Checking your email account security
Email is a common target for cybercriminal activity. If someone gains unauthorised access to your email account, they can access your private communications. A cybercriminal could steal your sensitive information, or even commit fraud and send emails pretending to be you.
After any email security incident you should review the security on your account, even if you are not sure that you have been hacked.
Reviewing your account security will help you to identify intruders, regain control of your account, and help prevent cyber attacks in the future.
Step 1: Change your password
If you are concerned that your email account has been hacked, it is important to login to your account as soon as possible. Once logged in, you will be able to disrupt the hacker’s access and regain control of your account.
If you have forgotten your email password, please skip to Step 1A to recover your account.
Changing your password is important when investigating the security of your email account. If a hacker knows your password, changing your password will slow them down and make it harder for them to get access to your account.
1. Once logged in, click on Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side of the screen, click Security.
3. Scroll down and click Password. Enter your current password and select a new password.
When choosing a new password, consider creating a passphrase. A passphrase uses four or more random words as your password, which is hard for cybercriminals to hack but easy for you to remember. Find more information on creating strong passphrases.
After you have reset your password, skip to Step 2.
Step 1A: Recover your account
Recovery of your account is only required if you do not remember your email password. Note that this recovery process will require you to confirm your identity by providing either your phone number or recovery email address.
1. Visit www.gmail.com and enter your email address.
2. Click Forgot password?
3. One option to recover your password is to enter the last password you remember using. If you cannot remember a password, click Try another way. Carefully follow the account recovery process and instructions.
Please note that this process will be different from person to person depending on what security measures you have set up. Some account recovery methods may include:
• Providing a code from your MFA app
• Providing a verification code sent to your alternative recovery email address
• Providing a code sent to your mobile phone via SMS
• Inputting the last password you remember
Step 2: Update your account recovery details
In some cases, a cybercriminal might change the recovery details of hacked accounts. They can use this as a back door to regain access to the hacked account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address or recovery mobile phone.
1. From the home screen, click on the Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side, click Personal info.
3. Scroll down to the section labelled Contact info.
You can now change your Recovery Email and your Recovery Mobile.
It is important these are changed to new or known email accounts or devices you can access. To change your email, click on Email.
4. Click Recovery email. You will be prompted to re-enter your password for Google to ensure it is you making the changes. You will only be able to choose your Recovery Email once your password has been re-entered.
5. Google will use your recovery email to reach you if unusual activity is detected or you are accidentally locked out. Click the pencil icon. A prompt will open where you can add or update your recovery email.
6. Go back to the Email recovery page (Step 4), and click Advanced.
7. From the options that have appeared, click Alternative emails. It is important you check no unknown or suspicious accounts are listed, as a criminal may use these to access your account. Remove all alternative email accounts to ensure that an alternative email account has not been hacked and is being used to access your email account.
8. To change your phone number, click Phone. You will be prompted to re-enter your password for Google to ensure it is you making the following changes. You will only be able to choose your Recovery Phone number once your password has been re-entered.
9. Google will use your recovery mobile number to reach you if unusual activity is detected or you are accidentally locked out. Click the pencil icon. A prompt will open where you can add or update your recovery mobile number.
Step 3: Sign out of all other sessions
Cybercriminals may be logged in to your email account. By signing out of all sessions, you will remove the cybercriminal from having access to your emails.
To sign out of all sessions, you will need to change your password. If you have already changed your password in Step 1, then you have already completed this step.
If you have not yet changed your password, instructions on how to do this can be found in Step 1.
Step 4: Enable Multi-factor Authentication
Turning on multi-factor authentication (MFA) is the most important defence against hackers gaining access to your Google account.
MFA makes it harder for criminals to gain initial access to your device, account and information by making them jump through more security hoops and additional authentication layers, requiring extra time, effort and resources.
For a more detailed set of instructions, see the ACSC’s Step-by-Step guide Turning on Two-Factor Authentication – Gmail
Step 5: Check account mail settings
Hackers will sometimes set up forwarding rules to send themselves a copy of emails coming in or leaving your account. You should check your account to see if anyone has set up forwarding rules and delete any you don’t recognise.
