Checking your email account security Email is a common target for cybercriminal activity. If someone gains unauthorised access to your email account, they can access your private communications. A cybercriminal could steal your sensitive information, or even commit fraud and send emails pretending to be you. After any email security incident you should review the security on your account, even if you are not sure that you have been hacked. Reviewing your account security will help you to identify intruders, regain control of your account, and help prevent cyber attacks in the future. Step 1: Change your password If you are concerned that your email account has been hacked, it is important to login to your account as soon as possible. Once logged in, you will be able to disrupt the hacker’s access and regain control of your account. If you have forgotten your email password, please skip to Step 1A to recover your account. Changing your password is important when investigating the security of your email account. If a hacker knows your password, changing your password will slow them down and make it harder for them to get access to your account. 1. Visit https://account.microsoft.com and enter your email address and click Next. 2. Enter your password. 3. Once logged in, click on Profile icon (top right) and then click on My Microsoft Account or My Account. 4. On the top menu bar, click on Security. 5. Under Security Basics, on the Password Security tile, click on Change my password. 6. Enter your current password, your new password, confirm and click Save. By changing your password, all other sessions will be prompted for the new password. However, this does take a few minutes. When choosing a new password, consider creating a passphrase. A passphrase uses four or more random words as your password, which is hard for cybercriminals to hack but easy for you to remember. Find more information on creating strong passphrases. After you have reset your password, skip to Step 2: Update your account recovery details. Step 1A: Recover your account Recovery of your account is only required if you do not remember your email password. Note that this recovery process will require you to confirm your identity by providing either your phone number or recovery email address. 1. Visit https://account.microsoft.com and enter your email address and click Next. 2. Click Forgot password. 3. If you have access to an external Email or Mobile phone to receive the recovery code, click on the appropriate method and proceed to Step 4 of 1A. If you don’t have access to any of these click on I don’t have any of these and proceed to Step 5 of 1A. 4. If you have a recovery code, enter it and click Use recovery code. Proceed to Step 2: Update your account recovery details (page 10). 5. If you do not have any recovery accounts of a recovery code, click on No which will begin the application process to recover your email address. You may be required to provide an alternative email address to which a recovery code/email will be sent to and to complete an audio or visual CAPTCHA. Provide as much information as possible as this will help you recover your account. It may take several days or weeks to receive an outcome as your request is reviewed. Step 2: Update your account recovery details In some cases, a cybercriminal might change the recovery details of hacked accounts. They can use this as a back door to regain access to the hacked account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address orrecovery mobile phone. 1. Click on your Profile in the top right corner and click on My Microsoft Account or My Account. 2. Click on Security in the Top menu bar. You may have to enter your password again to verify you can make changes to sensitive info. 3. Under Security Basics, on the Advanced security options or Security contact info tile, click Get started or Update my info. 4. Review the recovery details and click Remove for any security contact info you want to remove. Note – if only one recovery mechanism is listed, and it is the one you want to delete, you will need to add a valid recovery mechanism first. To do this click Add Security info. For Outlook this can either can be a mobile number or an alternative email address. Step 3: Sign out of all other sessions Cybercriminals may be logged in to your email account. By signing out of all sessions, you will remove the cybercriminal’s access to your emails. 1. Click on your Profile icon in the top right corner and click on My Microsoft Account or My Account. 2. Click on Security in the top menu bar. You may have to enter your password again to verify you can make changes to sensitive info. 3. Under Security Basics, on the Advanced security options or Security contact info tile, click Get started or Update my info. 4. Scroll down to Sign me out and click on the Sign me out button. You will be prompted again to confirm whether or not you want to sign out. Click Sign me out. Note that all account sessions on all browsers and devices will be signed out within 24 hours. Once completely signed out of all sessions and devices, sign back in again using your device to continue securing your Microsoft account. Step 4: Enable multi-factor authentication Turning on multi-factor authentication (MFA) is the most important defence against hackers gaining access to your Microsoft account. MFA makes it harder for criminals to gain initial access to your device, account and information by making them jump through more security hoops and additional authentication layers, requiring extra time, effort and resources. For a more detailed set of instructions, see the ACSC’s Step-by-Step guide Turning on Two-Factor Authentication – Microsoft Accounts. Step 5: Check account mail settings Hackers will sometimes set up forwarding rules to send themselves a copy of emails coming in or leaving your account. You should check your account to see if anyone has set up forwarding rules and delete any you don’t recognise. 1. Click on the Settings (cog icon) in the top right corner. 2. Scroll down and click on View all Outlook settings. 