First off, you NEED to speak to your IT people straight away. If you don’t have an IT person in house, you need to talk to an outsourced IT management company (perhaps via email or phone). We will have the know-how on what to do next and how best to avoid the most damage.
Second, you NEED to change your passwords. If they have your data for one email address, and you use the same password for every account, they now have your credentials for your entire online activity – emails, online shopping like Amazon, possibly even banking. You need to change all of your passwords to something secure.
If you have an antivirus system, scan your PC immediately. It’s like everything else: if the keys to your house had been stolen, you would immediately change the locks, not sit around waiting to see what happens.
You basically need to shut everything down as much as possible, lock everything up extremely securely to keep everybody out, and try to mitigate any damage. If you’re in a company and feel that you may have been compromised in this way, you really need to reach out and tell people. Let every other member of staff know that there’s a chance that they’ve been infected.
There seems to be a lot of shame attached to these things. People can feel very embarrassed that they’ve been caught out, but the important thing to know is that you’re not alone. People get caught by malware and phishing emails all the time – that’s why antivirus is such a big industry. You’ve been attacked by somebody using a method known as social engineering – you can read more about this in my article here. They’ve built their dodgy emails in a way that grabs people’s attention and catches them off guard. If you’re busily working in your business, you’re probably used to seeing an email and responding to it quickly to get it out of the way and carry on working. That’s how something like this is built: it creates a sense of urgency and pushes you to quickly give up your details.