'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
uk Technology & digital loss email hacked • email forwarding rule • unknown forwarding address • inbox rules i didnt make • mailbox rules changed • filters i didnt set up • auto forwarding enabled • suspicious email settings • account takeover email • someone accessing my inbox • unexpected sign in alert • emails disappearing • sent messages i didnt send • password reset emails missing • recovery email changed • security settings changed • third party access to email • compromised email account • email rules forwarding to stranger What to do if…
What to do if…
you discover new email forwarding rules you did not set up
Short answer
Assume your email account has been accessed by someone else: remove the forwarding rules, then immediately secure the account (sign out of other sessions, change password, turn on 2-step verification) from a clean device.
Do not do these things
- Don’t keep using the same inbox normally “until later” — forwarding rules are often used to intercept password resets.
- Don’t change settings while you’re clicking through links in suspicious emails — go to your provider by typing the address/app yourself.
- Don’t reuse an old password or a password you’ve used anywhere else.
- Don’t assume deleting the rule is enough if it reappears — treat that as ongoing access.
- Don’t ignore recovery options (backup email/phone) — attackers often change these to regain entry.
What to do now
- Use a clean route in. If you can, use a device you trust (or restart and install updates), then open your email provider by typing the address or using the official app — not via email links.
- Remove the suspicious forwarding and any “hiding” rules.
- Delete any forwarding addresses you don’t recognise.
- Also check for rules/filters that auto-delete, archive, mark as read, or move messages (especially “security”, “password”, “bank”, “invoice”).
- Sign out of other sessions and revoke access. Use your provider’s security page to sign out of other devices/sessions and remove any unknown devices. Revoke access for any unfamiliar “connected apps” or third-party mail access.
- Change your email password immediately (and make it unique). Do this after removing the rules. If your provider offers it, also change any app passwords/security questions tied to the mailbox.
- Turn on 2-step verification (2SV) and lock down recovery options. Confirm your recovery email address and phone number are yours, remove anything unfamiliar, and save backup codes if offered.
- Check for misuse and stop the most likely follow-on harm.
- Look in Sent, Deleted/Trash, and Archive for messages you didn’t send or that look like password resets.
- If this inbox is used for banking/shopping/benefits/work logins, go to the most important linked accounts and change passwords there too, starting with any that share the old email password.
- If this is a work/school account, tell your IT/security team now. Your admin may need to remove rules server-side and review sign-in logs.
- Report and contain if fraud is involved.
- If you received a suspicious email linked to this, forward it to report@phishing.gov.uk (don’t click links or open attachments).
- If you’ve lost money, suspect fraud, or the compromise is ongoing: England/Wales/Northern Ireland report via the national fraud/cyber reporting service (Report Fraud / Action Fraud). Scotland: contact Police Scotland (101 or their online reporting).
- If you are in immediate danger, call 999.
What can wait
- You don’t need to figure out how they got in right now — first stop access and forwarding.
- You don’t need to message every contact immediately unless you see emails were sent from your account.
- You don’t need to do a full device “deep clean” right away if you’ve secured the account from a clean route — you can schedule deeper checks after you regain control.
Important reassurance
Finding forwarding rules you didn’t create is a common, fixable sign of account takeover. The goal right now is to cut off access and prevent password resets being intercepted — you can work out the wider impact after you’re back in control.
Scope note
This is first steps only — once your account is stable, you may still want provider support and (for serious fraud/identity issues) specialist advice.
Important note
This guide is general information, not legal, IT, or financial advice. If you can’t keep the rules deleted, can’t regain access, or you suspect fraud is active, use your email provider’s official account-recovery/support and report through the appropriate UK channels.