3. In the Mail side bar menu, click on Rules in the sub-menu and view all the rules. To remove any rules, click the delete icon (trash icon) and click OK. 4. Check to see if any of your emails are being accessed by any suspicious external email clients or applications via POP or IMAP1. These are two methods used to access your email externally. Click on Sync Email in the sub-menu and scroll down to view POP and IMAP. These should either be disabled or refer to a Server relating to Outlook or Microsoft Office. 5. From here you can check to see if any of your emails are being forwarded to another account. Click on Forwarding in the sub-menu, check the Enable Forwarding is unticked, or if forwarding is turned on, it is to an account you expected. If forwarding is turned on to an account you don’t recognise then turn it off by unticking the box. 6. To use “Manage how you sign in to Microsoft” to see if there are any unusual account aliases still associated to your account, first go to My Microsoft Account or My Account. 7. Then click on Your info. 8. Then go to Manage how you sign in to Microsoft. 9. Here, you will be able to manually remove any suspicious email addresses or phone numbers by clicking the Remove button. Step 6: Check third party application access Have you ever linked your Microsoft or Xbox Live account to a third party service? Many websites and applications opt for this method to create a new user account without having to directly request this information from the user. However, the connection this creates between your Microsoft account and the website/application is a common way for hackers to gain access to your email account, without needing your login credentials. Check if there are any apps or services that have access to your account and remove any that you don’t recognise. 1. Click on your Profile icon (top right), click on My Microsoft Account or My Account. 2. Click on Privacy in the top menu bar. 3. Scroll down to Other Privacy options and under Apps and Services, click on Apps and Services that can access your data. 4. This lists all the apps that can access data related to your account. Click Edit, then click Remove these permissions for any that you didn’t configure yourself. Step 7: Check login activity Your login activity is a history of when and where someone has logged into your email account. Regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations. 1. Click on your Profile icon (top right), click on My Microsoft Account or My Account. 2. Click on Security in the top menu bar. You may have to enter your password again to verify you can make changes to sensitive info. 3. Under Security Basics, on the Sign-in activity tile, Click View my activity. 4. Here you can check the time and location of the logins into your account to verify that your email account has not been accessed at unusual times or from unusual locations. If you see any suspicious activity since your last password change, click on the drop down arrow for that session and click Secure your account to change your password. Consider using a unique strong passphrase as your password. Here are some things to consider to help you identify suspicious activity: • The Device/platform – is this a device you are familiar with or own? • The Browser/app – is this something you use? • The Date/Time – does the login date and time seem out of the ordinary? • The IP address – was the login from a country you are familiar with? Note that if you do go ahead and Secure your Account, you will need to verify your identity and change your password. This will also automatically log you out of all other existing sessions. Step 8: Check your email folders, devices and other accounts Check email folders Once you have made sure only authorised persons have access to your email account, you may want to consider checking your email folders, specifically your sent and deleted items. This will help you assess what actions a cybercriminal has taken if they accessed your account. 1. To check sent items, click on Sent items in the side menu. Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent. Compare any unusual activity times with the time the email was sent. Check login activity (page 20) every time you become aware that a criminal contacted someone from your email account. 2. To check deleted items, click on Deleted items in the side menu. You can recover deleted items by clicking on Recover items deleted from this folder. Undertake the same steps taken for your other folders, especially Drafts, Spam and other folders. Run a malware scan Malware is any software that is specifically designed to disrupt, damage or gain unauthorised access to a device. Use a malware scanning tool to find and remove any malware detected. 1. Do this using the malware scanning tool on your device. You may already have a malware scanning tool that came with your device. If you don’t know the name of your malware scanning tool, you can search for it. 2. Type the name of the malware scanning tool. Or press the Windows key on your keyboard for Windows 10 and start typing. Suggested search terms: Antivirus, Microsoft Defender. 3. Once you have found your malware scanning tool, follow the instructions to run a scan and delete any malware identified. While in progress, take notes or photos of any suspicious software applications, files, pop-ups or other key details you encounter. For more information for Windows 10 users, read the ACSC’s Step-by-Step guide Performing a malware scan using Microsoft Defender Antivirus for Windows 10 Check other linked accounts If someone has hacked into your email account, they may have tried to reset passwords for other online accounts that are linked to that email address. These could be banking and finance, social media, or other accounts. If you used the same password or passphrase for your email account and any other accounts, these may be no longer secure. Enable multi-factor authentication where possible on these accounts, and consider changing the passwords to unique strong passphrases.