What to Do If Your Email Is Hacked

I think I could count on one hand the people I know who have NOT had their email hacked. Maybe they found a four-leaf clover when they were kids! Email hacking is one of the very unfortunate downsides of living in our connected, digital world. And it usually occurs as a result of a data breach - a situation that even the savviest tech experts find themselves in.

What is a data breach?

In simple terms, a data breach happens when personal information is accessed, disclosed without permission, or lost. Companies, organisations, and government departments of any size can be affected. Data stolen can include customer login details (email addresses and passwords), credit card numbers, identifying IDs of customers e.g. driver's license numbers and/or passport numbers, confidential customer information, company strategy, or even matters of national security.

Data breaches have made headlines, particularly over the last few years. When the Optus and Medibank data breaches hit the news in 2022 affecting almost 10 million Aussies apiece, we were all shaken. But then when Aussie finance company Latitude was affected in 2023 with a whopping 14 million people from both Australia and New Zealand, it almost felt inevitable that by now, most of us would have been impacted.

The reality is that data breaches have been happening for years. In fact, the largest data breach in Australian history happened in 2019 to the online design site Canva which affected 139 million users globally. In short, it can happen to anyone, and the chances are you may have already been affected.

Your email is more valuable than you think

The sole objective of a hacker is to get their hands on your data. Any information that you share in your email account can be very valuable to them. Why do they want your data, you ask? It's simple really - so they can cash in!

Some will keep the juicy stuff for themselves - passwords or logins to government departments or large companies they may want to 'target' with the aim of extracting valuable data and/or funds. The more sophisticated ones will sell your details including name, telephone, email address, and credit card details to cash in on the dark web. They often do this in batches. Some experts believe they can get as much as AU$250 for a full set of details including credit cards. So, you can see why they'd be interested in you.

The other reason why hackers will be interested in your email address and password is that many of us re-use our login details across our other online accounts. Once they've got their hands on your email credentials, they may be able to access your online banking and investment accounts, if you use the same credentials everywhere. So, you can see why I harp on about using a unique password for every online account!

How big is the problem?

There is a plethora of statistics on just how big this issue is - all of them concerning. According to the Australian Institute of Criminology, of all the country's cybercrime reports in 2024, about 21.9% involved identity theft and misuse. The Australian Bureau of Statistics adds that the identity theft victimisation rate has steadily increased from 0.8% to 1.2% from 2021 to 2024, respectively.

Meanwhile, The Australian Government revealed that at least one cybercrime is reported every 6 minutes, with business email compromise alone costing the national economy up to $84 million in losses. Regardless of which statistic you choose to focus on, we have a big issue on our hands.

How does an email account get hacked?

Hackers use a range of techniques-some highly sophisticated, others deceptively simple-to gain access. It is important to know how these attacks happen so you can stay ahead and prevent them.

• Phishing scams: These are deceptive emails that trick you into entering your login details on a fake website that looks legitimate.
• Data breaches: If a website where you used your email and password gets breached, criminals can use those leaked credentials to try and access your email account.
• Weak or reused passwords: Using simple, easy-to-guess passwords or the same password across multiple sites makes it easy for hackers to gain access.
• Malware: Malicious software like keyloggers can be installed on your computer without your knowledge, capturing everything you type, including passwords.
• Unsecure Wi-Fi networks: Using public Wi-Fi without a VPN can expose your data to criminals monitoring the network.

From email hack to identity theft

Yes, absolutely. An email account is often the central hub of your digital life. Once a cybercriminal controls it, they can initiate password resets for your other online accounts, including banking, shopping, and social media. They can intercept sensitive information sent to you, such as financial statements or medical records.

With enough information gathered from your emails, they can commit identity theft, apply for credit in your name, or access other sensitive services. If you suspect your email was hacked, it's crucial to monitor your financial statements and consider placing a fraud alert with credit bureaus.

Signs that your email has been hacked

• You can no longer log in. The most obvious sign of an email hack is when your password suddenly stops working. Cybercriminals often change the password immediately to lock you out.
• Friends receive strange messages from you. If your contacts report receiving spam or phishing emails from your address that you didn't send, it's a major red flag that someone else has control of your account.
• Unusual activity in your folders. Check your "Sent" folder for messages you don't recognize. Hackers might also set up forwarding rules to send copies of your incoming emails to their own address, so check your settings for any unfamiliar forwarding addresses.
• Password reset emails you didn't request. Receiving unexpected password reset emails for other services (like your bank or social media) is a sign that a hacker is using your email to try and take over your other online accounts.
• Security alerts from your provider. Pay attention to notifications about new sign-ins from unfamiliar devices, locations, or IP addresses. These are often the first warnings that your account has been compromised.

