
What is email account compromise?

When an attacker gets into your email account, they might:

  • Send fraudulent emails from your email address
  • Set up auto-forwarding so they receive copies of your emails
  • Change your security settings – password, recovery email/phone, or multi-factor authentication
  • Use your mailbox to access other accounts by triggering password resets

How do email accounts get compromised?

Common routes into email accounts include:

  • Phishing: tricking you into entering your password on a fake sign-in page
  • Password reuse: attackers try passwords leaked from other breached sites and services against your email account (credential stuffing)
  • Weak passwords or password guessing
  • Malware on a device (e.g. a keylogger)
  • Social engineering: persuading you to share a code, approve a sign-in, or reveal personal information

Signs your email may be compromised

You might notice:

  • Emails in your “Sent” folder that you don’t recognise
  • People telling you they received unusual emails from you
  • Password reset or sign-in alerts that you didn’t request
  • Missing emails, or messages being moved to strange folders
  • New inbox rules, filters, or auto-forwarding you didn’t set up

What to do if you think your email account has been compromised

Act quickly. These steps help you regain control and reduce the impact:

1) Change your password (and any reused passwords)

Change the password for your email account immediately. Use a strong, unique password.

  • If you have used the same (or similar) password anywhere else, change those passwords too – especially for banking, shopping, and social media accounts.
  • If your provider offers it, sign out of all devices/sessions after changing the password, so any attacker sessions are ended.

2) Remove unfamiliar auto-forwarding rules and inbox filters

Attackers often create rules that forward, delete, or hide emails so they keep receiving your mail and avoid detection. Check your mailbox settings for:

  • Auto-forwarding (forward all mail, or forward selected mail)
  • Inbox rules/filters that move messages to other folders
  • Rules that delete messages or mark them as read

Disable and delete any rule you did not create. Then check again after a few minutes to ensure it does not reappear – a rule that comes back means the attacker still has an active session or another way in.
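The rule patterns described above (forwarding to an outside address, moving or deleting mail that matches security or finance keywords, rule names that are just punctuation) can be checked mechanically once the rules are exported. The following is an added example, not code from the original page: it runs a set of those checks over a small constructed JSON export. The field names (`forward_to`, `move_to_folder`, `delete`, `mark_as_read`, `subject_contains`) and the trusted domain `example.com` are assumptions for the example; real exports from a mail provider use their own names and would need mapping onto these.

```python
"""Flag mailbox rules that match common account-compromise patterns.

Added example. The rule schema below is hypothetical; map your provider's
export (e.g. an inbox-rule listing) onto these fields before running.
"""
import json
import re

# Domains the mailbox owner legitimately forwards to (assumption for the example).
TRUSTED_DOMAINS = {"example.com"}

# Folders attackers commonly use to hide mail the victim would otherwise notice.
HIDING_FOLDERS = {
    "rss feeds", "rss subscriptions", "archive", "deleted items",
    "junk email", "conversation history", "notes",
}

# Subject keywords that typically indicate mail an attacker wants suppressed.
SENSITIVE_KEYWORDS = (
    "invoice", "payment", "wire", "bank", "password",
    "security alert", "sign-in", "verification",
)

# Constructed sample export: two attacker-style rules and one benign rule.
SAMPLE_RULES_JSON = """
[
  {"name": "..", "enabled": true,
   "forward_to": ["attacker@evil-example.net"],
   "move_to_folder": "RSS Feeds", "delete": false, "mark_as_read": true,
   "subject_contains": ["invoice", "payment"]},
  {"name": "Newsletters", "enabled": true,
   "forward_to": [], "move_to_folder": "Newsletters", "delete": false,
   "mark_as_read": false, "subject_contains": ["newsletter"]},
  {"name": "Cleanup", "enabled": true,
   "forward_to": [], "move_to_folder": "", "delete": true,
   "mark_as_read": false, "subject_contains": ["password reset", "security alert"]}
]
"""


def _is_external(address, trusted):
    """True if the address's domain is not one the owner controls."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in trusted


def assess_rule(rule, trusted=TRUSTED_DOMAINS):
    """Return the reasons a rule looks attacker-created (empty list = benign)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons  # disabled rules do nothing; still worth deleting, but not scored here

    for addr in rule.get("forward_to", []):
        if _is_external(addr, trusted):
            reasons.append(f"forwards to external address {addr}")

    name = rule.get("name", "")
    if not re.search(r"[A-Za-z0-9]", name):
        reasons.append(f"rule name {name!r} contains no letters or digits")

    folder = rule.get("move_to_folder", "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail to {rule['move_to_folder']!r}")

    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    sensitive = [s for s in subjects if any(k in s for k in SENSITIVE_KEYWORDS)]
    suppresses = rule.get("delete") or rule.get("mark_as_read") or folder in HIDING_FOLDERS
    if sensitive and suppresses:
        reasons.append(f"suppresses mail matching {sensitive}")

    return reasons


def find_suspicious_rules(rules_json, trusted=TRUSTED_DOMAINS):
    """Return (index, name, reasons) for every rule with at least one finding."""
    findings = []
    for i, rule in enumerate(json.loads(rules_json)):
        reasons = assess_rule(rule, trusted)
        if reasons:
            findings.append((i, rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for index, name, reasons in find_suspicious_rules(SAMPLE_RULES_JSON):
        print(f"rule {index} ({name!r}):")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it once when you first clean up, and again after a few minutes: a rule that reappears in the second run points to an attacker session or credential that is still active.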

3) Check and secure your recovery information

Review your account security settings and confirm that your recovery options are correct.

  • Set a recovery email address and/or phone number that you control (if your provider supports it).
  • Remove any unfamiliar recovery email addresses, phone numbers, devices, or sign-in methods.
  • If you see changes you didn’t make, update them immediately and review your recent sign-in activity.

4) Tell people who might be affected

Let your contacts and any relevant colleagues/customers know your account may have been compromised.

  • Use a trusted method to contact them – e.g. phone, text, or a separate trusted email account.
  • Ask them to be cautious of recent messages from your account, and not to click links, open attachments, or pay invoices based on those emails.
  • If the compromised email account is used for work, contact your IT department.

5) Ensure multi-factor authentication (MFA) is enabled

Enable MFA on your email account and any other important accounts.

  • Use an authenticator app, passkeys, or a hardware security key where possible. Avoid SMS codes if other options are available.
  • Remove any unfamiliar devices or authenticator registrations, and any old devices you no longer have access to.

If you can't access your email account

Use your email provider’s account recovery process as soon as possible. This is usually available from their help pages.


How to reduce the risk of future compromises

Once you’re back in control, consider these protective steps:

  • Use a unique password for email and consider a password manager to generate and store strong passwords.
  • Keep devices and apps updated.
  • Be cautious with unexpected links and attachments and verify unusual requests using a different method – e.g. a phone call.
  • Enable MFA across your most important accounts – email, banking, social media.
  • Regularly review account security settings – recovery options, connected apps, devices, and recent sign-ins.

Downloadable documents

A Guide to Email Account Compromise Infographic (PDF)


Page last reviewed - 27/01/2026.