1. From your inbox, click the Settings icon (cog) and click See all settings.
2. Click the Forwarding and POP/IMAP tab to the right at the top of the page.
POP and IMAP are protocols that allow emails to be accessed through other applications like Apple Mail and Mozilla Thunderbird. Cybercriminals sometimes use these as another method of accessing your account, as it can allow them to bypass some security controls like MFA.
3. Make sure there are no forwarding rules, that POP is disabled, and that IMAP is disabled. This will prevent the criminal who may be forwarding incoming emails, or accessing your account from an app that is logged in. Click Save changes when finished.
4. From the tabs at the top, click the Filters and blocked addresses tab.
5. Check that no unfamiliar filters being applied to incoming emails, or that there are any unusual email accounts that are being blocked. Delete any of these unfamiliar filters or email accounts.
A criminal may have set these up to hide emails from you, especially if customers or contacts have become suspicious and tried to reach out to you.
Step 6: Check third party application access
Have you ever logged into another application or website using your email account, sometimes without needing to put in your password? Many websites and applications opt for this method to create a new user account without having to directly request this information from the user. However, the connection this creates between your email account and the website/application is a common way for hackers to gain access to your email account, without needing your login credentials.
Check if there are any apps or services that have access to your account and remove any that you don’t recognise.
1. Once logged in, click on Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side of the screen, click Security.
3. Scroll down to Third-party apps with account access and click Manage third-party access.
4. Scroll down and click Google Account sign-in prompts to ensure the toggle is turned off. Then click the apps listed.
5. It is important to reduce the access by third-party apps to your email account. If a criminal has hacked a third-party app, they may be able to use it to enter your email account.
Click REMOVE ACCESS for each app listed that you didn’t configure yourself. If you’re not sure what apps that might be, remove those you’re not sure about as
they can be reconfigured later if required.
Step 7: Check login activity
Your login activity is a history of when and where someone has logged into your email account. As a good practice, regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations. By doing so, you will be able to pick up on anything suspicious.
1. From your inbox, go to the bottom right hand corner and click Details.
Here you can check the time and location of the logins into your account to verify that your email account has not been accessed at unusual times or from unusual locations.
If you see any suspicious activity since the last time you changed your password, change your password to a unique strong passphrase immediately.
Here are some things to consider to help you identify suspicious activity:
• The Access Type – is this a device/ browser/application you are familiar with, use or own?
• The Location (IP address) – was the login from a country you are familiar with?
• The Date/Time – does the login date and time seem out of the ordinary?
Step 8: Check your email folders, devices and other accounts
Check email folders
Once you have made sure only authorised persons have access to your email account, you may want to consider checking your email folders, specifically your sent and deleted items. This will help you assess what actions a cybercriminal has taken if they accessed your account.
1. From your inbox, click Sent (triangle icon) to view your sent emails.
Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent.
Compare any unusual activity times with the time the email was sent. Verify login records every time you become aware that a criminal contacted someone from your email account.
2. Under the Sent folder on the right, click More to make more folders visible.
3. Undertake the same steps taken for your other folders, especially Drafts, Spam and Bin folders. Verify login records every time you become aware that a criminal
contacted someone from your email account.
Run a malware scan
Malware is any software that is specifically designed to disrupt, damage or gain unauthorised access to a device. Use a malware scanning tool to find and remove any malware detected.
1. Do this using the malware scanning tool on your device. You may already have a malware scanning tool that came with your device. If you don’t know the name of your malware scanning tool, you can search for it.
2. Type the name of the malware scanning tool. Or press the Windows key on your keyboard for Windows 10 and start typing. Suggested search terms: Antivirus, Microsoft Defender.
3. Once you have found your malware scanning tool, follow the instructions to run a scan and delete any malware identified.
While in progress, take notes or photos of any suspicious software applications, files, pop-ups or other key details you encounter.
For more information for Windows 10 users, read the ACSC’s Step-by-Step guide Performing a malware scan using Microsoft Defender Antivirus for Windows 10
Check other linked accounts
If someone has hacked into your email account, they may have tried to reset passwords for other online accounts that are linked to that email address. These could be banking and finance, social media, or other accounts.
If you used the same password or passphrase for your email account and any other accounts, these may be no longer secure. Enable multi-factor authentication where possible on these accounts, and consider changing the passwords to unique strong passphrases.
