Security Breach Etiquette – What To Do If A Compromised Account Is Sending Phishing Emails

two glasses, in front of a silver table setting on a twine woven place mat set for "Security Breach"

May 25, 2022 by Taylor Krieg

Data breaches and thefts have become the new norm in today’s digital world. So much so, in fact, that there is a proper data breach etiquette, and it’s expected. Organizations of all sizes, predominantly small businesses, are concerned about the real possibility of a security breach. Whether you serve 100 or 1 million customers, how you manage a security breach can have a long-term influence on your company’s reputation and the level of faith customers have in your company moving forward.

Business email hacks are growing in sophistication and scale, and attempts have ramped up during the COVID-19 pandemic, especially social engineering frauds (read more about social engineering here). This is often known as “business email compromise,” or BEC. As businesses rushed to mobilize their workforce from home, it proved to be a completely foreign experience—new procedures, improvised security measures, and decentralized monitoring have made all types of organizations more vulnerable to cyber-criminals.

So, what should you do if a company account is compromised and has sent/is sending phishing emails? Notify management? Employees? Clients? Law enforcement? While the proper etiquette can vary case by case, there are some general guidelines and tips that can help you navigate this kind of situation.

How Do BEC Attacks Happen?

Attacks on business emails are notoriously tough to prevent. Instead of using malware, the culprits use social engineering and impersonation to persuade individuals to act on the attacker’s behalf. These attack tactics are frequently missed by traditional threat detection technologies that examine email headers, links, and metadata – making them all the more dangerous by targeting human error and trusting instincts.

In 2020, the FBI Internet Crime Complaint Center (IC3) received over 240,000 complaints related to phishing attacks and BEC – resulting in $1.86 billion in losses. Since BEC attacks come in a variety of shapes and sizes and don’t require the use of specialized tools or equipment, the level of sophistication varies depending on the attacker’s purpose and ability. So, what should you do if an attacker does make their way into your email system?

What Can You Do?

 If the data breach is of a high danger to the people impacted, they should all be informed immediately. Unless sufficient technological and organizational safeguards – or other protection measures – have been put in place to ensure that the risk is no longer likely to occur, notification should happen has soon as possible. You can look here for more information about security breach notification laws by state here.

Assuming there is not a high degree of danger and workers can help in alerting third parties, consider giving notice to pertinent personnel of the threat and how to maintain a strategic distance from it. Such a communication may incorporate steps to caution other external people of the cyber threat. This can include contact information and other important data in case a company’s workers or clients have fallen victim to the phishing attack.

But there’s more to consider when weighing the pros and cons of warning outside recipients a phishing email from a compromised account – and they’re not all about legality. Here are some pros and cons to consider before sending out a breach notification:


  • Reduces the vast number of emails and phone calls asking if the compromised email is legitimate or not
  • Shows concern for your business partners
  • Demonstrates care and concern for clients


  • Accepting responsibility for something out of your control
  • Their filter may have worked better than yours and they never got the phishing email
  • Raises concerns about your security and vulnerability, reputation damage

In a general sense, and when there is not a high-level of danger involved, it is the recipient’s responsibility – not the sender’s – to authenticate emails. This is a crucial reason why security awareness training (SAT) is a MUST. If you’re interested in learning more about the benefits of SAT, what it can do for you, and how to implement training, click here.

That being said, you should get the information together and expect confirmation calls regarding the legitimacy of the emails. Have pre-made responses ready that say something along the lines of, “The email you received (is/it not) legitimate, and we have addressed it by (generic solution statement). We have confirmed (no deeper compromise, no network or data penetration, etc), and will continue to monitor outbound email for the next several days – recommend your IT team does as well.”

Nevertheless, whether there is a high degree of danger or not, it is important that you report any alleged cybercriminal activity to the IC3 right away – not only to notify authorities, but also to assist in the fight against cybercrime as a whole.

If you’d like assistance with this, or have any additional questions or concerns, please contact us and call 502-240-0404 or send us an email at

Press enter to search