The scary truth about modern cyberattacks? Most small businesses don't find out they've been hacked until it's far too late — often months after the initial breach. Attackers are patient. They get in quietly, establish a foothold, and exfiltrate data slowly so nothing looks out of the ordinary.
According to IBM's Cost of a Data Breach report, the average time to identify a breach is 204 days. That's six months of an attacker sitting inside your network while you're completely unaware.
Here are the five warning signs we see most often when auditing new clients who've been compromised — and didn't know it.
1. Unusual Account Activity at Odd Hours
If your email or software systems are recording logins at 3am from cities you've never visited, that's a major red flag. Modern credential attacks use stolen usernames and passwords (often from unrelated data breaches on other websites) to access business accounts.
What to check: Most Microsoft 365 and Google Workspace accounts have a login history panel. Review it. Look for logins from unfamiliar locations, especially outside business hours. If you see activity from Eastern Europe, Southeast Asia, or anywhere outside Ontario that doesn't match a travelling employee — treat it as a breach until proven otherwise.
We once audited a Mississauga dental office and found an attacker had been reading their email for 11 weeks. Their Microsoft 365 login log showed daily logins from Romania at 2am. Nobody had ever checked.
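To show what the login-history review above looks like when done systematically rather than by eye, here is an added example script (not from the original post, and not any vendor's tool). It reads a constructed sign-in export, converts each timestamp to Toronto local time, and flags successful logins that fall outside assumed office hours or come from a country not in an assumed home set or travel register; the column layout, office hours and travel register are all assumptions for the example.

```python
import csv
import io
from datetime import datetime, time, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/Toronto")
except Exception:  # no tz database on this host: fall back to a fixed EST offset
    LOCAL_TZ = timezone(timedelta(hours=-5))

# Constructed sample sign-in export (not real data). The columns mimic the
# kind of login-history export a cloud mail tenant provides: UTC timestamp,
# account, geolocated source country and city, and the sign-in result.
SAMPLE_LOG = """\
timestamp_utc,user,country,city,result
2024-03-04T14:10:00Z,alice@example.com,CA,Toronto,Success
2024-03-05T07:02:00Z,alice@example.com,RO,Bucharest,Success
2024-03-05T07:03:00Z,alice@example.com,RO,Bucharest,Success
2024-03-06T13:30:00Z,bob@example.com,CA,Mississauga,Success
2024-03-06T02:15:00Z,bob@example.com,US,Chicago,Success
2024-03-07T16:45:00Z,carol@example.com,GB,London,Failure
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed office hours, local time
HOME_COUNTRIES = {"CA"}                     # assumed: staff normally sign in from Canada
KNOWN_TRAVEL = {"bob@example.com": {"US"}}  # assumed travel register: user -> expected countries


def triage_signins(log_text, home=HOME_COUNTRIES, travel=KNOWN_TRAVEL):
    """Return (user, local_time_iso, country, reasons) for each suspicious successful login."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "Success":
            continue  # failed attempts are worth a look too, but here we hunt actual access
        utc = datetime.fromisoformat(row["timestamp_utc"].replace("Z", "+00:00"))
        local = utc.astimezone(LOCAL_TZ)
        reasons = []
        if not (BUSINESS_HOURS[0] <= local.time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        country = row["country"]
        if country not in home and country not in travel.get(row["user"], set()):
            reasons.append(f"unexpected country {country}")
        if reasons:
            findings.append((row["user"], local.isoformat(), country, reasons))
    return findings


if __name__ == "__main__":
    for user, when, country, reasons in triage_signins(SAMPLE_LOG):
        print(f"{when}  {user:<20} {country}  {'; '.join(reasons)}")
```

On the sample data the two 2am Romanian logins for alice are flagged on both counts, and bob's evening login from Chicago is flagged only for the hour because the travel register expects him in the US.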
2. Unexplained Slowdowns or High CPU/Network Usage
Malware — particularly cryptominers and data exfiltration tools — runs constantly in the background, consuming your computer's CPU and internet bandwidth. If your machines have been noticeably slower without any software changes, or your internet feels sluggish, it may not be your ISP.
What to check: Open Task Manager (Windows) or Activity Monitor (Mac) and look for processes consuming high CPU with names you don't recognize. Also check your router's traffic logs for unusual outbound data volumes — a machine sending gigabytes of data overnight is a serious sign.
3. Your Antivirus Has Been Disabled or Is Complaining
Sophisticated malware specifically targets security tools first. Before doing anything else, ransomware and spyware attempt to silence whatever could detect them. If your antivirus has been disabled, is reporting errors, or hasn't updated its definitions in weeks — that's often not a coincidence.
What to check: Open your antivirus dashboard and verify it's active, up to date, and showing a recent scan. Then check Windows Security Center — it will warn you if any protection layer is off. Make this a weekly 30-second habit for your team.
4. Clients or Contacts Receiving Emails You Didn't Send
When attackers gain access to an email account, they often use it to send phishing emails to your contact list — impersonating you to attack your clients. If a client calls to ask about a strange email from your address, or you start receiving bounce-back messages for emails you never sent, your email is almost certainly compromised.
What to check: Review your "Sent" folder carefully. Attackers often delete sent emails immediately, so also check your email's "All Mail" or server-side sent items. Enable multi-factor authentication on all email accounts immediately — this is the single most effective protection against email account hijacking.
5. New User Accounts You Didn't Create
One of the most common persistence techniques attackers use is creating hidden admin accounts. This gives them a backdoor to re-enter your systems even if you change all your passwords. These accounts are often named to blend in — think "IT Support", "Admin2", or even a name that looks like a real employee's.
What to check: In Windows, go to Settings → Accounts → Other Users. In your server or Microsoft 365 admin panel, review the full user list. Any account you don't recognize should be disabled and investigated immediately.
What to Do If You Suspect a Breach
Don't panic — but act fast. The steps are:
- Isolate affected machines — disconnect from the network but don't turn them off (logs are valuable)
- Change all passwords immediately from a clean, unaffected device
- Enable MFA on every account that supports it
- Contact your IT provider for a forensic review — don't try to clean malware yourself
- Notify affected parties if client data may have been exposed (PIPEDA requires this)
At Starcomm, we offer emergency incident response for Toronto and Mississauga businesses. If something feels wrong, call us before you do anything else. Fast action is the difference between a recoverable incident and a catastrophic one.