Ten Steps To Take When Your Email Account is Hacked
It can happen to anyone! Sometimes all it takes is opening an infected email attachment or entering your email username and password into a website portal that turns out to be fake. Unfortunately, with the way digital technology works, if you're connected to the Internet, you can be hacked. While running up-to-date anti-virus and anti-malware protection helps mitigate your risks, nothing can completely protect you.
Here are ten steps you should take when your email account is hacked.
1. Take a breath and don’t panic!
Hackers rely on people panicking in the hopes they will make rash decisions. Fake pop-up windows and infected email messages are often written to concern, anger or frighten the reader. When you receive such a popup or a suspect email, STOP and take a moment to assess the situation. You may find that you are not actually hacked. Instead, a hacker could be presenting you with a fake pop-up window urging you to call a phone number. Or you could have received an email claiming that you have been hacked when all they did was change the displayed sender name on the email to make it look like YOU had sent out the fake email.
However, if you clicked on a suspect hyperlink, entered your email login credentials into a fake website, or opened an email attachment that turned out to be fake, you may have just allowed a hacker into your mailbox.
If you are unsure how to complete the steps below, please call your I.T. person immediately. Otherwise, take a breath and continue with the steps below.
2. Change your email password right away.
(a) If you are using cloud email like Google Workspace or Microsoft 365
Try opening your cloud email in a web browser. If you can still log into your cloud mailbox, find your account settings and change your mailbox password. If you cannot log into your email account because the hacker has already changed your email password, try to use the “forgot password” method to change your password again. There is often a forgot password link on the login screen of your cloud email.
(b) If you are using an email program like Outlook or Thunderbird
If you are using a legacy email service like POP3 or IMAP with a program like Outlook or Thunderbird, you may need to contact the company that provides your email service. Ask them how you can change your email password or whether they can change the password for you. Once it is changed, your email program will prompt you to enter the new password. Be sure to tick the check box for remembering your new email password.
(c) Don’t know what email you use or cannot change your email password?
If you are unsure what type of email you use or you’re unable to change your email password, please contact an I.T. professional right away. They can quickly determine who hosts your mailbox and provide you with advice on how to proceed. Your I.T. person may also have administrative access to your mailbox to change your email password for you.
NOTE: Use Complex Passwords
Make sure to use a more complex email password that includes letters, numbers and special characters like an exclamation point, pound sign or dollar sign.
(d) Document Your New Password
After changing your email password, STOP HERE for a moment and record your new password somewhere safe. It is easy to forget new passwords, especially when you are rushed.
3. Force logout / sign-off option
It is not always enough to simply change your email password. The hacker could still be in your mailbox and still able to perform email related tasks because they have not yet been prompted to enter your new email password.
(a) If using Microsoft 365 for email
If you are using Microsoft 365 for your email, ask your email administrator to perform a forced sign-out of your account from the Microsoft 365 administrative dashboard (admin center). Changing the password alone does not end sessions that are already open.
(b) If using Google Workspace or Gmail for email
If you are using Google hosted cloud mailboxes and are still logged into your mailbox, go to https://myaccount.google.com/device-activity?pli=1, click the three vertical dots next to each device and select “Sign out”.
If you cannot log into the hacked Google mailbox, or you do not see the three vertical dots but you can still log into the Google Admin console, try suspending the user of the hacked mailbox after changing the password. Wait a while and then remove the suspension from the user account. This should kick out the hacker.
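For a Microsoft 365 administrator, the forced sign-out described in step 3(a) can also be done from PowerShell. This is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds an administrative role, and that the user address passed in is a placeholder for the hacked mailbox.

```powershell
# Added example (not from the original article): force a sign-out of a
# compromised Microsoft 365 account using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run and the caller is an admin.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. "victim@example.com"
)

# Sign in with a permission that allows modifying user accounts.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Invalidate every refresh token and session cookie issued to this user.
# Access tokens already issued expire on their own (normally within about an
# hour), so keep checking the mailbox; the intruder is not gone instantly.
Revoke-MgUserSignInSession -UserId $UserPrincipalName

# Equivalent of "suspending" the user: block sign-in while the password reset
# and the rule/filter review (step 4) are finished, then re-enable.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
# After cleanup is complete:
# Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true

# Confirm the block took effect.
Get-MgUser -UserId $UserPrincipalName -Property DisplayName, AccountEnabled |
    Select-Object DisplayName, AccountEnabled
```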
4. Check for bogus rules or filters.
Hackers will sometimes create special commands within your mailbox, called “rules” in Microsoft Office 365 or “filters” in Google Mail. These rules/filters work in the background to move emails between folders, respond automatically to incoming emails, or perform some other automatic function.
Check your rules or filters for any automated rules or filters that you do not recognize and delete them.
For example, a hacker may create a rule or filter to automatically send any new incoming email directly to your trash folder. They do this so that you are less likely to notice all the non-deliverable email alerts you will receive, and to hide replies from your contacts asking why you sent them a suspicious email.
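An administrator can audit the rules described in step 4 on a Microsoft 365 mailbox with Exchange Online PowerShell rather than clicking through each one. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, the caller has Exchange admin rights, and the mailbox address and internal domain are placeholders. It goes slightly beyond the text by also flagging rules that forward or redirect mail outside your own domain, and mailbox-level forwarding, which attackers commonly set as well.

```powershell
# Added example (not from the original article): list inbox rules on one
# Microsoft 365 mailbox and flag patterns that commonly indicate a hack.
# Assumes: Install-Module ExchangeOnlineManagement; placeholders for addresses.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox,                         # placeholder, e.g. "victim@example.com"
    [string]$InternalDomain = "example.com"   # placeholder for your own domain
)

Connect-ExchangeOnline -ShowBanner:$false

Get-InboxRule -Mailbox $Mailbox | ForEach-Object {
    $rule = $_
    $reasons = @()

    # Rules that discard or bury mail hide bounce messages and replies.
    if ($rule.DeleteMessage) { $reasons += "deletes messages" }
    if ($rule.MoveToFolder -match 'Deleted Items|Junk|RSS|Archive|Conversation History') {
        $reasons += "moves mail to '$($rule.MoveToFolder)'"
    }
    # Weak signal on its own, but often paired with the two above.
    if ($rule.MarkAsRead) { $reasons += "marks mail as read" }

    # Forwarding or redirecting to an outside address is a data-theft rule.
    $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
    foreach ($t in $targets) {
        if ($t -and ($t -notmatch "@$([regex]::Escape($InternalDomain))")) {
            $reasons += "sends mail to external '$t'"
        }
    }

    [pscustomobject]@{
        Rule       = $rule.Name
        Enabled    = $rule.Enabled
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Mailbox-level forwarding is set outside the rules list; check it too.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Remove a rule only after confirming with the user that it is not theirs:
# Remove-InboxRule -Mailbox $Mailbox -Identity "<rule name>"
```

Review every flagged rule with the mailbox owner before deleting it, since legitimate archive or mark-as-read rules will also appear in the output.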
5. Verify that your contact list and calendar are intact.
Some hackers have been known to also delete your contact list and/or your calendar after a hack. If you find that your contacts, calendar, or even your saved emails are gone, contact your I.T. person to discuss options. Microsoft 365 and Google may allow you to restore deleted data up to a certain date.
NOTE: Backup Your Mailbox, Contacts and Calendar
Ask your I.T. person what options they have for backing up your mailbox, contacts and calendar. Some mailboxes can be backed up through fee-based third-party subscription services. Some mailboxes can be manually backed up by your I.T. person. Consider setting up a recurring schedule to back up your mailbox, contacts and calendar.
6. Enable Two Factor Authentication (TFA) on your mailbox.
If you are using cloud email such as Google Workspace or Microsoft 365, consider enabling Two Factor Authentication (TFA) on your mailbox. Also known as Two-Step Verification or Multi-Factor Authentication (MFA), this feature adds an extra layer of security by requiring you to enter a one-time use numeric key that you receive through your cell phone. TFA and MFA are in addition to entering your normal email address and email password.
NOTE: Application Passwords
If you enable MFA or TFA you may be presented with a special “application password” that is to be used by email programs such as Microsoft Outlook or Mozilla Thunderbird. Be sure to write down this unique “application password” because you may need to use this application password in your email programs instead of your normal, real email password.
7. Scan your computer for viruses and malware.
Email hacking can occur without there being a virus on your computer. However, it is a good idea to scan your computer just to be safe. Use your preferred antivirus and anti-malware program and be sure to run a full scan. You may find infections within your computer that are unrelated to the email hack.
Read our article: How to run an AVAST Antivirus Scan
Read our article: How to run a Malwarebytes Scan (Retail Edition)
8. Notify your contacts
You may wish to email your contacts to let them know that you were hacked and to warn them not to open any bad email message that may have been sent from your mailbox by the hacker. This is considered the polite and professional thing to do; however, you need to be careful with how many contacts you email at once.
Some mail servers monitor how many emails you send because the primary symptom of a hacked mailbox is a large amount of outgoing email. If your mailbox was hacked, the mail server you use may be setting off an alarm right now regarding too many outgoing emails being sent. If you now decide to send an email to all of your contacts, even a legitimate email message, your mail server may assume that you are still hacked and block you.
You may be better off calling your important contacts. If you do decide to email your contacts, consider sending your email from a different email address and/or dividing your contact list into small groups. Send to the first group of contacts and then wait 15-60 minutes between each subsequent sending. This may make it less likely that your mail server concludes you are still hacked.
9. Contact your I.T. person
Contact your I.T. person and inform them of what happened and the steps you have taken to correct the situation. Your I.T. person will appreciate knowing what happened and may be able to provide additional advice beyond the steps listed here.
10. Check the next day to see if your account has been blocked
Some email providers, like Microsoft and Google, monitor the amount of outgoing email you are sending. If they detect that your account is sending or has recently sent out large quantities of email, they may place a block on your mailbox. However, some of these email providers can be slow to block a mailbox. Some users report that they were unable to use their email the day after their mailbox was hacked, even after having resolved the hack. Contact your I.T. person for assistance if you find that your mailbox is not working the day after your email was hacked.
Lastly, do not be surprised if you continue to receive non-deliverable email notification messages for the next few days. This is normal and not necessarily a sign that you are still hacked. However, if you continue to receive non-deliverable email notifications beyond that, consult with an I.T. professional to have them double-check your mailbox.