Think You’ve Been Hacked? Here’s What to Do Right Now

The first hour matters most. The wrong moves make a breach significantly worse — and the right ones limit the damage. This is what DM1 tells every Perth business owner the moment something looks wrong.

The First Hour: What to Do Immediately

Speed matters, but panic makes things worse. Work through these steps in order. If you have a managed IT provider, call them first — they can do most of this faster than you can.

1. Do not turn the computer off

Your instinct will be to shut everything down. Resist it. Turning a device off can destroy the evidence your IT provider needs to understand what happened and how far it spread. Leave devices on and connected unless DM1 or your IT provider specifically tells you otherwise.

2. Disconnect from the internet

If a device is actively being accessed by someone outside your business, disconnecting it from the network stops them in their tracks. Unplug the network cable or turn off the Wi-Fi on the affected device. Do not shut it down — just cut the connection.

3. Change your passwords from a different device

Use a phone or a separate computer that was not involved in the incident. Change the password for your email account first, then your Microsoft 365 account, then anything else that matters. Enable a second login step on every account if it is not already on.

4. Tell your staff

If the breach may have affected shared systems, tell your team immediately. Staff who do not know something is wrong may inadvertently make it worse — clicking a link in a suspicious email, opening an attachment, or entering credentials into a fake page.

5. Write down what you know

Before you do anything else, note the time you noticed the problem, what you saw, what was open on the screen, and who had access to the affected device or account. This information is critical for your IT provider and, if needed, the police or your insurer.

6. Call DM1 — or your IT provider

If you are a DM1 client, call (08) 6202 6012 immediately. If you are not yet a DM1 client and your current IT provider is not responding, DM1 can assist with incident response for Perth businesses. Do not attempt to investigate or clean up alone.

Warning Signs That Something May Be Wrong

Not every breach announces itself. These are the signs Perth businesses most commonly notice first — many of which are dismissed as technical glitches until it is too late.

Emails you did not send

Staff or clients receive emails from your address that you did not write. This is one of the most common early signs of a compromised email account — and one of the most damaging, because it can be used to send fake invoices to your clients.

Unexpected password reset emails

You receive a password reset notification for an account, but you did not request a reset. Someone else is attempting to take control of that account, or already has. Change the password immediately from a separate device and enable a second login step.

Logins from unexpected locations

Microsoft 365 logs every login with a location. If your account or a staff member’s account has been accessed from a country your business has no connection to, that account is almost certainly compromised.

Ransomware message on screen

A message appears stating that your files have been encrypted and demanding payment. Do not pay. Disconnect the affected device from the network immediately and call DM1. Payment does not guarantee file recovery, and it funds criminal activity.

Files you cannot open

Files that opened normally yesterday now show errors or appear to have been renamed with a strange extension. This can be an early sign of ransomware encryption spreading across your network — act immediately.

Unusual account activity or new accounts

New user accounts appear in your Microsoft 365 admin panel that nobody created. Existing accounts have new rules set up in their inbox, or emails are being silently forwarded to an external address. Both indicate an attacker has had access to your systems.

How Most Perth Business Breaches Actually Happen

Understanding how it happened helps you prevent it from happening again. The overwhelming majority of business breaches come through one of these four entry points.

A staff member clicked a convincing fake email

The most common entry point. An email arrives that appears to be from Microsoft, Australia Post, the ATO, or a known supplier. A staff member clicks the link and enters their login details on a fake page. The attacker now has their username and password. Without a second login step, they are in.

Technical name: phishing

A password was guessed or stolen in a separate breach

Many people reuse the same password across multiple services. When one service is breached, attackers try those credentials against business email and Microsoft 365 accounts automatically. If the password matches and there is no second login step, the account is compromised without any action from the victim.

Technical name: credential stuffing

An out-of-date device or software was exploited

Software that has not been updated contains known vulnerabilities that attackers can exploit without any action from your staff. This includes Windows, browsers, and third-party applications. A device that has not been patched in several months is a known risk — not a theoretical one.

Technical name: unpatched vulnerability exploit

A former staff member’s account was never disabled

An account belonging to a staff member who left six months ago is still active. Whether they use it maliciously or it gets compromised by someone else, it is an open door into your systems. DM1 finds active accounts belonging to former staff in the majority of new client onboarding reviews.

Technical name: orphaned account / stale credential

What Not to Do — Mistakes That Make It Worse

These are the most common mistakes DM1 sees after a breach. Each one either destroys evidence, increases the damage, or delays recovery.

Do not pay the ransom

Paying ransomware attackers does not guarantee your files will be returned. It funds further criminal activity and marks your business as one willing to pay, increasing the likelihood of repeat attacks. Contact your IT provider and your insurer before making any decision.

Do not wipe the device immediately

Wiping a compromised device destroys the evidence needed to understand how the attacker got in, what they accessed, and whether they are still present elsewhere in your network. Your IT provider needs to examine the device before it is wiped.

Do not assume it is contained to one device

Modern attacks move laterally across networks. If one device or account is compromised, others may be too. Do not assume the problem is isolated until your IT provider has reviewed the entire environment — not just the device that first showed symptoms.

What DM1 Does When You Call

DM1 handles incident response for Perth businesses as part of the managed services relationship. When something goes wrong, this is what happens.

Immediate containment

DM1 identifies the affected accounts, devices, and systems and isolates them to stop the breach from spreading. Compromised accounts are locked, active sessions are terminated, and suspicious inbox rules or forwarding addresses are removed. This happens in the first hour.

Review of what was accessed

DM1 reviews login logs, audit trails, and device activity to establish what the attacker accessed and for how long. This determines whether client data, financial records, or sensitive documents were exposed — which affects your notification obligations.
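
A login-log review of this kind, covering the "logins from unexpected locations" warning sign as well, can be scripted. The following is an added example, not DM1's own tooling: it summarises, per account, sign-ins from outside an expected set of countries and reports the first and last successful one, which bounds how long the account was exposed. Field names follow the Microsoft Graph signIn resource; the accounts, IP addresses, timestamps, country list and function names are assumptions made for illustration.

```python
# Added example: summarise sign-ins from outside the expected countries.
# Field names follow the Microsoft Graph signIn resource; accounts, IPs,
# timestamps and the expected-country list are constructed sample data.
from datetime import datetime

EXPECTED_COUNTRIES = {"AU"}  # assumption: where staff legitimately sign in


def sample(user, when, ip, country, code):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}


SAMPLE_SIGNINS = [
    sample("owner@example-firm.com.au", "2024-03-01T00:12:09Z", "203.0.113.10", "AU", 0),
    sample("owner@example-firm.com.au", "2024-03-04T18:40:51Z", "198.51.100.7", "NL", 0),
    sample("owner@example-firm.com.au", "2024-03-09T02:15:00Z", "198.51.100.7", "NL", 0),
    sample("reception@example-firm.com.au", "2024-03-05T11:02:33Z", "192.0.2.44", "US", 50126),
    sample("accounts@example-firm.com.au", "2024-03-05T01:30:00Z", "203.0.113.10", "AU", 0),
]


def review_signins(signins):
    """Summarise, per account, sign-ins from outside EXPECTED_COUNTRIES."""
    report = {}
    for record in signins:
        country = (record.get("location") or {}).get("countryOrRegion") or "unknown"
        if country in EXPECTED_COUNTRIES:
            continue
        entry = report.setdefault(record["userPrincipalName"], {
            "successful": 0, "failed": 0, "first_success": None,
            "last_success": None, "countries": set(), "ips": set()})
        entry["countries"].add(country)
        entry["ips"].add(record.get("ipAddress"))
        # errorCode 0 is a successful sign-in; any other value is a failed attempt.
        if (record.get("status") or {}).get("errorCode") == 0:
            when = datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))
            entry["successful"] += 1
            entry["first_success"] = min(filter(None, [entry["first_success"], when]))
            entry["last_success"] = max(filter(None, [entry["last_success"], when]))
        else:
            entry["failed"] += 1
    return report
```

An account with successful foreign sign-ins needs containment; one with only failed attempts shows password guessing that has not yet worked.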

Recovery and hardening

Once the immediate threat is contained, DM1 works through the security gaps that allowed the breach to occur — enabling second login steps, removing stale accounts, applying missing patches, reviewing email rules, and updating permissions.

Plain English summary for you

At the end of the process, DM1 provides a plain English summary of what happened, what was accessed, what was fixed, and what you need to do next — including whether you have any notification obligations under the Privacy Act.

Your Legal Obligations After a Breach

If your business holds personal information about clients, staff, or any individuals, a data breach may trigger reporting obligations under the Privacy Act.

The information on this page is general in nature and is intended to help business owners understand their obligations at a high level. It is not legal advice. If you have specific concerns about your notification obligations following a breach, DM1 recommends speaking with a qualified lawyer. For general information about the Notifiable Data Breaches scheme, visit the Office of the Australian Information Commissioner at oaic.gov.au.

Notifiable Data Breaches scheme

If your business has an annual turnover of $3 million or more, or operates in certain sectors, you are likely required to notify affected individuals and the Office of the Australian Information Commissioner if a breach is likely to result in serious harm. Notification must occur as soon as practicable.

Your legal obligations may vary. Speak with a lawyer if you are unsure.

What counts as a notifiable breach

A breach is notifiable when it involves personal information, it is likely to result in serious harm to one or more individuals, and you have not been able to prevent that harm. Serious harm includes financial harm, reputational damage, and physical harm. The threshold is not whether harm has occurred — it is whether it is likely.

What We Found on Day One

These are real findings from DM1’s standard onboarding checks — discovered when new clients came on board and we reviewed how their business had been set up.

Discovered during DM1 new client onboarding

Inbox rules were silently forwarding every email to an external address — for three months

When a Perth professional services firm moved to DM1, our standard new client checks included a review of all Microsoft 365 inbox rules. We found that a rule had been created on the managing director’s account that forwarded a copy of every incoming email to an external Gmail address. The rule had been in place for approximately three months. Their previous IT provider had never reviewed inbox rules as part of their service. DM1 removed the rule, locked the compromised account, forced a password reset, and enabled multi-factor authentication across all accounts.
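
The inbox-rule review in this case, which also catches the silent-forwarding warning sign listed earlier, can be scripted. The following is an added example, not DM1's own tooling: it flags rules that forward or redirect mail to addresses outside the organisation, using the field names of the Microsoft Graph messageRule resource. The domain example-firm.com.au, the rule data and the function names are assumptions made for illustration.

```python
# Added example: audit inbox rules for forwarding to outside addresses.
# Field names follow the Microsoft Graph messageRule resource; the tenant
# domain and every rule below are constructed sample data.
INTERNAL_DOMAINS = {"example-firm.com.au"}  # assumption: the tenant's own domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
SAMPLE_RULES = {
    "md@example-firm.com.au": [
        {"displayName": ".", "isEnabled": True, "conditions": None,
         "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail.example"}}],
                     "markAsRead": True}},
        {"displayName": "Invoices to accounts", "isEnabled": True,
         "conditions": {"subjectContains": ["invoice"]},
         "actions": {"forwardTo": [{"emailAddress": {"address": "accounts@example-firm.com.au"}}]}},
    ],
    "reception@example-firm.com.au": [
        {"displayName": "Newsletters", "isEnabled": True,
         "conditions": {"senderContains": ["news"]},
         "actions": {"moveToFolder": "constructed-folder-id"}},
    ],
}


def external_targets(rule):
    """Return (action, address) pairs leaving the tenant; bad addresses count as external."""
    actions = rule.get("actions") or {}
    hits = []
    for action in FORWARD_ACTIONS:
        for recipient in actions.get(action) or []:
            address = (recipient.get("emailAddress") or {}).get("address") or ""
            if address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
                hits.append((action, address))
    return hits


def audit_rules(rules_by_mailbox):
    """Return one finding per rule that forwards or redirects mail externally."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            hits, actions = external_targets(rule), rule.get("actions") or {}
            if hits:
                findings.append({
                    "mailbox": mailbox, "rule": rule.get("displayName", ""),
                    "enabled": rule.get("isEnabled", True), "targets": hits,
                    # No conditions: the rule matches every incoming message.
                    "all_mail": not rule.get("conditions"),
                    # Marking as read or deleting makes the activity harder to notice.
                    "covers_tracks": bool(actions.get("markAsRead") or actions.get("delete")),
                })
    return findings
```

Disabled rules are reported too, with "enabled" set to False, because a rule that has since been switched off is still evidence of earlier access.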

Discovered during DM1 new client onboarding

A fake invoice sent from the owner’s email address had already reached three clients

When a Perth retail business moved to DM1, our onboarding review found that the business owner’s email account had been compromised approximately two weeks earlier. The attacker had sent a fraudulent invoice to three of the business’s clients from the owner’s actual email address, requesting payment to a different bank account. Their previous IT provider had not identified the breach. DM1 secured the account, reviewed all sent mail, contacted the affected clients, and documented the incident for the business’s insurer.

Discovered during DM1 new client onboarding

Ransomware had encrypted files on one device — and the backup had never worked

When a Perth healthcare business moved to DM1, our onboarding review found that a workstation had been affected by ransomware approximately six weeks earlier. The business had paid the ransom and assumed the matter was resolved. Their backup had been silently failing for months, so there was no clean restore point. The affected device had been wiped without any forensic review. DM1 rebuilt the device, verified the backup system, enabled multi-factor authentication, and implemented endpoint protection across all remaining devices.

Why Perth Businesses Choose DM1

DM1 is a Perth-based managed IT provider working exclusively with small and medium businesses. We are a Microsoft CSP partner, which means we manage Microsoft 365 licences and configurations directly — and we know what a properly secured business looks like.

We explain what we find in plain English

Every finding is explained in terms of what it means for your business — not in technical language. You will always understand what the issue is, why it matters, and what DM1 is doing about it.

One point of contact for everything IT

DM1 manages your Microsoft 365 licences, your devices, your email, your security, your connectivity, and your backup — all from one place. One number. One provider. No pointing fingers between vendors.

Something Looks Wrong? Call DM1 Now

If you think your business has been hacked — or if you want to make sure it never is — call DM1 now. We respond to incidents for Perth businesses and can review your security setup before something goes wrong. (08) 6202 6012
