// OPERATOR LOG · ENTRY 801 · MISSION 08 · BRIEFING 01 OF 07 · EST 7 MIN

Recognising you have been compromised

The signals that you're under attack right now

Most compromises don't announce themselves. By the time you notice 'something is wrong', the attacker has been inside for hours, days, or months. Recognising the early signals is the difference between a minor cleanup and a full identity-theft event.

This lesson is the diagnostic. The next lessons in this module are the response.

Signals on your email account

  • Unexpected password-reset emails for services you didn't ask to reset. Each one means an attacker tried to take over that account.
  • Login notifications from unfamiliar locations or devices. Most providers send these by default; don't dismiss them as noise.
  • Sent items you didn't send. Even one. Attackers often delete them, so spot-checking 'Sent' for things you don't remember is a useful audit.
  • Forwarding or filtering rules you didn't create. A common attacker move is to auto-forward incoming mail to themselves and then delete it before you see it.
  • Recovery email or phone number you don't recognise. Always check the security settings page once a quarter.

Signals on your phone

  • Sudden 'No service' for more than a few minutes while other devices on the same carrier work fine. Treat it as a SIM swap until proven otherwise.
  • Unfamiliar profile or device-management certificates installed (iOS: Settings → General → VPN & Device Management).
  • Apps you don't remember installing.
  • Battery drain and warmth at idle. Sometimes caused by spyware running in the background.
  • Strange SMS messages that arrive already marked as read, even though you never opened them.

Signals on your computer

  • New browser extensions you didn't install.
  • Unexpected pop-ups asking you to 'verify' something after you arrive at a routine site.
  • CPU at 100% when you're not doing anything heavy. Could be a cryptominer.
  • A 'support' window that appears out of nowhere with a phone number to call. This is always a scam. Real OS-level support never works that way.

Signals on your bank or brokerage

  • Logins you don't remember in the activity log.
  • Transactions you didn't make, especially small 'test' charges of $1-$5 followed by larger ones.
  • Mailing-address change confirmations you didn't request.
  • Statements that don't arrive when they normally would (the attacker may have changed the address to suppress notifications).

A signal worth special attention: 'cleanup' messages

A particularly chilling pattern: you receive a message apparently from yourself — your own email or social account — apologizing for sending malware or claiming to be hacked. Attackers send this from your account after compromising it, to discourage your contacts from believing real follow-up warnings from you. If you see one of these to or from yourself, treat it as confirmation that your account is compromised.

The integrative check

Once a quarter, spend 10 minutes:

  1. Open the security/activity page on your email, bank, primary social account, and password manager.
  2. Review login devices. Sign out anything you don't recognise.
  3. Check for unfamiliar recovery contacts or forwarding rules.
  4. Spot-check your Sent folder.

A quarterly review is your tripwire. Anything caught early is much cheaper to clean up.