Email accounts are a common target for cybercriminals. If cybercriminals gain access to your email account they can steal your sensitive information, commit fraud or send emails pretending to be you.
Proactively reviewing your email account’s security will help you to prevent its compromise and increase your chances of regaining control if it becomes compromised.
The step-by-step guides below explain how to check the security of your email accounts following an incident or suspicious behaviour.
Gmail
If you are concerned that your email account has been hacked, it is important to log in to your account as soon as possible. Once logged in, you can change your password to disrupt a cybercriminal’s access and regain control over your email account.
If a cybercriminal has changed your password, skip to Step 1A to recover your email account.
1. Visit www.gmail.com and enter your email address.
2. Once logged in, select the Profile icon (top right) and then select Manage your Google Account.
3. From the list on the left side of the screen, select Security.
4. Scroll down to the section labelled Signing in to Google and select Password. Enter your current password and choose a new password.
When choosing a new password, consider creating a passphrase. A passphrase uses four or more random words as your password, which is hard for cybercriminals to guess but easy for you to remember. Read more information on creating strong passphrases.
After you have reset your password, skip to Step 2.
Step 1A: Recover your email account
Recovery of your email account is only required if a cybercriminal has changed your password. If you have completed the previous step, you can skip this one.
Note that this recovery process will require you to confirm your identity by providing either your phone number or a recovery email address.
1. Visit www.gmail.com and enter your email address.
2. Select Forgot password?
3. One option to recover your email account is to enter the last password you remember using before your password was changed by a cybercriminal. If you cannot remember your password, select Try another way. Carefully follow the recovery process and instructions.
Please note that this process will be different from person to person depending on what security measures you have set up for your email account. Some recovery methods may include:
- Providing a code from your multi-factor authentication app
- Providing a verification code sent to your alternative recovery email address
- Providing a code sent to your mobile phone via SMS
- Inputting the last password you remember
In some cases, a cybercriminal might change the recovery details of hacked accounts. They can use this as a way to regain access to the email account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address or recovery mobile phone.
1. From the home screen, select the Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side of the screen, select Personal info.
3. Scroll down to the section labelled Contact info. You can now change your recovery email and recovery mobile. In doing so, it is important these are changed to email accounts or devices you can access.
4. To change your email, select Email.
5. Select Add recovery email. You will be prompted to re-enter your password.
6. Google will use your recovery email to reach you if unusual activity is detected on your email account or you are accidentally locked out. Select the pencil icon. A prompt will open where you can add or update your recovery email.
7. Select Save to go back to Email (Step 4).
8. From the email options, scroll down to Alternative emails. It is important to check that no unknown or suspicious email accounts are listed, as a cybercriminal may use these to access your account. If there are email addresses you don’t recognise, select Manage alternate emails.
You will be prompted to re-enter your password. Remove all alternate email accounts to ensure that an alternate account cannot be used to access your account.
9. To change your phone number, go back to Personal info and select Phone.
10. Select Phone and then the phone number you wish to change. If you have not entered a phone number, you can select Add now and follow the on-screen prompts.
Google will use your recovery phone number to reach you if unusual activity is detected on your email account or you are accidentally locked out. Select the pencil icon and re-enter your password.
A prompt will open where you can update your phone number.
Cybercriminals may still be logged in to your email account after you have regained access. By signing out of all sessions you will disrupt a cybercriminal’s access and regain control over your email account.
To sign out of all sessions, you will need to change your password. If you have already changed your password in Step 1, then you have already completed this step.
If you have not yet changed your password, instructions on how to do this can be found in Step 1.
Turning on multi-factor authentication is the most important defence against cybercriminals gaining access to your email account.
Multi-factor authentication makes it harder for cybercriminals to gain access to your email account by making them guess two pieces of information rather than one (such as a password and a constantly changing PIN).
For a more detailed set of instructions, see the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) Step-by-Step guide Securing Google Accounts.
Cybercriminals will sometimes set up ‘forwarding rules’ to send themselves a copy of emails coming into or leaving your email account. You should check your email account to see if cybercriminals have set up forwarding rules and delete any you don’t recognise.
1. Log in to your Google account. Select the Google apps button and select Gmail.
2. From your email account, select the Settings icon (cog) and select See all settings.
3. From the tabs at the top of the page, select the Filters and blocked addresses tab.
4. Check that no unfamiliar filters are being applied to incoming emails and that no unexpected email addresses are being blocked. Delete any unfamiliar filters or blocked addresses.
A cybercriminal may have set these up to hide emails from you, especially if customers or contacts have become suspicious and tried to reach out to you.
5. From the tabs at the top of the page, select the Forwarding and POP/IMAP tab.
POP and IMAP are protocols that allow emails to be accessed through other applications, such as Microsoft Outlook, Apple Mail and Mozilla Thunderbird. Cybercriminals sometimes use these as another method of accessing your email account, as it can allow them to bypass some security measures such as multi-factor authentication.
6. Make sure there are no forwarding rules; this stops a cybercriminal who may be forwarding your incoming emails. If you don’t use an email application and only use a web browser to access your emails, consider disabling POP and IMAP, as these can be used by cybercriminals to access your emails from another application. Select Save changes when finished.
Have you ever logged into another application or website using your email account, sometimes without needing to put in your password? Many websites and applications can use this method to avoid having to create a new user account. However, the connection this creates between your email account and the website/application is a common way for hackers to gain access to your email account.
Check if there are any apps or services that have access to your account and remove any that you don’t recognise or no longer require.
1. From the home screen, select the Profile icon (top right) and then select Manage your Google Account.
2. From the list on the left side of the screen, select Security.
3. Scroll down to Third-party apps with account access and select Manage third-party access.
4. It is important to reduce the access by third-party apps to your email account. If a cybercriminal has hacked a third-party app, they may be able to use it to enter your email account.
Select Remove Access for each app listed that you didn’t configure yourself. If you’re not sure what an app is, remove it; access can be reconfigured later if required.
5. Scroll down and select Google Account sign-in prompts to ensure the toggle is turned off. This will disable the ability to sign in to third-party applications using your Google account.
You can see what devices have been used to log in to your account, the time and date they logged in and an estimation of the location where your account was logged in to. As a good practice, regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations. By doing so, you will be able to pick up on anything suspicious.
1. From the home screen, select the Profile icon (top right) and then select Manage your Google Account.
2. From the list on the left side of the screen, select Security.
3. Scroll down to Your Devices and select Manage Devices.
4. Check the devices you have logged in to. If you see any suspicious activity since the last time you changed your password, change your password immediately. Alternatively, you can select Don’t recognise this device and use Google’s security check-up to change your password.
If you have recently changed your password, you will have been signed out of all sessions except the one you used to change your password. You can check all the devices that have been signed out by scrolling down to Where you’ve signed out.
Here are some things to consider to help you identify suspicious activity:
- The Access Type – is this a device/browser/application you are familiar with, use or own?
- The Location (IP address) – was the login from a country you are familiar with?
- The Date/Time – does the login date and time seem out of the ordinary?
Check email folders
Once you have made sure only authorised persons have access to your email account, you may want to consider checking your email folders, specifically your sent and deleted items. This will help you assess what actions a cybercriminal has taken if they accessed your account.
1. From your inbox, select Sent to view your sent emails.
Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent.
Compare any unusual activity times with the time the email was sent. Verify login records to confirm that a criminal contacted someone from your email account.
2. Under the Sent folder on the right, select More to make more folders visible.
3. Undertake the same steps taken for your other folders, especially Drafts and Trash folders.
Enhanced Safe Browsing is a tool that will warn you about risky downloads, sites and extensions. It will also warn you about potential password breaches, and it sends additional data to Google about your activity.
Find more information on Google's website on Google Enhanced safe browsing.
1. Select the Profile icon (top right) and then select Manage your Google Account.
2. From the list on the left of the screen, select Security.
3. Scroll down to Enhanced Safe Browsing for your account and select Manage Enhanced Safe Browsing.
4. Toggle Enhanced Safe Browsing, read the information and follow the prompt to turn it on.
Outlook.com, Microsoft 365, Live, Hotmail, and MSN
If you are concerned that your email account has been hacked, it is important to log in to your account as soon as possible. Once logged in, you can change your password to disrupt a cybercriminal’s access and regain control over your email account.
If a cybercriminal has changed your password, skip to Step 1A to recover your email account.
1. Visit https://account.microsoft.com and select Sign in in the top right corner of the page. Enter your email address and select Next.
2. Enter your password and select Next.
3. Once logged in, select the Profile icon (top right) and then select My Microsoft Account or My Account.
4. On the top menu bar, select Security.
5. Under Security Basics, on the Password security tile, select Change my password.
6. Enter your current password, enter and confirm your new password, and select Save. Once you change your password, all other sessions will be prompted for the new password; this may take a few minutes.
After you have reset your password, skip to Step 2: Update your account recovery details.
When choosing a new password, consider creating a passphrase.
A passphrase uses four or more random words as your password, which is hard for cybercriminals to guess but easy for you to remember.
More information on creating strong passphrases is available from the ASD's ACSC.
Step 1A: Recover your email account
Recovery of your email account is only required if a cybercriminal has changed your password. If you have completed the previous step, you can skip this one.
Note that this recovery process will require you to confirm your identity by providing either your phone number or a recovery email address.
1. Visit https://account.microsoft.com and select Sign in in the top right corner of the page. Enter your email address and select Next.
2. Select Forgot password?
3. If you have access to an external Email or Mobile phone to receive the recovery code, select the appropriate method and proceed to Step 4 of 1A.
If you don’t have access to any of these, select I don’t have any of these and proceed to Step 5 of 1A.
4. If you have a recovery code, enter it and select Use recovery code. Proceed to Step 2: Update your account recovery details.
5. If you do not have any recovery accounts or a recovery code, select No which will begin the application process to recover your email address.
You may be required to provide an alternative email address to which a recovery code/email will be sent, and to complete an audio or visual CAPTCHA.
Provide as much information as possible as this will help you recover your account.
It may take several days or weeks to receive an outcome as your request is reviewed.
In some cases, a cybercriminal may change the recovery details of your email account. They can use this as a way to regain access to the email account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address or recovery mobile phone.
1. Select your Profile in the top right corner and select My Microsoft Account.
2. Select Security in the top menu bar. You may have to re-enter your password again to verify you can make changes to sensitive information.
3. Under Security Basics, on the Advanced security options or Security contact info tile, select Get started or Update my info.
4. Review the recovery details and select Remove for any security contact info you want to remove.
Note – if only one recovery mechanism is listed, and it is the one you want to delete, you will need to add a valid recovery mechanism first.
To do this, select Add Security info. This can be either a mobile number or an alternative email address.
Cybercriminals may be logged in to your email account after you have signed in.
By signing out of all sessions, you will disrupt a cybercriminal’s access and regain control over your email account.
1. Select your Profile icon in the top right corner and select My Microsoft Account.
2. Select Security in the top menu bar. You may have to re-enter your password again to verify you can make changes to sensitive information.
3. Select Get started on the Advanced security options tile.
4. Scroll down to Sign me out and select the Sign me out button. You will be prompted again to confirm whether or not you want to sign out. Select Sign me out.
Note that all account sessions on all browsers and devices will be signed out within 24 hours. Once completely signed out of all sessions and devices, sign back in again using your device to continue securing your Microsoft account.
Turning on multi-factor authentication is the most important defence against cybercriminals gaining access to your email account.
Multi-factor authentication makes it harder for cybercriminals to gain access to your email account by making them guess two pieces of information rather than one (such as a password and a constantly changing PIN).
For a more detailed set of instructions, see the ASD's ACSC’s Step-by-Step guide Protect Yourself: Multi-Factor Authentication.
Cybercriminals will sometimes set up ‘forwarding rules’ to send themselves a copy of emails coming into or leaving your email account. You should check your email account to see if cybercriminals have set up forwarding rules and delete any you don’t recognise.
1. Select Outlook in the navigation bar on the left.
2. Select Settings (cog icon) in the top right corner.
3. Scroll down and select View all Outlook settings.
4. In the Mail side bar menu, select Rules in the sub-menu and view all the rules. Check for any rules you don’t recognise and remove them. To remove any rules, select the delete icon (trash icon) and select OK.
5. Next, select Sync Email in the sub-menu and scroll down to view POP and IMAP.
POP and IMAP are protocols that allow emails to be accessed through other applications, such as Microsoft Outlook, Apple Mail and Mozilla Thunderbird. Cybercriminals sometimes use these as another method of accessing your email account, as it can allow them to bypass some security measures such as multi-factor authentication.
Check to see if any of your emails are being accessed by any suspicious external email clients or applications via POP. If you don’t use an email application and only use an internet browser to access your emails, consider disabling POP as it can be used by cybercriminals to access your emails from another application.
The IMAP server shown should be an Outlook or Microsoft Office server.
6. Next, select Forwarding in the sub-menu. From here you can check to see if any of your emails are being forwarded to another account.
Check that Enable Forwarding is unticked, or if forwarding is turned on, it is to an account you expected.
If forwarding is turned on to an account you don’t recognise then remove the address and turn it off by unticking the box.
7. Next, use “Manage how you sign in to Microsoft” to see if there are any unusual account aliases still associated to your account. First go to My Microsoft Account.
8. Select Your info.
9. Then go to Sign-in preferences.
10. Here, you will be able to manually remove any suspicious email addresses or phone numbers by selecting the Remove button.
Have you ever linked your Microsoft account to a third party service?
Many websites and applications can use this method to avoid having to create a new user account. However, the connection this creates between your email account and the website/application is a common way for hackers to gain access to your email account.
Check if there are any apps or services that have access to your account and remove any that you don’t recognise or no longer require.
1. Select your Profile icon (top right), then select My Microsoft Account or My Account.
2. Select Privacy in the top menu bar.
3. Scroll down to More privacy settings and under Apps and Services, select View app access details.
4. This lists all the apps that can access data related to your account.
Select Edit, then select Remove these permissions for any that you didn’t configure yourself.
Your login activity is a history of when and where someone has logged into your email account. Regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations.
1. Select your Profile icon (top right), select My Microsoft Account or My Account.
2. Select Security in the top menu bar. You may have to re-enter your password again to verify you can make changes to sensitive information.
3. Under Security Basics, on the Sign-in activity tile, select View my activity.
4. Here you can check the time and location of the logins into your account to verify that your email account has not been accessed at unusual times or from unusual locations.
If you see any suspicious activity since your last password change, select the drop down arrow for that session and select Secure your Account to change your password. Consider using a unique strong passphrase as your password.
Note that if you do go ahead and Secure your Account, you will need to verify your identity and change your password.
This will also automatically log you out of all other existing sessions.
Here are some things to consider to help you identify suspicious activity:
- The Access Type – is this a device/browser/application you are familiar with, use or own?
- The Location (IP address) – was the login from a country you are familiar with?
- The Date/Time – does the login date and time seem out of the ordinary?
Once you have made sure cybercriminals don’t have access to your email account, you may want to consider checking your email folders, specifically your Sent, Draft and Bin folders. This will help you assess what actions a cybercriminal may have taken when they accessed your email account.
If someone has hacked into your email account, they may have tried to reset passwords for other online accounts that are linked to that email address. These could be for banking and finance, social media, or other accounts. Check for any password reset emails.
1. To check sent items, select Sent items in the side menu.
Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent.
Compare any unusual activity times with the time the email was sent. Check login activity every time you become aware that a criminal contacted someone from your email account.
2. To check deleted items, select Deleted items in the side menu. You can recover deleted items by selecting Recover items deleted from this folder.
Undertake the same steps taken for your other folders, especially Drafts and Spam.
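The three questions listed under both the Gmail and Outlook login activity sections (access type, location, date/time), together with the advice to compare sent-email times with login times, can be applied systematically. The script below is an added example, not part of this guide: it runs those checks over a constructed sign-in history and sent-items list. Real Google and Microsoft activity pages are reviewed by hand, so the field names, sample records and the owner’s "known" devices and countries here are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignIn:
    when: datetime
    access_type: str  # device / browser / application shown on the activity page
    country: str      # country estimated from the IP address
    ip: str

@dataclass
class SentMail:
    when: datetime
    recipient: str
    has_attachment: bool

def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)

# Constructed sample data (not a real export); IP addresses are documentation ranges.
SIGN_INS = [
    SignIn(ts("2024-05-02T08:12:00"), "Chrome on Windows", "AU", "203.0.113.5"),
    SignIn(ts("2024-05-03T19:40:00"), "Chrome on Windows", "AU", "203.0.113.5"),
    SignIn(ts("2024-05-04T03:17:00"), "IMAP client", "NL", "198.51.100.77"),
    SignIn(ts("2024-05-04T21:05:00"), "Outlook mobile", "AU", "203.0.113.5"),
]
SENT_ITEMS = [
    SentMail(ts("2024-05-02T09:00:00"), "colleague@example.com", False),
    SentMail(ts("2024-05-04T03:31:00"), "accounts@example.net", True),
]

# What the account owner recognises (assumed for this example).
KNOWN_ACCESS_TYPES = {"Chrome on Windows", "Outlook mobile"}
KNOWN_COUNTRIES = {"AU"}
QUIET_HOURS = range(0, 6)  # owner does not normally sign in between 00:00 and 05:59

def review_sign_in(s: SignIn) -> list[str]:
    """Return the guide's questions this sign-in fails; an empty list means nothing unusual."""
    reasons = []
    if s.access_type not in KNOWN_ACCESS_TYPES:
        reasons.append(f"unfamiliar access type: {s.access_type}")
    if s.country not in KNOWN_COUNTRIES:
        reasons.append(f"unfamiliar location: {s.country} ({s.ip})")
    if s.when.hour in QUIET_HOURS:
        reasons.append(f"unusual time: {s.when:%Y-%m-%d %H:%M}")
    return reasons

def mail_sent_during(s: SignIn, sent: list[SentMail], window=timedelta(hours=1)) -> list[SentMail]:
    """Sent items whose timestamp falls within `window` after the sign-in."""
    return [m for m in sent if s.when <= m.when <= s.when + window]

def report(sign_ins: list[SignIn], sent: list[SentMail]) -> list[dict]:
    """One finding per suspicious sign-in, listing any mail sent shortly afterwards."""
    findings = []
    for s in sign_ins:
        reasons = review_sign_in(s)
        if not reasons:
            continue
        linked = mail_sent_during(s, sent)
        findings.append({
            "ip": s.ip,
            "reasons": reasons,
            # Recipient and whether an attachment went out: what the guide asks you to note.
            "mail_sent": [(m.recipient, m.has_attachment) for m in linked],
        })
    return findings
```

In the sample, only the 03:17 IMAP sign-in from an unfamiliar country is flagged, and the message with an attachment sent fourteen minutes later is linked to it, which is the kind of recipient you would then contact.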
Security Tips
Have you ever saved your passwords using your web browser? If you were signed into a Chrome web browser and saved your username and password then those credentials can be accessed from your Google account.
If a cybercriminal has accessed your account, they may have also accessed your saved passwords. We recommend changing any saved account passwords that are stored on your Google account.
If you used the same password for your email account and any other accounts, these may be no longer secure. You should complete the following steps to help keep your other accounts secure:
- Change the password on accounts that shared the same password.
- Enable multi-factor authentication where possible on these accounts.
- Change the passwords to unique strong passphrases if multi-factor authentication isn’t available.
Password managers (which can also store passphrases) enable good cyber security habits. Having a unique passphrase for every valuable account may sound overwhelming; however, using a password manager to save your passphrases will free you of the burden of remembering which passphrase goes where.
A lot of web browsers provide an in-built password manager. You might have noticed the pop-up window asking to store your password when logging into accounts. Password managers are also sold separately, however, quality and security may vary.
When using a password manager:
- conduct research to ensure the password manager is from a reputable vendor.
- conduct research to ensure the password manager is maintained by the vendor with regular security updates.
- protect the password manager with its own strong and memorable passphrase.
You may choose to keep track of your passphrases in a notebook rather than a password manager. No matter how you keep track of your passphrases, ensure you have a secure storage method.