
Five red flags of email attack

 

Email is the front door to your online life. When it’s compromised, attackers can sweep through your finances, accounts, and reputation. Here are five clear red flags that someone’s messing with your inbox — what each means, how to check it, and exactly what to do next.

 



Five Flags of Email Hacking — how to spot trouble before it blows up



1) Unfamiliar sign-ins — strange IPs, locations or devices

What it looks like: Login alerts from cities you’ve never visited, sign-ins from unknown devices, or “New device” emails you didn’t trigger.

Why it matters: Attackers often reuse credentials and log in from different regions. One successful login can let them change settings or request password resets elsewhere.

Quick checks & actions

  • Review account activity (Gmail: Manage your Google Account → Security → Your devices / Recent security events; Outlook: View account activity).

  • Sign out all devices and revoke sessions.

  • Change your password immediately and enable MFA (prefer an authenticator app or hardware key).

  • If you see multiple logins, assume compromise and follow the full recovery checklist below.


2) Unexpected password reset or MFA change notices

What it looks like: Emails saying “Password changed”, “We reset your password”, or “Two-factor removed” that you didn’t request.

Why it matters: Attackers try to lock you out by changing recovery methods and removing MFA. These notifications often arrive before full takeover.

Quick checks & actions

  • Don’t click links in the notification. Go directly to the provider’s website and verify settings.

  • Check recovery email/phone and security questions — restore them to your control.

  • Re-enable MFA and review backup codes (store them securely).

  • If the provider locked you out, use their account recovery process and provide proof of identity if required.


3) New forwarding rules or unknown filters

What it looks like: Incoming emails are disappearing, or there are auto-forward rules you didn’t create (e.g., all mail forwarded to unknown@attacker.com).

Why it matters: Attackers install rules to stealthily receive copies of your mail so you don’t notice other changes or alerts.

Quick checks & actions

  • Inspect mail rules/filters (Gmail: Settings → Filters and Blocked Addresses; Outlook: Settings → Mail → Rules).

  • Remove any forwarding addresses or rules you didn’t create.

  • Check auto-replies (out-of-office) that might be exposing info.

  • After removing rules, change password and enable MFA — attackers often set rules before changing credentials.
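The filter inspection above can be done in bulk on a file produced by the Export button on Gmail's Filters and Blocked Addresses page. This is an added example, not part of the original article: it flags filters that forward outside your own domains or that trash, archive or mark as read messages matching security-notice keywords. The sample export, the keyword list and the `my_domains` parameter are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Assumed keyword list: criteria that match account-security notifications.
ALERT_WORDS = ("password", "security", "sign-in", "verification", "reset")

def audit_filters(xml_text, my_domains):
    """Return (filter_number, reason) for every filter that needs a manual look."""
    findings = []
    entries = ET.fromstring(xml_text).iter(ATOM + "entry")
    for n, entry in enumerate(entries, start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        fwd = props.get("forwardTo", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in my_domains:
            findings.append((n, f"forwards to external address {fwd}"))
        hides = [a for a in HIDE_ACTIONS if props.get(a) == "true"]
        criteria = " ".join(props.get(k, "") for k in ("from", "subject", "hasTheWord"))
        if hides and any(w in criteria.lower() for w in ALERT_WORDS):
            findings.append((n, "hides security notices: " + ", ".join(hides)))
    return findings

# Constructed sample export; addresses and criteria are illustrative.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='shouldArchive' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR payment'/>
    <apps:property name='forwardTo' value='unknown@attacker.com'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='subject' value='password reset'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='boss@example.com'/>
    <apps:property name='forwardTo' value='me@example.com'/></entry>
</feed>"""

if __name__ == "__main__":
    for number, reason in audit_filters(SAMPLE, my_domains={"example.com"}):
        print(f"filter #{number}: {reason}")
```

Account-wide forwarding is set on a separate settings tab (Forwarding and POP/IMAP) and does not appear in the filter export, so check it by hand as well.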


4) Sent messages you didn’t send or bounced messages about emails you never sent

What it looks like: Your contacts tell you they got weird messages from you, or you see “undeliverable” bouncebacks for messages you never composed.

Why it matters: Compromised accounts are used to send phishing or spam; this damages reputation and can lead to blacklisting.

Quick checks & actions

  • Check your Sent folder and Trash for unfamiliar messages.

  • Scan your mail for mass outgoing activity (search for high volume or repetitive content).

  • Inform your contacts (briefly) not to click suspicious links from your address.

  • Run a full malware scan on your devices — attackers may be harvesting credentials via keyloggers.

 

by Kevin Smith

5) Login failures, account lockouts, or security alerts from multiple services

What it looks like: Repeated “failed attempt” emails, or you get locked out after too many wrong-password tries.

Why it matters: These are signs of credential stuffing (automated attempts with leaked username/password pairs). If attackers succeed once, they try the same credentials elsewhere.

Quick checks & actions

 

  • If you reuse passwords across services, change them everywhere — use unique, strong passwords.

  • Enable MFA across all high-value accounts (email, banking, social, cloud).

  • Consider using a reputable password manager to generate and store passwords.

  • Monitor secondary accounts that use the same recovery email.
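Flags 1 and 5 can be checked together when you have an account's sign-in history. The sketch below is an added example, not part of the original article: it walks constructed sign-in events and reports failure bursts, a success that follows a burst from the same IP, and successes from a country/device pair you do not recognise. The event layout, the `known` set and the thresholds (3 failures in 5 minutes) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in events: (ISO time, result, source IP, country, device).
EVENTS = [
    ("2024-05-01T08:02:00", "success", "198.51.100.7", "PK", "Chrome/Windows"),
    ("2024-05-03T02:10:05", "failure", "203.0.113.50", "RO", "unknown"),
    ("2024-05-03T02:10:09", "failure", "203.0.113.50", "RO", "unknown"),
    ("2024-05-03T02:10:14", "failure", "203.0.113.50", "RO", "unknown"),
    ("2024-05-03T02:10:20", "success", "203.0.113.50", "RO", "unknown"),
    ("2024-05-03T09:00:00", "success", "198.51.100.7", "PK", "Chrome/Windows"),
    ("2024-05-04T23:40:00", "success", "192.0.2.99", "BR", "Firefox/Linux"),
]

def review_signins(events, known, burst=3, window=timedelta(minutes=5)):
    """Return (time, alert, ip) tuples for sign-ins that deserve a closer look."""
    alerts = []
    failures = {}  # source IP -> failure times still inside the window
    for ts, result, ip, country, device in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = [f for f in failures.get(ip, []) if now - f <= window]
        if result == "failure":
            recent.append(now)
            if len(recent) == burst:  # alert once, when the threshold is reached
                alerts.append((ts, "failure-burst", ip))
        elif len(recent) >= burst:
            # A guess finally worked: treat the account as compromised.
            alerts.append((ts, "success-after-burst", ip))
        elif (country, device) not in known:
            alerts.append((ts, "unfamiliar-signin", ip))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in review_signins(EVENTS, known={("PK", "Chrome/Windows")}):
        print(*alert)
```

Credential stuffing is often spread across many source IPs, so a per-IP counter like this one understates it; counting failures per account over the same window is the natural next check.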

Email is both a convenience and an attack vector. Spotting these five flags early (strange sign-ins, password resets, hidden forwarding, unexpected sent mail, and login failures) can prevent a small incident from becoming a full takeover.

If you want us to audit your email settings, remove stealthy forwarding rules, recover compromised accounts, or harden your team’s inboxes, Corvit offers professional account and password recovery plus cloud security solutions — we handle the cleanup so you can get back to work, safely.

 

Want a quick, tailored checklist for your organization or a walk-through to check your email settings? Say the word — I’ll write it up now.

 

 

 
