Skip to content
Incident Response · Texas SMB

What to Do After a Business Email Compromise or Ransomware Attack

If you're reading this on your phone while your office figures out what just happened, skip the background. Go to the checklist that matches your situation. Come back for the rest later.

Two things before you scroll. First: the actions you take in the next few hours matter more than anything you do next week. Wire recalls have a short window. Evidence gets destroyed by well-meaning cleanup. Second: you will get through this. We've worked incidents where the business was sure it was finished, and it wasn't. Move fast, in the right order.

One caveat that protects you: this page is practical guidance from practitioners, not legal advice. Loop in your attorney and your cyber insurance carrier early. Both change what you should and shouldn't do next.

Business email compromise: the first hours

BEC is the quiet one. Someone got into a mailbox, watched your invoice traffic, and redirected a payment. If money already moved, the clock is running.

1. Call your bank's fraud department. Now, before anything else. Ask them to initiate a wire recall (or SWIFT recall for international transfers) and to contact the receiving bank to freeze the funds. Banks can sometimes claw back a fraudulent wire if the money hasn't been moved out of the receiving account. That window is measured in hours and days. Every hour you spend "investigating internally" first is an hour the attacker uses to launder the funds through the next account.

2. File an IC3 report at ic3.gov. The FBI's Internet Crime Complaint Center feeds a financial fraud kill chain that can freeze funds at intermediary banks, and it works best when the report lands fast. Fifteen minutes of form-filling. Do it the same day.

3. Preserve the mailbox. Don't clean it up. Your instinct will be to delete the phishing email, purge the rules, and reset everything. Resist half of that instinct. Export the mailbox first, or at minimum take screenshots and preserve message headers. The forwarding rules, login records, and sent items are your evidence for the bank, the insurer, and law enforcement.

4. Don't tip off the attacker. If the intruder still has access, they can watch you respond, delete evidence, or fire off a second round of fraudulent invoices to your customers while you're distracted. Coordinate the lockout so it happens all at once, not one password at a time over an afternoon.

5. Then lock them out, completely. Reset the compromised account's password, revoke all active sessions, revoke app passwords and OAuth grants, and check for attacker-created inbox rules. Forwarding rules that quietly copy mail to an outside address are the classic persistence trick. Check every mailbox, not just the obvious victim; attackers move sideways.

Ransomware: the first hours

1. Isolate. Do not wipe. Pull infected machines off the network: unplug the cable, kill the Wi-Fi, disable the switch port. Do not power them off if you can avoid it (memory holds evidence), and absolutely do not reimage anything yet. A wiped machine can't tell anyone how the attacker got in, which means you can't be sure they're gone.

2. Call your cyber insurance carrier and your attorney. Most cyber policies require notice before you spend money on response, and many carriers have panel firms on retainer. Calling them second instead of fifth can be the difference between covered and denied. Your attorney also establishes privilege over the investigation, which matters later.

3. Check your backups before you talk to anyone about paying. Are they intact? Are they offline or immutable, or did the attacker encrypt those too? Can you actually restore, and how fast? You can't evaluate any option, including the ransom demand, until you know what you can recover on your own.

4. Don't pay reflexively. Payment doesn't guarantee working decryption keys, it may be restricted if the group is sanctioned, and it marks you as a payer. Sometimes payment ends up on the table anyway. That's a decision to make with counsel and your insurer, with full knowledge of your backup position, not something to decide alone at 2 a.m.

5. Preserve the ransom note and a sample of encrypted files. Investigators use them to identify the strain, and identification sometimes surfaces a free public decryptor.

Who to notify

  • Your bank, immediately, for any incident involving payments or banking credentials.
  • Your cyber insurance carrier, before you incur response costs.
  • Your attorney, early enough to direct the investigation under privilege.
  • The FBI via ic3.gov, for both BEC and ransomware. CISA also publishes solid response resources and takes reports.
  • Possibly your customers. Texas has a breach notification law with deadlines and, above certain thresholds, a required report to the Texas Attorney General. Whether it applies depends on what data was exposed. This is exactly the question your attorney answers; don't guess in either direction.

The recovery phase

Once the bleeding stops, recovery runs in a deliberate order: confirm the attacker's access is fully cut off, identify how they got in, close that hole, then restore systems from known-good backups onto a network you trust. Restoring first and investigating later is how businesses get hit twice in a month by the same actor through the same door.

Expect this to take longer than you want. A rushed recovery that leaves the original entry point open isn't a recovery.

Preventing the second incident

The follow-up attack is common, because the first one proved you were reachable. The fixes are unglamorous and they work:

  • MFA everywhere, starting with email and anything that touches money. Most BEC dies here.
  • Managed detection and response, so the next intrusion attempt gets caught in minutes instead of discovered by your bookkeeper. That's what our SOC package does: monitoring, detection, and response, priced for small business on our packages page.
  • Tested backups. Backups you've never restored from are a hypothesis. Test them, keep a copy offline or immutable, and document the restore time.
  • A hard look at your payment controls. Any change to vendor banking details gets verified by phone at a number you already had on file. Policy, in writing, no exceptions for "urgent" requests.

If you want a structured starting point, our free security evaluation walks your environment and hands you a prioritized list.

When to call in help, and what we do

Call for help when money has moved, when you can't confirm the attacker is out, or when the response is eating the people who run your business. In-house IT at most SMBs is one or two people; incident response is not a fair thing to add to their day job mid-crisis.

Honest scope: Adaptive IP Services is not a national forensics retainer firm, and if your incident needs deep forensic litigation support, we'll say so and work alongside the specialists your insurer brings in. What we do, and do well for DFW small businesses: rapid assessment of what happened and what's still exposed, containment support to get the attacker out and keep them out, and hardening so the second incident doesn't happen. Founder David Boggs has spent 20+ years in enterprise IT, including senior network security architecture in the financial sector, where wire fraud response isn't theoretical. Firms in regulated or trust-dependent fields, law and accounting especially, can see how we support them at our law and accounting IT page.

FAQ

Should I pay the ransom?

Not as a reflex, and not alone. Payment guarantees nothing, may be legally restricted depending on the group, and paints a target on you. Check your backup position first, then decide with your attorney and insurer.

Can wire fraud money actually be recovered?

Sometimes, and speed decides it. If your bank initiates a recall and IC3 gets the report while funds are still sitting in the first receiving account, recovery is realistic. After the money moves through mule accounts or leaves the country, odds drop fast. Call the bank within hours, not days.

Do I have to report a breach in Texas?

Texas law requires notifying affected individuals when certain personal data is exposed, with deadlines, and requires reporting to the Texas Attorney General above certain thresholds. Whether your incident triggers it depends on the data involved. Confirm with counsel; the analysis is fact-specific.

Who do I call first: bank, insurer, or IT?

For BEC with money moved: bank first, always. For ransomware: isolate the machines, then insurer and counsel before you spend on response. IT works in parallel on containment either way.

Should we wipe the infected computers and move on?

No. Wiping destroys the evidence that tells you how the attacker got in. Isolate now, preserve, investigate, and reimage only after the entry point is identified and closed.

Can Adaptive help if we're mid-incident right now?

Call us at (888) 382-7685. We'll help you triage the first hours, support containment, and coordinate with your insurer's team if one is engaged.

Under attack, or worried you're next?

Call (888) 382-7685, request a free security evaluation, or contact us online. We're in DFW, and we pick up.