and hardware). Add MFA (or change to a more secure form of MFA, as not all MFA options are as secure as the others) if it is not already set up. Verify that the accounts or systems are as secure as they can be, and if you’re not sure, ask for help or Google the question (or use AI with a healthy amount of skepticism and inquiry).

Prevention: The Best Incident Response Is Never Needing It

My final suggestion would be to act rather than react. Proactive measures are more effective than reactive measures and may even spare you from having to use the reactive measures at all. Below are four suggestions that, although already mentioned, are worth taking ahead of time.

  1. Set Up MFA (Multifactor Authentication) – This usually involves entering a code from somewhere in addition to a password before you can gain access to the system or account. It can also include physical keys or digital keys. Just remember that not every form of MFA is equal. SMS (text messaging) is a weaker version but a more common and popular one. The stronger forms are hardware tokens and one-time passwords (codes from authenticator apps).
  2. Set Up Unique Passwords for Every Account – It is not uncommon for users to cycle through 4-7 passwords across every account they have. And with the number of digital accounts we have to keep track of, the odds keep increasing that one of those 4-7 passwords will unlock multiple accounts. A unique password on each account means that if your password gets stolen and/or sold, it only unlocks the one account, not multiple vendors. Right now, I use a base of at least 16 characters for a password, which should include capitals, lower case, special characters, and numbers.
  3. Regular Backups – Make sure you regularly make copies of important data and information using the 3-2-1 rule: 3 backups on 2 different kinds of media, with 1 backup somewhere off-site from where the system is. But make sure these backups are tested. If the data is corrupted during the backup, or the format is incorrect, or any number of other issues occur, the backups are useless.
  4. Patching and Updates – Making sure that all systems are updated and patched helps prevent known vulnerabilities from being an attack avenue. When a vulnerability is discovered, responsible companies release patches and updates to make sure the vulnerability is mitigated. But it still means you have to make sure it is backed up and verified. I regularly tell my team members to make sure their systems are up to date.

If you’re not sure what to do after reading all this, don’t hesitate to call someone more tech-savvy, or a professional, to help. Time is of the essence when dealing with an attack, so don’t drag this out. Clues about who carried out an attack and how it happened get overwritten within hours of the event as the computer updates its logs. If this helped, share it with someone who needs it. And if you want more practical security guidance, subscribe!
