PanicStation.org

What to do if…
you discover new email forwarding rules you did not set up

Short answer

Treat this as an account takeover: remove the forwarding rules, then immediately secure the account (sign out of other sessions, change password, enable multi-factor authentication) using a clean route to your provider.

Do not do these things

  • Don’t assume “it’s just a setting” — forwarding rules are often used to capture password resets and sensitive mail.
  • Don’t click links in emails to “fix it” — go straight to your provider by typing the address/app yourself.
  • Don’t reuse the same password (or any password used on other sites).
  • Don’t stop at deleting the rule if it reappears — that usually means the attacker still has access.
  • Don’t ignore recovery settings and connected apps — those are common ways attackers regain entry.

What to do now

  1. Use a clean route in. If possible, use a device you trust (or restart and update the one you have), then open your email provider’s site or app directly (type the address yourself) and sign in.
  2. Remove the suspicious forwarding and any “hiding” filters/rules.
    • Delete unknown forwarding addresses.
    • Also remove rules that auto-delete, archive, mark as read, or move messages (especially those matching “security”, “password”, “bank”, “invoice”, “wire”, “gift cards”).
  3. Sign out everywhere else and remove unknown devices/apps. Use your provider’s security page to sign out of other sessions/devices and remove anything unfamiliar from “devices”, “recent activity”, or “connected apps”.
  4. Change your password immediately (unique and strong). Do this after removing the rules. If your provider supports it, rotate any app-specific passwords too.
  5. Turn on MFA and lock down account recovery. Confirm the recovery email/phone are yours, remove anything unfamiliar, and store backup codes somewhere safe if offered.
  6. Check for signs of misuse.
    • Review Sent, Trash/Deleted, and Archived mail for messages you didn’t send or security emails you didn’t request.
    • If you see scam messages sent from your account, warn the affected contacts (briefly: “Don’t click; it wasn’t me.”).
  7. Prevent the fastest follow-on damage: secure linked accounts. Starting with banking/payment apps, your main shopping accounts, and any account where this email is the login, change passwords (especially anywhere you reused the old email password).
  8. Escalate if identity or money may be involved.
    • If you believe your identity is being used (new accounts, tax/benefits issues, credit impacts), use the federal identity-theft site to create a recovery plan.
    • If you lost money or this is tied to a scam (including business email compromise), file a complaint with the FBI’s Internet Crime Complaint Center — type ic3.gov yourself and avoid lookalike sites/links from emails.
    • If this is a work/school account, contact your IT/security team immediately (they may need to remove rules server-side and review sign-in logs).
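
For anyone reviewing a long list of rules (for example an IT team checking a work or school mailbox), the checks from step 2 can be written as a short script. This is an added example, not part of the original guide; the rule format, field names and sample addresses are hypothetical and do not match any provider's export format.

```python
# Added example: triage mailbox rules for the takeover signs in step 2.
# The rule format is hypothetical, not any provider's export format.
HIDING_ACTIONS = {"delete", "archive", "mark_read", "move"}
SENSITIVE_TERMS = ("security", "password", "bank", "invoice", "wire", "gift card")


def audit_rule(rule, own_addresses):
    """Return a list of reasons this rule looks suspicious (empty if none)."""
    findings = []
    own = {a.lower() for a in own_addresses}
    # Forwarding to an address the mailbox owner does not recognise.
    for target in rule.get("forward_to", []):
        if target.strip().lower() not in own:
            findings.append(f"forwards to unknown address: {target}")
    # "Hiding" actions that keep the owner from seeing certain mail.
    hiding = HIDING_ACTIONS & set(rule.get("actions", []))
    if hiding:
        acts = "/".join(sorted(hiding))
        conditions = " ".join(rule.get("match", [])).lower()
        terms = [t for t in SENSITIVE_TERMS if t in conditions]
        if terms:
            findings.append(f"{acts} on mail matching: {', '.join(terms)}")
        elif not conditions:
            findings.append(f"{acts} applied to all mail")
    return findings


def audit_mailbox(rules, own_addresses):
    """Map rule name -> findings, for rules with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, own_addresses)
        if findings:
            report[rule.get("name", "(unnamed)")] = findings
    return report


# Constructed sample rules; example.com / example.net are placeholder domains.
SAMPLE_RULES = [
    {"name": "Newsletters", "match": ["from:news@example.com"], "actions": ["move"]},
    {"name": ".", "match": [], "forward_to": ["collector@example.net"], "actions": []},
    {"name": "rss", "match": ["subject:password", "subject:Security alert"],
     "actions": ["delete", "mark_read"]},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, ["me@example.com"]).items():
        print(f"[!] rule {name!r}: " + "; ".join(reasons))
```

A rule that moves ordinary newsletters is not flagged; a rule with no findings can still be unwanted, so anything you did not create should be removed regardless.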

What can wait

  • You don’t need to prove exactly how the attacker got in before securing the account.
  • You don’t need to do a full device overhaul right this minute if you’ve secured the account via a clean route — you can schedule deeper checks after access is stable.
  • You don’t need to decide whether to pursue law enforcement beyond reporting unless there’s ongoing loss; first stop access and reset credentials.

Important reassurance

This is a common pattern of email account takeover, and the immediate fix is straightforward: remove the forwarding, lock the account down, and then secure the accounts that depend on that inbox. You’re aiming to stop escalation, not solve everything at once.

Scope note

This covers first steps only. If you can’t keep the rules removed, can’t regain control, or you’re dealing with financial loss/identity theft, you’ll likely need provider support and official reporting follow-through.

Important note

This guide is general information, not legal, financial, or professional security advice. Use only official account-recovery/support channels for your email provider, and seek help promptly if you suspect identity theft or financial fraud.