Steps to email recovery

If you find yourself a victim of email hacking, these are a few very important steps you need to take. Fast.

Change your password

Using a separate, clean device, this is the very first thing you must do to ensure the hacker can't get back into your account. It is essential that your new password is complex and totally unrelated to previous passwords. Always use random words and characters, a passphrase with a variety of upper and lower cases, and throw in some symbols and numbers.

I really like the idea of a crazy, nonsensical sentence - easier to remember and harder to crack! But, better still, get yourself a password manager that will create a password that no human would be capable of creating. If you find the hacker has locked you out of your account by changing your password, you will need to reset the password by clicking on the 'Forgot My Password' link.

Update other accounts that use the same password

This is time-consuming, but essential. Ensure you change any other accounts that use the same username and password as your compromised email. Hackers love the fact that many people use the same logins for multiple accounts, so it is guaranteed they will try your info in other email applications and sites such as PayPal, Amazon, Netflix - you name it!

Once the dust has settled, review your password strategy for all your online accounts. A best practice is to ensure every online account has its own unique and complex password.

Sign out of all devices

Most email services have a security feature that lets you remotely log out of all active sessions. Once you've changed your password, signing out from your email account also signs out the hacker and forces them to log-in with the new password, which fortunately they do not know. These, combined with two- or multi-factor authentication, will help you to regain control of your account and prevent further compromise.

Inform your email contacts

A big part of the hacker's strategy is to get their claws into your address book to hook others as well. Send a message to all your email contacts as soon as possible so they know to avoid opening any emails-most likely loaded with malware-that have come from you.

Commit to multi-factor authentication

Two-factor or multi-factor authentication may seem like an additional, inconvenient step to your login, but it also adds another layer of protection. Enabling this means you will need a special one-time-use code to log in, aside from your password. This is sent to your mobile phone or generated via an authenticator app. So worthwhile!

Check your email settings

It is common for hackers to modify your email settings so that a copy of every email you receive is automatically forwarded to them. Not only can they monitor your logins to other sites; they can also keep a watchful eye on any particularly juicy personal information. So, check your mail forwarding settings to ensure no unexpected email addresses have been added.

Also, ensure your 'reply to' email address is actually yours. Hackers have been known to create an email address that looks similar to yours, so that when someone replies, it will go straight to their account, not yours.

Don't forget to check your email signature to ensure nothing spammy has been added, as well as your recovery phone number and alternate email address. Hackers also change these to maintain control. Update them to your own secure details.

Scan your computer for malware and viruses

Regularly scanning your devices for unwanted invaders is essential. If you find anything, please ensure it is addressed, and then change your email password again. If you don't have antivirus software, please invest in it.

Comprehensive security software will provide you with a digital shield for your online life, protecting all your devices - including your smartphone - from viruses and malware. Some services also include a password manager to help you generate and store unique passwords for all your accounts.

Consider creating a new email address

If you have been hacked several times and your email provider isn't mitigating the amount of spam you are receiving, consider starting afresh. Do not, however, delete your old email address because email providers are known to recycle old email addresses. This means a hacker could spam every site they can find with a 'forgot my password' request and try to impersonate you and steal your identity.

Your email is an important part of your online identity so being vigilant and addressing any fallout from hacking is essential for your digital reputation. Even though it may feel that getting hacked is inevitable, you can definitely reduce your risk by installing some good-quality security software on all your devices.

Trusted and reliable comprehensive security software will alert you when visiting risky websites, warn you when a download looks dodgy, and block annoying and dangerous emails with anti-spam technology. It makes sense really - if you don't receive the dodgy phishing email - you can't click on it. Smart!

Finally, don't forget that hackers love social media - particularly those of us who overshare on it. So, before you post details of your adorable new kitten, remember it may just provide the perfect clue for a hacker trying to guess your email password!

Report the incident

Reporting an email hack is a crucial step to create a necessary paper trail for disputes with banks or credit agencies. When reporting, gather evidence such as screenshots of suspicious activity, unrecognized login locations and times, and any phishing emails you received. This information can be vital for the investigation.

