HELP! I've Been Hacked
Stay calm. Don't panic.
Follow these steps immediately to minimize damage and begin recovery.
Not sure if you're experiencing an attack or just a technical glitch? Look for these warning signs:
Clear Signs You've Been Hacked:
- You see a ransom message demanding payment to unlock files
- Files have strange extensions (.encrypted, .locked, etc.)
- You're locked out of email or admin accounts
- Unexpected emails sent from your account
- Bank reports unauthorized transactions
- Website shows defacement or malicious content
Likely Just a Technical Issue:
- Computer is running slowly (could be updates)
- Can't access one file (might be corrupted)
- Pop-up ads (annoying but usually not a breach)
- Forgot your password (reset it normally)
When in doubt, treat it seriously.
If you see anything from the first list ("Clear Signs You've Been Hacked"), follow the steps below immediately.
1. STOP
Do NOT immediately unplug or power off the computer. If it's ransomware, cybersecurity experts may need to analyze the infected system while it is still running. Take a photo of any ransom message on screen.
2. DISCONNECT
Immediately disconnect the infected computer(s) from the internet. Unplug the network cable or turn off Wi-Fi. This prevents the attack from spreading to other devices on your network.
3. CHANGE PASSWORDS
From a different, safe computer or phone, immediately change your passwords for critical accounts:
- Email accounts (especially administrator accounts)
- Banking and financial accounts
- Cloud storage (Google Drive, Dropbox, etc.)
- Donor management systems
4. CALL FOR HELP
Do NOT try to be a hero. Call your IT provider or a professional cybersecurity consultant immediately. If you don't have one, use the resources below.
5. DOCUMENT EVERYTHING
Critical for insurance and law enforcement: Document the incident thoroughly before making any changes.
Documentation Checklist:
- Take screenshots of any ransom messages, error screens, or suspicious activity
- Write down the timeline: When did you first notice? What happened? What time?
- List affected systems: Which computers, accounts, or files are impacted?
- Save suspicious emails: Forward phishing emails to a safe account (don't delete)
- Note any unusual activity in the days before (strange emails, calls, login attempts)
- Record file names/locations if files are encrypted or missing
💡 Tip: Use your phone to take photos of computer screens if you can't screenshot.
CISA (Cybersecurity & Infrastructure Security Agency)
CISA is the federal government's cybersecurity agency. They provide free assistance for organizations under cyberattack.
FBI Internet Crime Complaint Center (IC3)
Report cybercrimes (including ransomware and fraud) to law enforcement through the FBI's IC3.
Your Leadership & Board
Immediately notify your senior leadership, board chair, and any legal counsel. Transparency and quick communication are critical for managing the crisis.
Find Expert Help
If you need immediate IT support, consult our directory of vetted cybersecurity consultants who specialize in churches and nonprofits.
Data Breach Notification (IMPORTANT)
If personal information (names, emails, Social Security numbers, financial data) may have been compromised, you may have legal obligations to notify affected individuals.
When Notification is Required:
- Member/donor data exposed: Names, addresses, emails, phone numbers, giving history
- Financial information: Credit card numbers, bank account details, payment information
- Sensitive personal data: Social Security numbers, medical records, background checks
- Login credentials: Usernames and passwords for member accounts
State Notification Laws:
All 50 states have data breach notification laws. Most require notification within 30-90 days of discovery. You typically must notify:
- Affected individuals (by mail, email, or public notice)
- Your state's Attorney General (if the breach affects residents)
- Major credit bureaus (if the breach affects 1,000+ people)
💡 Action Item: Consult with a lawyer immediately if you believe personal data was exposed. They can help you comply with notification requirements and draft appropriate communications. Failing to notify can result in significant fines and legal liability.
What to Include in Notifications:
- What happened and when it was discovered
- What type of information was involved
- Steps you're taking to investigate and secure systems
- What affected individuals should do (change passwords, monitor accounts, etc.)
- Contact information for questions
- Free credit monitoring services (if applicable)
Once the immediate crisis is over and your systems are secure again, it's time to get proactive. The best defense is preparation. We can help you build a plan to prevent this from happening again.
Build Your Defense
Follow our 5-step cybersecurity plan to protect your organization from future attacks. Start with training your team and implementing basic security controls.
⚠️ Important: About Ransomware Payments
Law enforcement strongly discourages paying ransoms. There is no guarantee that attackers will provide the decryption key, and payment funds further criminal activity. Always consult with law enforcement and cybersecurity professionals before making any payment decisions.