PanicStation.org

What to do if…
your email account starts sending automatic replies you did not set up

Short answer

Assume your email account is compromised. From a trusted device, disable the auto-reply, remove unknown rules/forwarding, change your password, and sign out of other sessions right away.

Do not do these things

  • Don’t keep emailing from the compromised account to “clarify” — it can spread scams and confirms your address is active.
  • Don’t click links inside “security warning” emails; go to the provider by typing the address or using the official app.
  • Don’t stop after changing the password — attackers often leave forwarding/rules/connected apps in place.
  • Don’t wipe your inbox immediately — you may need messages/settings for recovery or reports.

What to do now

  1. Get onto a trusted device and connection. If possible, use a different device than the one you normally use, and a known network. If you suspect malware on your main device, don’t rely on it for account recovery.
  2. Sign in to your provider directly (no email links). Open your email provider’s official site/app and go to Security and Settings.
  3. Stop the active behavior first.
    • Turn off “vacation responder/out of office/automatic replies”.
    • Then check rules/filters and remove anything you didn’t create, especially rules that auto-reply, auto-forward, auto-delete, or hide messages.
  4. Remove persistence paths.
    • Check for forwarding, “redirect”, “send a copy to”, “delegates/shared mailbox”, and “connected accounts”.
    • Remove unknown forwarding addresses, delegates, unknown devices, and any third-party app access you don’t recognize.
  5. Change your password and sign out other sessions.
    • Create a new, unique password.
    • Use the provider feature to sign out of other devices/sessions or revoke access for devices/apps you don’t recognize.
  6. Turn on multi-factor authentication (MFA) and verify recovery info.
    • Enable MFA (authenticator app or security key is generally stronger than SMS where available).
    • Review recovery email/phone and remove anything you didn’t add.
  7. Secure the accounts your email can unlock.
    • Prioritize banking, payment apps, shopping accounts, and any account where this email is the login.
    • Change passwords and enable MFA there too, watching for password reset attempts.
  8. Notify people using another channel.
    • Text/call key contacts: “My email may be compromised; don’t trust recent auto-replies/links.”
  9. If this is tied to fraud, report it using the right federal portals.
    • Cyber-enabled fraud / account takeover: file a complaint with the FBI’s IC3.
    • Scams (including tech-support or impersonation scams): report at ReportFraud.ftc.gov.
    • Identity theft recovery/reporting: use IdentityTheft.gov if your personal info/accounts are being used in your name.
  10. If you can’t regain control quickly, start provider recovery and containment.
    • Use the provider’s official account recovery flow.
    • Consider creating a new email address for critical accounts and updating the most sensitive services first.
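
An added example, not part of the original guide: one way to run the rule check from steps 3 and 4 over an exported filter file instead of reading each rule by eye. It assumes the Atom/XML file that Gmail's filter export produces and its `forwardTo`, `shouldTrash`, `shouldArchive` and `shouldMarkAsRead` property names; the sample export, its addresses and the `own_domains` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample export: ids and addresses are made up for this example.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><id>filter-1</id>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry><id>filter-2</id>
    <apps:property name='hasTheWord' value='invoice OR payment'/>
    <apps:property name='forwardTo' value='collector@mail.example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><id>filter-3</id>
    <apps:property name='from' value='no-reply@bank.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text, own_domains):
    """Return [(filter_id, [reasons])] for filters that forward, delete or hide mail."""
    findings = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        reasons = []
        fwd = props.get("forwardTo")
        if fwd:
            # Forwarding outside your own domains is the highest-priority finding.
            domain = fwd.rsplit("@", 1)[-1].lower()
            where = "own domain" if domain in own_domains else "EXTERNAL"
            reasons.append(f"forwards to {fwd} ({where})")
        if props.get("shouldTrash") == "true":
            reasons.append("auto-deletes matching mail")
        if props.get("shouldArchive") == "true" and props.get("shouldMarkAsRead") == "true":
            reasons.append("hides matching mail (skips inbox, marked read)")
        if reasons:
            findings.append((entry.findtext(ATOM + "id", "?"), reasons))
    return findings

if __name__ == "__main__":
    for filter_id, reasons in audit_filters(SAMPLE_EXPORT, {"example.org"}):
        print(filter_id, "->", "; ".join(reasons))
```

A flagged filter is a prompt to review it in the provider's settings, not proof of compromise; filters you created yourself can match the same patterns.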

What can wait

  • You don’t need to identify the exact entry point right now.
  • You don’t need to notify everyone at once — focus on close contacts and anyone likely to act on a scam link.
  • You don’t need to make device-replacement decisions immediately (secure the account first).

Important reassurance

Automatic replies you didn’t set up are a classic sign that someone changed settings or added rules to your mailbox. Removing rules/forwarding, signing out other sessions, and turning on MFA usually stops it quickly.

Scope note

These are first steps to stop damage and regain control. For work/school email, your IT/admin team may need to handle server-side rules, enterprise MFA, and logs.

Important note

This guide is general information for urgent first steps, not legal or professional advice. If you can’t recover access or you suspect broader compromise, use official provider recovery and consider qualified technical help.
