By The Most Secure Man Alive | WISECLICK Ambassador
I have, on occasion, found someone somewhere they shouldn't be. The approach is always the same — calm, methodical, unhurried. Panic is not useful. A clear list of actions is.
If someone is inside your email account right now, or was recently, this is the page to be on. Work through this list in order. Things will be back under control shortly.
This is a different situation to clicking a suspicious link. Someone has gained access. They may still be there. The next sixty minutes matter.
First — A Breath
This is recoverable.
Email accounts get compromised. It happens to careful people, to cautious people, to people who did everything reasonably right. The question now is not how it happened. It is what you do next.
Work through this list step by step. It is designed to get things back under control quickly.
The First 60 Minutes — In Order
Step 1 — Change your email password immediately
If you can still log in, change the password right now. Use something long and unique — a passphrase works well. Three or four unrelated words, a number, a symbol. Something you have never used before.
If you cannot log in — your password has already been changed by whoever is in there — go straight to the account recovery option for your email provider.
For Gmail: accounts.google.com/signin/recovery
For Microsoft/Outlook: account.live.com/password/reset
Step 2 — Check what devices are currently logged in
Every major email provider shows you which devices are signed in to your account right now. This is the step most people don't think of — and the most useful for understanding how far this has gone.
For Gmail: myaccount.google.com/device-activity
For Microsoft: account.microsoft.com/devices
Sign out of any device you do not recognise. If you are unsure, sign out of all of them, then sign back in on yours. Do this even though you changed the password in Step 1: a session that is already open is not always ended by a password change, and the intruder's open session is exactly the one you want gone.
Step 3 — Turn on multi-factor authentication
Once you have your account back, do this before anything else.
Multi-factor authentication means that even if someone has your password, they cannot get in without a second confirmation: a prompt or code from an authenticator app on your phone, or a passkey. A code sent by SMS is better than nothing but is the weakest option, because a phone number can be redirected to someone else's handset. This is the single most effective thing you can do to prevent this happening again.
For Gmail: myaccount.google.com/signinoptions/two-step-verification
For Microsoft: account.microsoft.com/security
Step 4 — Check your sent folder and forwarding rules
When someone gains access to an email account, two things commonly happen. They send emails pretending to be you, often to your clients or contacts, requesting payments or information. And they set up forwarding rules so your emails continue reaching them, even after you've changed your password.
Check your sent folder for anything you did not send. Check your settings for any forwarding address or rule you did not create, and delete it immediately. In Gmail, look under Settings > Forwarding and POP/IMAP and under Filters and Blocked Addresses. In Outlook, look under Settings > Mail > Forwarding and Settings > Mail > Rules. A planted rule does not always forward: one that deletes, archives or marks as read any message mentioning invoices, payments or passwords, or that hides the provider's own security alerts, is also the intruder's work. While you are in the settings, check three more things: that the recovery email address and phone number are still yours, that no unfamiliar third-party app has been granted access to the account (Gmail: myaccount.google.com/permissions; Microsoft: account.live.com/consent/Manage), and that no one has been added as a delegate (Gmail: Settings > Accounts and Import > Grant access to your account).
The forwarding rule is the one they rely on to stay hidden. It is worth checking twice.
I find it quietly audacious. I also find it easy to remove.
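A way to do the rule check mechanically rather than by eye, as an added example and not something from the original article: the script below reads a Gmail filter export and flags the patterns described above. It assumes the format Gmail's Settings > Filters and Blocked Addresses > Export produces (an Atom feed whose entries carry apps:property name/value pairs) and the property names shown in it; the sample export embedded in the script is constructed, not real data, and yourbusiness.example stands in for your own domain. Outlook's Rules page has no equivalent export here, so that check stays manual.

```python
"""Audit an exported Gmail filter list for rules an intruder typically plants.

Added example. Assumes the input is the XML produced by Gmail's Settings >
Filters and Blocked Addresses > Export: an Atom feed whose <entry> elements
carry <apps:property name=... value=.../> pairs for each filter's criteria
(from, to, subject, hasTheWord) and actions (forwardTo, shouldTrash, ...).
"""
import sys
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Actions that stop the account owner from seeing the matching mail.
HIDING_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")
# Criteria an intruder filters on: money, credentials, or the provider's own alerts.
SUSPICIOUS_TERMS = ("invoice", "payment", "bank", "password", "verification", "accounts.google.com")

# Constructed sample export (not real data): one benign filter and two planted ones.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='invoice OR payment'/>
    <apps:property name='forwardTo' value='collector@attacker-mail.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_data):
    """Return each filter as a dict mapping property name to value."""
    root = ET.fromstring(xml_data)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        for entry in root.findall(ATOM + "entry")
    ]


def audit_filter(props, own_domains):
    """Return the reasons this filter looks planted; an empty list means it looks benign."""
    reasons = []
    target = props.get("forwardTo")
    if target and target.rsplit("@", 1)[-1].lower() not in own_domains:
        reasons.append("forwards to external address " + target)
    hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
    if hiding:
        reasons.append("hides matching mail: " + ", ".join(hiding))
    criteria = " ".join(
        props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")
    ).lower()
    hits = [t for t in SUSPICIOUS_TERMS if t in criteria]
    # Keyword matches only matter when the filter also forwards or hides mail.
    if hits and (target or hiding):
        reasons.append("matches sensitive terms: " + ", ".join(hits))
    return reasons


def audit_export(xml_data, own_domains):
    """Return (filter number, properties, reasons) for every filter that raised a reason."""
    domains = {d.lower() for d in own_domains}
    findings = []
    for number, props in enumerate(parse_filters(xml_data), start=1):
        reasons = audit_filter(props, domains)
        if reasons:
            findings.append((number, props, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python audit_gmail_filters.py mailFilters.xml yourbusiness.example
    # With no arguments the constructed sample above is audited instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    domains = set(sys.argv[2:]) or {"yourbusiness.example"}
    for number, props, reasons in audit_export(data, domains):
        print("Filter #%d: %s" % (number, "; ".join(reasons)))
        for name, value in sorted(props.items()):
            print("    %s = %s" % (name, value))
```

Anything it prints deserves a look: a filter that forwards to an address you do not own, or that trashes or archives mail about invoices or the provider's own security alerts, is the planted one. Deleting the filter does not tell you when it was created, so pair this with the activity log from Step 2 to work out how long the intruder had the account.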
Step 5 — Change any other account that uses the same password
Start with banking, accounting software, and anything that stores client data. Then work through the rest.
It takes a few minutes, but it closes the remaining doors.
Step 6 — Tell the people who need to know
If your email was used to contact clients, suppliers, or anyone in your network — let them know. A brief, calm message: your email was temporarily accessed by an unauthorised party, any unusual request received from your address should be disregarded, and you have now secured the account.
Do not overcommunicate. Do not speculate about what happened. Just inform and move on.
If you don't have an IT person to call — WISE ASSIST exists for exactly this moment. Not just after the incident. During it.
After the Hour — Three Things to Sort This Week
- Report it. Australian businesses can report cybersecurity incidents to the Australian Signals Directorate via cyber.gov.au. If financial fraud occurred, report it to your bank immediately and to the ACSC's ReportCyber at cyber.gov.au/report.
- Run a check on your other accounts. The site haveibeenpwned.com lets you check whether your email address has appeared in a known data breach. Worth knowing.
- Consider a password manager. The reason people reuse passwords is because remembering unique ones is genuinely difficult. A password manager removes that problem entirely. One strong master password. Every other password unique and unguessable.
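Added example, not part of the original article: the same site also publishes the Pwned Passwords range API, which lets you test a password against the breach corpus without sending the password itself. Only the first five characters of the password's SHA-1 hash leave your machine; the service returns every hash suffix it knows for that prefix, and the comparison happens locally. The script below does that check. It assumes the public endpoint api.pwnedpasswords.com/range/ and its SUFFIX:COUNT response lines; the response embedded for offline use is constructed, containing the real hash suffix of the word "password" alongside made-up neighbours and illustrative counts.

```python
"""Check a password against a breach corpus without revealing it (k-anonymity).

Added example using the Have I Been Pwned "Pwned Passwords" range API:
GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1> returns lines
of the form SUFFIX:COUNT; the remaining 35 hex characters are compared locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Return (first 5 hex chars, remaining 35 hex chars) of the SHA-1, upper case."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup of one hash prefix. Assumes network access (not used by the test)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "email-compromise-checklist"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus; 0 means it was not seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample of a response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The middle suffix is the real one for that word; the other lines and all counts
# are made up, and a live response has hundreds of lines.
SAMPLE_RESPONSE_5BAA6 = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])


def sample_fetch(prefix):
    """Offline stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    import getpass

    pw = getpass.getpass("Password to check (never echoed, never sent in full): ")
    n = breach_count(pw)
    if n:
        print("Seen in breaches %d times. Change it everywhere it is used." % n)
    else:
        print("Not in the corpus. Keep it unique to one account.")
```

A count above zero means the password is in attackers' credential-stuffing lists and should be retired everywhere, not just on the email account; a count of zero is reassuring but not proof, since the corpus only holds breaches that have been published.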
How It Probably Happened
You do not need to know this right now. But once things are settled, it is worth understanding.
The most common ways business email accounts are compromised:
- Phishing. An email that looked legitimate — a bank, a supplier, a colleague — asked you to log in somewhere. The page looked right. The credentials went to the attacker.
- Password reuse. A password you used on another site appeared in a data breach. Attackers try those same credentials on email accounts. Frequently it works.
- No multi-factor authentication. With just a password — however strong — an attacker who has it is inside. MFA closes that door.
Multi-factor authentication is one of the eight controls in the ASD Essential 8. Email security is not a control on its own, but phishing attachments, Office macros and unpatched mail clients are exactly what several of the other seven (macro settings, user application hardening, patching) exist to blunt. They are there because they matter.
Most breaches are not sophisticated. They're simply unattended.
Once You're Through This
Once things have settled, it is worth checking the rest of your security setup.
Multi-factor authentication is one of eight controls your business should have locked. If you want to know how the other seven are looking, the Essential 8 Gap Assessment gives you a clear picture in thirty minutes. Your maturity level. Your gaps. Your quick wins. Documented in plain English.
The assessment costs $149. The average cyber incident costs $55,000. I find this a fairly straightforward calculation.
Want to know how the rest of your security stacks up?
The Essential 8 Gap Assessment shows you exactly where your business stands — across all eight controls, in plain English.
30 minutes. No tech knowledge needed. $149.
Get My Essential 8 Score — $149 →
I've handled worse. You'll be fine. Stay protected, my friends.
— The Most Secure Man Alive
Frequently Asked Questions
How do I know if my email has actually been hacked?
Common signs: you receive password reset emails you did not request, contacts tell you they received strange messages from you, you cannot log in with your usual password, or you find sent emails you did not write. Any one of these warrants immediate action.
Can I recover emails that were deleted by the attacker?
Often yes. Gmail keeps deleted emails in Trash for 30 days. Outlook keeps them in Deleted Items, and mail removed from that folder can often still be brought back with the "Recover items deleted from this folder" link at the top of it. Check these once you have regained control of the account. If the attacker emptied the Gmail Trash as well, treat that mail as gone unless Google's missing-email recovery tool can find it; it does not always succeed.
Should I contact the police?
If financial fraud has occurred (money transferred, payments redirected), contact your bank immediately, then report the incident through ReportCyber at cyber.gov.au/report. ReportCyber is run by the ACSC and passes reports to the relevant police, so you do not need to approach the Australian Federal Police separately unless your bank or ReportCyber tells you to. For a compromised email without financial loss, reporting to the ACSC is still appropriate and useful.
How long did the attacker have access?
Difficult to know without checking your account activity logs. Most providers show a log of login times, locations and device types (Gmail: myaccount.google.com/notifications for recent security activity; Microsoft: account.live.com/Activity). Check this once you have secured the account. It will tell you when access began and from where, which also tells you how far back to read the sent folder and which contacts may have heard from the intruder.
Is multi-factor authentication enough to prevent this in future?
It is the single most effective individual control. It does not make an account impossible to compromise: a phishing page that relays your login to the real site in real time can capture the signed-in session that results, and an attacker who has your password can fire off repeated approval prompts hoping you tap "yes" once. Phishing-resistant methods, passkeys and hardware security keys, close both gaps because they are bound to the real site and cannot be approved by accident. Even app or SMS codes close the door on the vast majority of attacks. Combined with a strong unique password, it is significantly more robust.