What to do if…
your sent folder shows emails you do not recognise sent to many recipients
Short answer
Assume your email account is compromised: regain control immediately by signing out other sessions, changing the password, and removing any forwarding/rules so the attacker can’t keep sending or reading your mail.
Do not do these things
- Don’t reply to the suspicious sent emails from the compromised account (it can confirm the account is active and may trigger more abuse).
- Don’t click any links inside copies/forwards of the suspicious sent emails (including “unsubscribe” links) or in related bounce-back messages.
- Don’t just change your password and stop there — attackers often stay in via forwarding rules, app access, or active sessions.
- Don’t send sensitive documents or passwords from the account “to test it”.
- Don’t delete everything in panic; keep enough details (dates, subjects, recipients) in case you need support from your provider, employer, bank, or fraud reporting.
What to do now
- Stop the bleed (30–60 seconds): If you can still log in, use your provider’s “sign out of all devices/sessions” option (or equivalent). If you can’t find it quickly, continue anyway.
- Change the password from a safer device: Use a device you trust (or a different device than usual). Set a new, unique password (not reused anywhere).
- Turn on 2-step verification (2FA) right away: Prefer an authenticator app or a physical security key if you have one.
- Remove attacker persistence inside the mailbox:
  - Check mailbox rules/filters and delete anything you didn’t create (especially rules that auto-forward, auto-delete, or move messages to obscure folders).
  - Check forwarding settings and remove any unfamiliar forwarding address.
  - Check connected apps / “sign in with…” access and revoke anything you don’t recognise.
- Secure recovery routes (so you don’t get locked out again):
  - Confirm your recovery email and phone number are yours.
  - Remove any unfamiliar recovery options.
  - Regenerate backup/recovery codes (if offered) and store them safely.
- Check the wider damage (do this next, not later):
  - Search your inbox for “password reset”, “security alert”, “new sign-in”, “forwarding”, “rule”, plus names of banks, payments, shopping, and cloud services you use.
  - If you see resets/alerts for other services, change those passwords too (starting with banking, payments, shopping, and social accounts), and add 2FA where possible.
- Warn the people most at risk (from a safe channel): Text/call close contacts and anyone who might act on urgent requests (payments, gift cards, invoices). Ask them to ignore links/attachments from you until you confirm by phone.
- Report the scam and any resulting fraud:
  - If you’ve received related phishing emails, forward them to report@phishing.gov.uk.
  - If you’ve lost money, shared financial details, or your account takeover led to fraud, report it via Report Fraud / Action Fraud (and if you’re in Scotland you may be directed to Police Scotland via 101).
- If this is a work/school account: Contact your IT/helpdesk immediately. Ask them to check for: sign-in logs, mailbox rule changes, forwarding, and any suspicious third-party access.
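
For helpdesk staff or anyone comfortable with a script, the mailbox rule check above can be done systematically. This is an added example, not part of the original guidance: the rule fields are a hypothetical schema for rules copied out of the mail settings, and `OWN_DOMAINS`, `RARELY_CHECKED` and the sample rules are constructed assumptions.

```python
# Added example. The rule fields below are a hypothetical schema for rules
# copied out of your mail settings; they are not any provider's export format.
OWN_DOMAINS = {"example.org"}  # assumption: domains the mailbox owner controls
RARELY_CHECKED = {"rss feeds", "archive", "junk", "deleted items"}  # assumption
ALERT_TERMS = ("password reset", "security alert", "new sign-in")  # inbox search terms from the guide

def review_rule(rule):
    """Return the reasons a rule needs a manual look (empty list if none)."""
    reasons = []
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS:
            reasons.append(f"forwards to external address {addr}")
    folder = (rule.get("move_to") or "").strip().lower()
    hides = bool(rule.get("delete")) or folder in RARELY_CHECKED
    if rule.get("delete"):
        reasons.append("auto-deletes matching mail")
    if folder in RARELY_CHECKED:
        reasons.append(f"moves mail to rarely checked folder {rule['move_to']!r}")
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    if hides and any(term in s for s in subjects for term in ALERT_TERMS):
        reasons.append("hides security alert mail")
    return reasons

def triage(rules):
    """Map rule id -> reasons, for flagged rules only."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged[rule["id"]] = reasons
    return flagged

SAMPLE_RULES = [  # constructed sample data
    {"id": 1, "name": "Newsletters", "move_to": "Newsletters"},
    {"id": 2, "name": ".", "forward_to": ["collector@mail.example.net"]},
    {"id": 3, "name": "cleanup", "delete": True,
     "subject_contains": ["Security alert", "Password reset"]},
    {"id": 4, "name": "misc", "move_to": "RSS Feeds"},
    {"id": 5, "name": "Copy to self", "forward_to": ["me@example.org"]},
]

if __name__ == "__main__":
    for rule_id, reasons in triage(SAMPLE_RULES).items():
        print(rule_id, "; ".join(reasons))
```

A flagged rule is a prompt to look at it, not proof of compromise; delete only rules the account owner confirms they did not create.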
What can wait
- You don’t need to figure out “who did it” or why right now.
- You don’t need to send a perfect message to everyone immediately — prioritise the few people most likely to be harmed.
- You don’t need to wipe devices today unless you have strong reason to suspect malware; focus first on account control (sessions, password, rules, recovery).
Important reassurance
This happens to careful people — mass-sent messages are a common sign of account takeover. Taking control of sessions, rules/forwarding, and recovery options usually stops the immediate harm quickly.
Scope note
These are first steps to stabilise the situation and prevent irreversible mistakes. If money, work systems, or sensitive data are involved, you may need specialist help (IT/security support, your bank, and fraud reporting).
Important note
This is general information, not legal or professional advice. If you feel unsafe, threatened, or are experiencing ongoing fraud, get help promptly from your provider, employer IT, and relevant UK reporting channels.
Additional Resources
- https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
- https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.reportfraud.police.uk/phishing/
- https://www.reportfraud.police.uk/
- https://www.actionfraud.police.uk/report-phishing