A compromised email at a brokerage: the real case and the reflexes to adopt

A broker in Walloon Brabant had their email hacked and hundreds of fraudulent messages sent to clients. Here are the three reflexes to adopt and the mistakes to avoid.
One morning, a brokerage in Walloon Brabant discovers that its email account has been hacked. Hundreds of fraudulent messages have been sent to all its contacts: clients, insurers, partners. Every recipient received an email from the office's official address. This real case, shared by Portima, illustrates a threat that every broker should take seriously.
Brokerages are prime targets
In Belgium, an average of 1,090 cyberattacks per week are recorded. According to the Hiscox 2024 report, 67% of surveyed companies (including 250 Belgian ones) experienced at least one attack, and 61% fear reputational damage above all.
Brokerages handle sensitive data on a daily basis: national register numbers, bank details, health information, contracts, certificates. Fraudulent access to an employee's email gives access to all this information. And clients who receive a suspicious email from your address do not distinguish between a hack and negligence.
Three reflexes if your email is compromised
Portima recommends a nine-step protocol. Here are the three priority reflexes.
1. Do not turn off the machine. This is most people's first reflex, and it is the worst mistake. The machine contains evidence of the intrusion: connection logs, malware traces, action history. Turn it off and you lose everything. The right action: immediately disconnect the machine from the network (Ethernet cable, Wi-Fi, everything), but leave it powered on.
2. Alert immediately. Your IT manager, your management, Portima if you use Brio, and above all your colleagues. One click by a staff member on a link in a fraudulent email and the entire chain falls. The speed of internal alerting determines the extent of the damage.
3. Change all passwords. Every password that was accessible from the compromised machine: email, CRM, insurer extranets, Brio access, everything. If you use the same password across multiple services (which you should stop doing), change them all.
The first 48 hours are decisive
Everything plays out in the first 48 hours after a cyber incident. The speed of response determines whether the incident remains an inconvenience or becomes a crisis. Documenting the facts, notifying affected clients, filing a complaint if necessary, contacting your cyber insurance: all of this must happen quickly and in a structured manner.
The Centre for Cybersecurity Belgium (CCB) and Safeonweb offer resources and procedures adapted to Belgian SMEs.
Prepare a procedure before it happens
The real advice is not knowing what to do after a hack. It is preparing a procedure beforehand. A simple document, accessible to every employee, describing the steps to follow in case of an incident. Who to contact, in what order, what actions to take, what actions to avoid.
Offices that have this document react in hours. Others react in days. And in a context where your clients entrust you with their most sensitive data, the difference between the two is the difference between a controlled incident and lasting loss of trust.
Digital security is an integral part of managing a modern brokerage. Solutions like the NextMove ecosystem integrate security best practices from the design stage: secure hosting, enhanced authentication, access separation. It is a foundation on which to build a reliable digital practice.


