What to do when you suspect your account or device is compromised?

You may have encountered many articles describing the precautions to take to keep your machines safe and your credentials protected from cyber attacks, but what if your device or machine is already compromised? How do you detect that?

What signs should you look out for on a machine or device that has been compromised? What does it look like when there is an active threat?

Here is a list of common signs of compromise (the affected machine may be yours or someone else's).

  1. Abnormal behavior - You notice abnormal behavior of your laptop or mobile device, such as:
    1. The machine rebooting suddenly
    2. The machine logging you off unexpectedly
    3. Windows closing automatically, without any action from you
  2. You receive unexpected emails in your Inbox stating that your account has been compromised (these are commonly phishing or spam).
  3. Someone reports that they received a spam or phishing email from your ID, something that you never sent.
  4. You notice uncommon or abnormal changes to your files or file extensions in your shared folders or drives.
  5. You find unknown files or folders within your data, files you did not knowingly create, receive or download.
  6. You notice an abnormal and/or sudden increase in used disk space.
  7. You get prompts from unknown pop-up windows or message boxes, suddenly and out of nowhere.
  8. You get unexpected or 'out-of-normal-operating-procedure' emails from colleagues at work asking you to transfer or authorize payments, emails from departments such as 'Finance' requesting you to authorize payment of an unfamiliar invoice, or an approval email from a CxO-level executive to release payment to a different account than the one on record.

What to do when you encounter such situations:

  1. Power down your machine or mobile device and disconnect it from the network, unless the standard operating procedures followed in your Company state otherwise.
  2. Report the incident to all of the appropriate persons-in-charge listed below and follow their instructions (note that this is not an exhaustive list):
    1. Your Supervisor(s) / Department Heads
    2. Designated Security Officer
    3. IT Support Department
  3. Change all your work-related passwords immediately, logging into your account from a different machine that does not show such behavior. Be aware that changing passwords from a potentially infected machine risks exposing the new credentials as well, because the attacker(s) may have 'keyloggers' installed that covertly record your keystrokes and mouse clicks.
  4. Use the relevant incident reporting system or application used in your Company to report the incident.
  5. Follow the established procedure that you have been instructed or trained to follow in your Company during such situations.
  6. Do not hesitate to report even if something is only remotely suspicious and you could be wrong. It is better to be safe than sorry, and it is alright if it turns out to be a false alarm.
