What to do if…
your email account starts sending automatic replies you did not set up
Short answer
Treat this as a likely account compromise. From a trusted device, secure the account now: disable the auto-reply, remove any unknown rules/forwarding, change your password, and sign out of other sessions.
Do not do these things
- Don’t keep replying from the compromised account to “explain” — it can confirm your address and spread scams.
- Don’t click links in “security alert” emails unless you reach the provider by typing the address/app yourself.
- Don’t just change the password and stop there — hidden forwarding/rules can keep the attacker in control.
- Don’t delete everything in panic — you may need messages/settings as evidence for recovery/support.
What to do now
- Switch to a safer setup first. If you can, use a different device you trust (or a private browser window) and a known network (home data/Wi-Fi). If your device might be infected, prioritise account security from a different device.
- Sign in directly to your email provider (don’t use email links). Go to your provider’s account/security area.
- Turn off what’s actively sending replies.
  - Disable “vacation responder/out of office/automatic replies”.
  - Then check mail rules/filters and remove anything you didn’t create (especially anything that auto-replies, hides messages, or marks mail as read).
- Check and remove hidden access paths.
  - Look for forwarding, “redirect”, “send a copy to”, “delegate access”, “mailbox sharing”, or “connected accounts”.
  - Remove any unknown forwarding addresses, delegates, or third-party app connections you don’t recognise.
- Change your password and sign out other sessions.
  - Set a new, unique password (not used anywhere else).
  - Use your provider’s option to sign out of other devices/sessions or revoke access for devices/apps you don’t recognise.
- Turn on 2-step verification (2SV) and lock down recovery options.
  - Enable 2SV (an authenticator app or security key is generally stronger than SMS where available).
  - Check your recovery email/phone and remove anything you didn’t add.
- Check what else your email can unlock.
  - If this email is used to sign in to other services (banking, shopping, social), change those passwords too—starting with the most sensitive.
  - Watch for unexpected password reset emails or new-device alerts.
- Warn people quickly, using a different channel.
  - Text/call close contacts or message via another trusted account: “My email may have been compromised. Don’t trust recent replies/links from it.”
- Report any phishing that may have triggered this.
  - Forward suspicious emails to report@phishing.gov.uk (then delete the original).
- If money was lost or you need a formal report, use the UK reporting route.
  - England, Wales, Northern Ireland: report cyber crime/fraud via Report Fraud (reportfraud.police.uk) or call 0300 123 2040.
  - Scotland: report to Police Scotland via 101 (use 999 if there’s immediate danger).
What can wait
- You don’t need to figure out how it happened right now.
- You don’t need to clean up every old email immediately.
- You don’t need to decide about replacing devices unless signs point to device infection (focus first on account control).
Important reassurance
This is a common pattern in account takeovers: attackers add auto-replies, rules, or forwarding so they can keep access and trick others. Securing the account and removing unknown rules usually stops the behaviour quickly.
Scope note
These are first steps to stop ongoing harm and regain control. If this is a work/school account, you may also need your IT/admin team because they can see server-side rules and sign-in logs you can’t.
Important note
This guide is general information for urgent first steps, not legal or professional advice. If you can’t regain access or you suspect wider compromise, use your provider’s official recovery process and consider getting qualified IT help.
Additional Resources
- https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
- https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.reportfraud.police.uk/
- https://support.google.com/accounts/answer/6294825?hl=en
- https://support.microsoft.com/en-us/account-billing/what-happens-if-there-s-an-unusual-sign-in-to-your-account-eba43e04-d348-b914-1e95-fb5052d3d8f0