• Your email provider: Use their official support or recovery channels immediately. They can help you investigate and regain control of your account. Do not use links from suspicious emails claiming to be from support.
• Financial institutions: If you've disclosed sensitive financial information or use the email for banking, contact your bank and credit card companies immediately. Alert them to potential fraud and monitor your statements.
• Friends, family, and contacts: Send a message to your contacts warning them that your account was compromised. Advise them not to open suspicious messages or click on links sent from your address during that time.
• Your employer: If it's a work email, or if your personal email is used for work purposes, notify your IT department immediately. They need to take steps to protect company data and systems.
• Relevant authorities: For financial loss or identity theft, you can report the incident to authorities like the FBI's Internet Crime Complaint Center or Action Fraud in the UK. This creates an official record and aids in wider law enforcement efforts.

Check if online accounts linked to your email were compromised

• Prioritize critical accounts: Immediately check your online banking, financial, and government-related accounts. Review recent activity for any unauthorized transactions or changes.
• Review social media and shopping sites: Check your social media for posts or messages you didn't send. Review your online shopping accounts like Amazon for any purchases or address changes you don't recognize.
• Enable alerts: Turn on login and transaction alerts for your sensitive accounts. This will give you real-time notifications of any suspicious activity in the future.

Should you delete your hacked email account?

Generally, no. Deleting the account can cause more problems than it solves. Many online services are linked to that email, and deleting it means you lose the ability to receive password reset links and security notifications for those accounts.

More importantly, some email providers recycle deleted addresses, meaning a hacker could potentially re-register your old email address and use it to impersonate you and take over your linked accounts.

The better course of action is to regain control, thoroughly secure the account with a new password and multi-factor authentication, and clean up any damage. Only consider migrating to a new email address after you have fully secured the old one.

Future-proof your email after reclaiming control

• Run a full security scan: Before doing anything else, run a comprehensive scan with a trusted antivirus program on all your devices to ensure no malware or keyloggers remain.
• Double-check security settings: Confirm that your recovery email and phone number are correct and that multi-factor authentication is enabled, preferably using an authenticator app rather than SMS.
• Review account permissions: Check which third-party apps and websites have access to your email account. Revoke access for any service you don't recognize or no longer use.
• Set periodic reminders: Make it a habit to review your account's security logs and settings every few months to catch any potential issues early.

• Learn to spot phishing: Be skeptical of unsolicited emails asking for personal information or creating a sense of urgency. Check the sender's address and hover over links before clicking.
• Keep software updated: Regularly update your operating system, web browser, and security software to protect against the latest vulnerabilities.
• Secure your devices: Use comprehensive security software like McAfee+ on all your devices-computers, tablets, and smartphones-to protect against malware, viruses, and risky websites.

Provider-specific email recovery

Each email provider has a specific, structured process for account recovery. It is vital to only use the official recovery pages provided by the service and be wary of scam websites or third-party services that claim they can recover your account for a fee. Below are the official steps of the major providers that you can follow.

Gmail

1. Go to Google's official Account Recovery page.
2. Enter your email address and follow the on-screen prompts. You will be asked questions to confirm your identity, such as previous passwords or details from your recovery phone number or email.
3. Once you regain access, you will be prompted to create a new password.
4. Immediately visit the Google Security Checkup to review recent activity, remove unfamiliar devices, check third-party app access, and enable 2-step verification.

Yahoo email

1. Navigate to the Yahoo Sign-in Helper page.
2. Enter your email address or recovery phone number and click "Continue."
3. Follow the instructions to receive a verification code or account key to prove your identity.
4. Once verified, create a new, strong password.
5. After regaining access, go to your Account Security page to review recent activity, check recovery information, and turn on 2-step verification.

Outlook or Hotmail

1. Go to the official Microsoft account recovery page.
2. You'll need to provide your email, phone, or Skype name, and verify your identity using the security information linked to your account.
3. If you cannot access your recovery methods, you will be directed to an account recovery form where you must provide as much information as possible to prove ownership.
4. After resetting your password, visit your Microsoft account security dashboard to review sign-in activity, check connected devices, and enable two-step verification.

Final thoughts

Your email account is the master key to your digital kingdom, and protecting it is more critical than ever since many of your other accounts are connected with your email. Realizing "my email has been hacked" is a stressful experience, but taking swift and correct action can significantly limit the damage.

By following the recovery steps and adopting strong, ongoing security habits like using a password manager and enabling multi-factor authentication, you can turn a potential crisis into a lesson in digital resilience. Stay vigilant, stay proactive, and keep your digital front door securely locked.

To add another wall of defense, consider investing in a trusted and reliable comprehensive security software like McAfee+. Our solution will help you dodge hacking attempts by alerting you when visiting risky websites, or downloading questionable apps, and blocking malicious emails with anti-spam technology.