Published 2024-08-20 by TechNet New England
Email compromise is one of the most common and damaging cyberattacks. Attackers who gain access to your email can read sensitive information, send messages as you, access other accounts through password resets, and move laterally into your organization. Here is how to check for compromise and what to do about it.

## Signs Your Email May Be Compromised

- **Unexpected password reset emails** for accounts you did not request.
- **Sent messages you did not write.** Check your Sent folder for unfamiliar messages.
- **Missing emails.** Attackers sometimes delete emails to cover their tracks.
- **Inbox rules you did not create.** Rules that forward, delete, or move messages automatically.
- **MFA prompts you did not trigger.** If you receive authentication requests when you are not signing in, someone else is trying to use your credentials.
- **Colleagues or contacts say they received strange emails from you.**
- **Sign-in alerts from unfamiliar locations or devices.**

## Step 1: Check Sign-In Activity

### Microsoft 365

1. Go to [mysignins.microsoft.com](https://mysignins.microsoft.com).
2. Review the list of recent sign-ins.
3. Look for sign-ins from unfamiliar locations, IP addresses, or devices.
4. Look for sign-ins at unusual times (like 3 AM when you were asleep).

### Google

1. Go to [myaccount.google.com/security](https://myaccount.google.com/security).
2. Under "Your devices," review the list of devices where your account is active.
3. Under "Recent security activity," check for unfamiliar events.

## Step 2: Check Email Rules and Forwarding

Attackers commonly set up email rules that forward your messages to an external address so they continue receiving your email even after you change your password.

### Microsoft 365 (Outlook)

1. Go to [outlook.office.com](https://outlook.office.com).
2. Click the gear icon > **View all Outlook settings**.
3. Click **Mail > Rules**. Delete any rules you did not create.
4. Click **Mail > Forwarding**. Make sure forwarding is not enabled to an unknown address.

### Gmail

1. Go to [mail.google.com](https://mail.google.com).
2. Click the gear icon > **See all settings**.
3. Click **Filters and Blocked Addresses**. Review all filters. Delete any you did not create.
4. Click **Forwarding and POP/IMAP**. Make sure forwarding is disabled or only goes to addresses you control.

## Step 3: Change Your Password Immediately

Change your email password to something new and strong. Do not reuse a password from any other account.

A strong password is at least 14 characters and includes a mix of uppercase, lowercase, numbers, and symbols. Better yet, use a passphrase: a string of random words that is long but easy to remember.

## Step 4: Enable or Verify MFA

If MFA is not already enabled, enable it now. If it was enabled and the attacker still got in, check your MFA settings:

1. Go to your account's security settings.
2. Remove any authentication methods you do not recognize (unfamiliar phone numbers, unknown authenticator apps).
3. Re-register your own phone or authenticator app.

## Step 5: Check Other Accounts

If your email was compromised, any account that uses that email for password resets is at risk. Check and secure:

- Banking and financial accounts.
- Cloud storage (Dropbox, Google Drive, OneDrive).
- Social media.
- Any other accounts tied to that email address.

## Step 6: Notify Your IT Provider

If this is a work email, notify your IT help desk immediately. They can:

- Check server logs for the full scope of the compromise.
- Disable the account if needed.
- Reset sessions and tokens.
- Scan for data exfiltration.
- Notify affected parties if sensitive data was exposed.

## Step 7: Check HaveIBeenPwned

Go to [haveibeenpwned.com](https://haveibeenpwned.com) and enter your email address. This free service shows whether your email and password have appeared in known data breaches. If your credentials were exposed in a breach, change the password for every account where you used that same password.

## Prevention

- Enable MFA on every account that supports it.
- Use a password manager so every account has a unique password.
- Do not click links in unexpected emails asking you to sign in.
- Report suspicious emails to your IT team.
- Complete security awareness training when offered.
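The sign-in review from Step 1, expressed as code so the same checks can be run over an exported sign-in list rather than read off the screen. This is an added example, not code from the TechNet New England article or from Microsoft or Google; the sample records are constructed, and the field names together with the owner's profile (known countries and devices, waking hours, time zone) are assumptions you would replace with your own.

```python
"""Flag suspicious entries in a recent sign-in list (Step 1).

Added example, not code from the TechNet New England article. The records are
constructed to carry the fields you see on mysignins.microsoft.com or under
Google's "Recent security activity"; the key names and the owner's profile
(known countries, devices, waking hours, time zone) are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample sign-ins (UTC timestamps, RFC 5737 documentation IPs).
SAMPLE_SIGNINS = [
    {"time": "2024-08-19T13:12:00+00:00", "ip": "203.0.113.10", "country": "US",
     "device": "Windows / Edge", "result": "success"},
    {"time": "2024-08-19T07:04:00+00:00", "ip": "198.51.100.77", "country": "NG",
     "device": "Linux / Chrome", "result": "success"},
    {"time": "2024-08-19T07:01:00+00:00", "ip": "198.51.100.77", "country": "NG",
     "device": "Linux / Chrome", "result": "failure"},
    {"time": "2024-08-19T17:45:00+00:00", "ip": "203.0.113.10", "country": "US",
     "device": "Windows / Edge", "result": "success"},
]

# Assumed profile of the account owner.
KNOWN_COUNTRIES = {"US"}
KNOWN_DEVICES = {"Windows / Edge", "iPhone / Outlook"}
ACTIVE_HOURS = range(6, 23)                # local hours the owner is normally awake
LOCAL_TZ = timezone(timedelta(hours=-4))   # owner's zone (US Eastern, daylight time)


def review_signins(signins, known_countries=KNOWN_COUNTRIES,
                   known_devices=KNOWN_DEVICES, active_hours=ACTIVE_HOURS,
                   local_tz=LOCAL_TZ):
    """Return [(record, [reasons])] for sign-ins that deserve a closer look.

    Reasons mirror the article's checklist: unfamiliar location, unfamiliar
    device, unusual hour. A success preceded by a failure from the same IP is
    also flagged, since the owner rarely fumbles a login from a new address.
    """
    ordered = sorted(signins, key=lambda r: r["time"])   # ISO strings sort chronologically
    failures_seen = set()                                 # IPs with an earlier failed attempt
    findings = []
    for rec in ordered:
        reasons = []
        local_time = datetime.fromisoformat(rec["time"]).astimezone(local_tz)
        if rec["country"] not in known_countries:
            reasons.append(f"unfamiliar location ({rec['country']}, {rec['ip']})")
        if rec["device"] not in known_devices:
            reasons.append(f"unfamiliar device ({rec['device']})")
        if local_time.hour not in active_hours:
            reasons.append(f"unusual time ({local_time.strftime('%H:%M')} local)")
        if rec["result"] == "failure":
            failures_seen.add(rec["ip"])
        elif rec["ip"] in failures_seen:
            reasons.append("success after a failed attempt from the same IP")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review_signins(SAMPLE_SIGNINS):
        print(rec["time"], rec["ip"], rec["result"])
        for reason in reasons:
            print("   -", reason)
```

Run as a script it prints the two Nigerian entries with their reasons and stays silent about the owner's own daytime logins. The hour check converts to the owner's local zone first; comparing raw UTC hours is a common mistake that either hides a 3 AM login or flags a normal one.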
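The rule and forwarding review from Step 2 as a small checker. This is an added example, not code from the article or from Microsoft or Google: the rule records are constructed to resemble what the Outlook and Gmail settings pages show, and the dictionary keys, the `created_by_me` flag and the owner's domain list are assumptions rather than any vendor's export format.

```python
"""Review mailbox rules and forwarding for attacker persistence (Step 2).

Added example, not code from the article. The rule records are constructed to
resemble what Outlook's Mail > Rules / Mail > Forwarding and Gmail's Filters /
Forwarding pages show; the dictionary keys and the owner's domain list are
assumptions, not any vendor's export format.
"""

OWN_DOMAINS = {"example.com"}   # assumed: domains whose mailboxes the owner controls

# Constructed sample: three rules plus the mailbox-level forwarding setting.
SAMPLE_RULES = [
    {"name": "Receipts", "created_by_me": True,
     "conditions": {"from_contains": "receipts@"},
     "actions": {"move_to": "Receipts"}},
    {"name": ".", "created_by_me": False,
     "conditions": {"subject_contains": "invoice"},
     "actions": {"forward_to": "mail-backup@example.net", "delete": True}},
    {"name": "Security alerts", "created_by_me": False,
     "conditions": {"subject_contains": "password reset"},
     "actions": {"move_to": "Archive", "mark_read": True}},
]
SAMPLE_FORWARDING = {"enabled": True, "address": "me@example.com"}


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def review_rules(rules, forwarding, own_domains=OWN_DOMAINS):
    """Return [(rule_name, [reasons])] for rules and settings to remove or verify.

    Flags the behaviours the article warns about: forwarding to an address
    outside the owner's domains, automatic deletion, moving messages out of
    sight, and any rule the owner does not remember creating.
    """
    findings = []
    for rule in rules:
        reasons = []
        actions = rule.get("actions", {})
        target = actions.get("forward_to") or actions.get("redirect_to")
        if target and domain_of(target) not in own_domains:
            reasons.append(f"forwards mail to external address {target}")
        if actions.get("delete"):
            reasons.append("deletes messages automatically")
        if actions.get("move_to") and actions.get("mark_read"):
            reasons.append(f"moves messages to '{actions['move_to']}' and marks them read")
        if not rule.get("created_by_me", False):
            reasons.append("not created by the account owner")
        if reasons:
            findings.append((rule["name"], reasons))
    # Mailbox-level forwarding survives a password change just as a rule does.
    if forwarding.get("enabled"):
        addr = forwarding.get("address", "")
        if not addr or domain_of(addr) not in own_domains:
            findings.append(("<mailbox forwarding>",
                             [f"forwards all mail to external address {addr or '(unset)'}"]))
    return findings


if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES, SAMPLE_FORWARDING):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

The one-character rule name "." is deliberate in the sample: a rule with a near-empty name is easy to miss when scanning a settings page, which is exactly why the check keys on actions rather than names. Forwarding to an address in one of your own domains passes, which is why `SAMPLE_FORWARDING` produces no finding.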
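Step 7 describes the email-address search at haveibeenpwned.com. The same service also publishes a Pwned Passwords range API that lets you check a password against the breach corpus without ever sending the password or its full hash: only the first five hex characters of its SHA-1 digest leave your machine, and the server returns every suffix in that range with a count. This added example (not code from the article or from Have I Been Pwned) shows the client side of that k-anonymity exchange; the range response body below is constructed, not a real reply, and only `fetch_range` touches the network.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not part of the article. The article's Step 7 is the e-mail
breach search; this is the companion password service. SAMPLE_RANGE_BODY is a
constructed response, and its counts are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses carry hundreds of lines; three are enough to show the format.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the service keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """(prefix sent to the server, suffix kept local)."""
    return hex_digest[:5], hex_digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of breach appearances, given the range response for the password's prefix."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup. Only the 5-character prefix is sent; matching is done locally."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "email-compromise-checklist-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_live(password):
    """Convenience wrapper around the two steps; needs network access."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print("password ->", breach_count("password", SAMPLE_RANGE_BODY), "appearances")
    print("unique phrase ->", breach_count("a-phrase-nobody-else-picked-2024", SAMPLE_RANGE_BODY))
```

Any count above zero means the password is in circulation and should be retired everywhere it was used, which is the same advice Step 7 gives for a breached email address. The `User-Agent` value is only a constructed label; the service asks clients to identify themselves, and any descriptive string will do.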