You open your inbox and see messages you didn't send. Or your password suddenly stops working. Or a customer forwards a weird note that came “from you” with a malicious link attached.
That's the moment people freeze.
If you're searching "what to do if my email is hacked", the right response isn't to randomly change a password and hope for the best. Email is your recovery channel, your customer communication channel, and in many businesses, your reputation channel. When an attacker gets in, they usually don't stop at reading messages. They look for ways to stay in, impersonate you, and use your trust against everyone connected to that mailbox.
The fix is calm, fast, and methodical. Treat it like a business incident, even if it's “just” a personal account. First contain it. Then remove persistence. Then figure out what happened. Then repair any sender reputation damage the attacker left behind.
That Sinking Feeling When You Realize You're Hacked
A client email lands in your inbox asking why you sent a payment request with a suspicious link. Then you notice messages in Sent that you never wrote, or a login prompt rejects the password you know is right. At that point, this is no longer a minor account problem. It is a live breach of a communication system people trust.
Email sits in the middle of business operations. It touches invoices, approvals, password resets, customer threads, vendor conversations, and marketing platforms. If an attacker gets control of that mailbox, they can read sensitive information, impersonate you, and damage your sender reputation before anyone realizes what happened.
Treat the account like compromised business infrastructure.
That mindset matters because the first mistake I see is hesitation. People spend too long trying to confirm whether the signs are serious enough. Meanwhile, the attacker may be forwarding mail out of the account, resetting access to other tools, or sending phishing messages to customers and coworkers.
The priority is not just getting back into the inbox. The priority is limiting business fallout. A hacked email account can trigger fraud attempts, expose confidential threads, and get your domain flagged by recipient systems if the attacker starts blasting spam from a legitimate address. Password recovery is only one part of the job.
A better response starts with a simple assumption. If there is an unexplained login, missing mail, unknown rules, strange auto-replies, or messages you did not send, act as if the attacker has already read data, changed settings, and tried to stay in the account.
If this mailbox is tied to a business, document the incident from the start and pull in whoever owns IT, legal, or client communications. Good incident handling protects more than the account itself. It protects trust, evidence, and your ability to explain what happened clearly. If you need a management-level framework for that broader response, this guide offers strategic advice to protect your business.
Immediate Containment: Your First 15 Minutes
The first job is to stop the bleeding. Not later. Now.
If you still have access, go to your email provider from a trusted device and change the password immediately. Make it long and unique. If you've been locked out, use the provider's official recovery flow instead of trying random workarounds.
What to do first
The FTC's recovery guidance is clear. Update or install trusted security software, run a full scan, delete suspicious software, restart the device, then use the provider's recovery process. That order matters.
Why? Because if malware or a keylogger is sitting on the device, changing your password on the same infected machine can hand the attacker your new password right away.
Use this sequence:
1. Use a clean device if possible. A phone you trust or a separate laptop is better than the machine you suspect may be compromised.
2. Reset the email password or recover the account. Don't reuse an old password pattern. If the attacker got in once, predictable variations won't save you.
3. Run a full malware scan. Quick scans are better than nothing, but for a live incident, full scans are the safer call.
4. Check recovery details. Look at the recovery email address and phone number. If those were changed, reverse them immediately.
5. Start alerting your internal team. If this is a business inbox, tell whoever manages IT, security, sales ops, or marketing ops. This isn't a private cleanup anymore.
What people often miss
Attackers don't always need your password to stay effective. They may have planted forwarding rules, changed recovery methods, or installed something locally that captures fresh credentials.
The FTC specifically warns users to check email settings for unauthorized forwarding rules after recovery because attackers use them to keep seeing your mail even after a password change. That one detail gets missed constantly.
If your first response is only “change password,” you've probably done half the job.
For business owners, this is also the right moment to open a broader incident checklist. If you need a practical reference for that side of the response, Clouddle's strategic advice to protect your business is useful because it treats this as an operational issue, not just a login problem.
Your first-15-minute priority list
| Priority | Action | Why it matters |
|---|---|---|
| Highest | Regain account access | Stops the attacker from using the inbox in real time |
| High | Scan the device | Removes malware that could steal the new password |
| High | Check recovery options | Prevents the attacker from reclaiming the account |
| High | Review forwarding behavior | Cuts off hidden persistence |
| Medium | Notify internal stakeholders | Prevents customers or coworkers from trusting fake messages |
Regain Full Control and Lock All Doors
Changing the password gets you back inside. It doesn't guarantee the attacker is out.
That's why the next move is session control. Google's account security flow tells users to review recent security events and inspect “Your devices” for unrecognized endpoints. That's exactly what you should do on any major provider.
Revoke every session you don't recognize
Go into the account's security area and review:
- Recent sign-in activity. Look for devices, browsers, or locations that don't belong to you.
- Logged-in devices. Sign out of anything unfamiliar. If you're not sure, sign out of everything.
- Connected apps. Third-party mail clients and browser extensions sometimes keep access longer than people expect.
The reason this matters is simple. If the attacker is using active sessions or stolen tokens, password changes alone may not remove them. Session revocation forces a fresh login.
Turn on MFA right away
This is not optional.
Once the account is back under your control, enable multi-factor authentication. An authenticator app is usually a stronger choice than relying only on text messages. The point is to require something beyond the password, so stolen credentials alone aren't enough.
A lot of people wait until “later” because they're busy cleaning up the mess. That's backwards. MFA is part of cleanup.
The strongest post-hack move is boring and mechanical. Sign out everywhere, remove unknown access, then require MFA for every future login.
If you use Outlook on desktop and need to sync a fresh credential after recovery, this guide on how to update your Outlook password settings can save time. It's especially helpful when old cached credentials keep causing confusion after you've already reset the account.
What full lockout looks like
A properly locked-down account usually includes these checks:
- Recovery email and phone are yours
- Old sessions are revoked
- Unknown devices are removed
- MFA is enabled
- Mail apps and browser access are reviewed
Once that's done, you've moved from “I changed a password” to “I removed the attacker's footholds.”
The Digital Forensic Investigation You Must Perform
After containment, you need to inspect the damage. This is the part often skipped, and it's where hidden problems survive.
Think like a forensic analyst, not a victim. You're not browsing. You're looking for evidence of what the attacker did, who they contacted, and whether they left a way back in.
Where to look first
Start with the folders attackers abuse most:
- Sent Items. Look for messages you didn't send. Pay attention to invoices, password reset requests, "urgent" wire instructions, or short link-heavy messages.
- Deleted and Trash folders. Attackers often try to hide their own activity.
- Spam folder. Sometimes replies from confused recipients end up there.
Then move to settings:
- Forwarding rules
- Filters
- Auto-replies
- Delegated mailbox access
- Connected apps and permissions
Microsoft's support guidance specifically highlights suspicious inbox rules and forwarding settings because attackers use them to redirect mail and maintain visibility after the password changes. That's one of the highest-value checks you can perform.
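As an added example (not from the original article or from any mail provider's tooling), here is a small Python triage script that applies the rule checks above to exported inbox rules: it flags external forwarding, delete actions, rarely-opened destination folders, finance or credential keywords, and blank rule names. The field names, the owned-domain list and the sample rules are constructed assumptions, not a specific provider's export format.

```python
# Added example: triage a mailbox's inbox rules for the persistence patterns
# described above. The records are constructed; the field names (forward_to,
# delete_message, move_to_folder) are assumptions, not any provider's exact schema.
from dataclasses import dataclass, field

OWN_DOMAINS = {"example.com"}  # assumption: domains the business controls
RISKY_KEYWORDS = ("invoice", "payment", "wire", "password", "bank")
# Folders people rarely open, which attackers use to park mail they do not want seen
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk e-mail", "conversation history"}
@dataclass
class InboxRule:
    name: str
    forward_to: list = field(default_factory=list)       # forward/redirect targets
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)
    enabled: bool = True

def is_external(address: str) -> bool:
    """True when the address domain is not one the business controls."""
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS
def triage_rule(rule: InboxRule) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes matching mail (hides replies and bounces)")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely-checked folder '{rule.move_to_folder}'")
    hits = [k for k in rule.subject_contains if k.lower() in RISKY_KEYWORDS]
    if hits:
        findings.append("matches finance/credential keywords: " + ", ".join(hits))
    if not rule.name.strip(" .-_"):
        findings.append("rule has an empty or punctuation-only name")
    return findings

def triage_rules(rules) -> list:
    """Return (rule name, findings) pairs for every rule that raised a finding."""
    return [(r.name, f) for r in rules if (f := triage_rule(r))]

SAMPLE_RULES = [  # constructed for this example
    InboxRule("Newsletter filing", move_to_folder="Newsletters", subject_contains=["digest"]),
    InboxRule(".", forward_to=["collector@attacker-mail.example"], delete_message=True,
              subject_contains=["invoice", "wire"]),
    InboxRule("Hide resets", move_to_folder="RSS Feeds", subject_contains=["password"]),
]

if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES):
        print(f"[SUSPICIOUS] {name!r}: " + "; ".join(findings))
```

Run it against a real export by building one InboxRule per rule; anything it reports should be screenshotted before it is removed, per the evidence advice that follows.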
What the evidence tells you
A few examples make this easier.
If you find sales emails in Sent Items that you never wrote, the attacker may have used your reputation to phish prospects. If you see a forwarding rule sending all finance-related mail elsewhere, they may have been watching invoices or payment conversations. If a CRM or file-sharing app appears in connected permissions and you don't recognize it, the compromise may extend beyond email.
Document what you find. Screenshot settings. Save timestamps. Note which contacts may have received malicious mail. That record helps when you notify customers, coworkers, or providers.
Don't clean first and ask questions later. Capture evidence before you erase it, especially if the account is tied to payments, contracts, or regulated data.
One check marketers often forget
If the hacked account sent mail from your business domain, inspect the domain-level authentication posture too. A compromised mailbox can expose weak policy gaps. If you want to verify DMARC record status, do that during this investigation, not weeks later when inbox placement starts slipping and nobody connects it to the original breach.
A practical review matrix helps here:
| Area | What to inspect | What it may mean |
|---|---|---|
| Sent mail | Unknown outbound messages | Impersonation, phishing, or fraud attempts |
| Rules and filters | New forwarding or deletion actions | Persistent surveillance or evidence hiding |
| Login history | Unfamiliar devices or timing | Scope of unauthorized access |
| App permissions | Unknown third-party tools | Extended compromise path |
| Recovery settings | Changed phone or backup email | Attempted long-term account takeover |
Repairing Your Reputation and Deliverability
Getting the account back is only half the job. If the hacked mailbox sent spam, phishing, or fake invoices, mailbox providers and recipients may still treat your domain like a problem.
That is the part consumer guides usually miss.
For a business, a hacked email account is not just a login incident. It is a reputation incident. Support replies can start landing in junk. Sales outreach can slow down. Billing and account notices may stop reaching customers at the worst possible time. Even after the attacker is gone, the sending history they created can keep hurting you.
A security cleanup closes the breach. A deliverability cleanup repairs trust.
Why sender reputation can drop fast
Mailbox providers react to what they saw. They do not pause filtering because the bad mail came from an attacker.
If recipients marked those messages as junk, if links pointed to suspicious destinations, or if sending volume spiked in a way that looked abusive, your future mail can face stricter filtering. I usually see this show up first in teams that depend on timely replies. Open rates soften, replies drop, and internal teams blame the copy or offer when the actual issue is damaged sender trust.
Kaspersky's hacked email recovery checklist also treats compromise as a wider fallout issue, including contact notification and identity misuse, not just password reset steps.
Check deliverability before you resume normal sending
Do this before the next campaign, invoice batch, or outbound sequence.
Start with the basics that affect placement:
- Authentication alignment. Confirm SPF, DKIM, and DMARC still pass and match the domain you send from.
- Reputation exposure. Use MailGenius to run a post-incident spam test, then check if your domain is blacklisted so you know whether the compromise reached your sender reputation.
- Message content and link residue. Review templates, signatures, and tracked links. If the attacker used the same sender identity, recipients and filters may distrust anything that looks similar.
- Inbox placement on live mailbox providers. Send controlled tests to Gmail, Microsoft, and other providers your customers use. Recovery decisions should be based on placement, not assumptions.
If you need a communications plan for the customer-facing side of cleanup, this article on expert advice on data breach reputation repair is useful because it focuses on restoring trust after an incident.
What helps recover trust
Use a measured approach. Sending at full volume right after a compromise is a common mistake, especially if complaint risk is still high.
| Helps recovery | Causes more damage |
|---|---|
| Testing placement before restarting campaigns | Resuming normal volume the same day access is restored |
| Checking domain and mailbox reputation signals | Assuming a new password fixed inbox placement |
| Warning affected contacts so they stop engaging with bad mail | Staying silent while recipients keep reporting suspicious messages |
| Updating templates, links, and workflows touched by the attack | Reusing the same assets the attacker already burned |
One more practical point. If the hacked account belongs to a founder, salesperson, recruiter, or finance lead, treat their address as high risk for follow-up filtering. Those identities often have the strongest reply history and the highest fraud value. I usually recommend testing those mailboxes first, then restoring lower-risk sending after you know placement is stable.
A hacked mailbox can disrupt revenue long after the security incident looks closed. Repair the sending reputation with the same seriousness you used to lock the account down.
Building Your Fortress: A Prevention Playbook
Monday morning, the CEO's mailbox looks normal. By Tuesday, finance is chasing fake wire requests, sales replies are landing in spam, and password resets are hitting tools nobody remembered were connected to email in the first place. That is why prevention has to be treated like infrastructure hygiene, not a one-time security chore.
Repeat compromises usually come from one of three gaps. The attacker kept a back door through a recovery method or connected app. The user went back to risky habits. Or the business never tightened the systems around the mailbox, so one stolen login still opens half the company.
Phishing remains the entry point behind a large share of account takeovers. That matters because prevention is not just about stronger credentials. It is also about reducing the odds that someone approves the wrong login page, opens the wrong attachment, or trusts the wrong internal-looking message under pressure.
The habits that actually reduce risk
Start with the controls that break common takeover paths:
- Use unique passwords for every account. A password manager solves the reuse problem better than policy reminders ever will.
- Keep MFA on for every high-value login. Prioritize email, banking, payroll, CRM, cloud storage, and your domain registrar. If an attacker gets the registrar, they can do far more damage than a mailbox-only compromise.
- Review recovery settings and active sessions on a schedule. Recovery email addresses, phone numbers, logged-in devices, forwarding rules, and connected apps deserve a recurring check. Quarterly is a good baseline. Monthly is better for leadership, finance, HR, and anyone sending revenue-critical mail.
- Train users to verify before they click or approve. Phishing awareness works best when it matches the messages your team actually sees, such as invoice requests, shared document prompts, MFA fatigue attempts, and fake internal threads.
A secure mailbox has strong credentials, clean recovery options, limited app access, and a user who slows down when something feels off.
What a business should formalize
For a company, individual caution is not enough. Write the standards down and enforce them.
A workable policy usually includes:
- Mandatory MFA for every employee account that supports it
- Clear incident reporting rules so suspicious activity gets escalated fast
- Access reviews for shared inboxes, former employees, and old SaaS tools
- Phishing drills and examples tied to current attack patterns
- Domain authentication checks for the mail your business sends
That last point matters more than many teams realize. After a compromise, I often find that the mailbox is clean but the sending setup has drifted. SPF is outdated, DKIM broke after a platform change, or a forgotten vendor is still authorized to send. Use an SPF and DKIM checker on a regular schedule so authentication problems are caught before they turn into delivery failures or spoofing opportunities.
The long-view mindset
Email is not a casual utility. It is a control point for identity, revenue, and trust.
If the hacked account belonged to a founder, recruiter, salesperson, or finance lead, tighten standards around that role first. Those mailboxes carry the most social trust, the richest contact history, and the highest fraud value. They also tend to suffer the longest deliverability after-effects if the account was used for spam or impersonation.
The right prevention model is simple. Reduce ways in, reduce ways to persist, reduce ways to pivot, and check the sending environment often enough to catch drift. Do that well, and the next attack is less likely to succeed, less likely to spread, and less likely to damage inbox placement when your business needs email to work.