Retail Sector – what do you do when you find out you’ve been hacked?

Picture the scene.

You get into work on Monday morning, before the rest of the staff get in, as usual.

Kettle on, computer on.

As you sift through your invoice database you notice that a number of customers haven't paid the invoices you set up a few weeks ago, and they normally always pay on time. Something doesn't look right: you are sure you set up the invoices and sent them out. A quick call to a customer confirms that they received the invoice and paid it, but when you compare bank account details you find that the money, several thousand pounds, went to a different bank account from yours.

You have just become the latest victim of a business e-mail compromise. A cybercriminal has gained access to your e-mail system, probably through a successful phishing attack, and has sent a batch of fraudulent invoices carrying their own bank details to your customers, who have unwittingly paid the criminal rather than you.

Pause. Take a breath. What do you do now?

Once you have quickly contacted the other customers with outstanding invoices, you can assess the scale of the damage and understand what the financial loss looks like.

You vaguely remember that you've got the mobile number for that firm you pay a couple of hundred pounds a year to run your network and upgrade your website. You get through to Steve, who tells you to hang on while he looks at your network; then the chat stops, and he goes quiet. Eventually he says, 'I think you may have been hacked. We had better refer to your incident response plan.'

To which you reply ‘What’s that? I thought you did all of our IT?’

Important sidebar: All the police forces across the Eastern region have dedicated specialist cybercrime teams who are highly trained and experienced in investigating cybercrime and in putting the victim's needs at the forefront of the investigation. If you are a business, charity or other organisation currently suffering a live cyber-attack (one that is in progress), it is really important that you call your local police at any time on 101 or report the attack to Action Fraud on 0300 123 2040 immediately. Millions of cases of fraud and computer misuse are reported to the police every year, and it is worth remembering that many of those crimes could have been prevented by making a few minor changes in our online behaviour.

What is incident response?

So back to you and Steve.

For many companies today, the first time they realise they need an Incident Response Plan coincides with the time that they realise they don’t actually have one.

An incident response plan is simply a document containing the details you need if you suspect you have been the victim of a cyber attack, together with the key information that helps you move through the stages of containment and then recovery. Having a good plan means you are more likely to come through the experience quickly and efficiently, with fewer of your systems exposed to the attacker. The responsibility for establishing and maintaining that plan sits with the business owner, not with the managed service provider you use for your IT.

In this case it looks likely that you have been breached, though you may never find out exactly how. What matters right now is that the criminals still have access to your e-mail system, and possibly to much more: while that access remains, they can read your customers' replies and send further fraudulent invoices. The wrong decisions now could have a devastating effect on your business beyond the frauds you have already discovered, and you could face additional financial and reputational loss if you don't make the right decisions next.

As the diagram below shows, you are currently in the triage stage of the breach: working out the scale of the breach and its impact, now and in the future.

To save you the time of starting one from scratch, go to our tools section and download an incident response plan for free. All you have to do is read it and fill in the key pieces of information, and you have a document you can rely on if the worst actually happens.

Practice Practice Practice

Once you have an incident response plan prepared, the next step in establishing your readiness is to try it out in a safe environment. The National Cyber Security Centre's Exercise in a Box is an excellent starting point. It helps you test how well you and your business can respond to a cyber-attack.

Security practitioners increasingly accept that blocking every cyber-attack is not an achievable outcome, and that it makes sense to be prepared for when a breach occurs. Being well prepared for a breach is a key step in making yourself resilient online. So, download our template and try it out to see how well your company does. And if you need more guidance or support, contact the centre and we will see how we can help.

Further guidance & support

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiry system which can be found at

We also provide free guidance on our website at and we would always encourage you to sign up for our free core membership.

Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Our site also contains a range of guidance and tools that can be accessed free of charge. The National Cyber Security Centre (NCSC) has also created the Small Business Guide to Response and Recovery. It gives small and medium-sized organisations guidance on how to prepare their response to a cyber incident and plan their recovery from it. It can be found here

Finally, you may have access to some form of IT support within your business. We recommend that you speak to them now to discuss how they can implement cyber resilience measures on your behalf, find out whether a response plan is currently held for your business, and check whether it is still up to date.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.