What to do if you think your email account has been hacked

Picture this: A friend asks you why you sent her a poorly spelled email inviting her to buy medicines in Canada, or why you sent an attachment that her antivirus detected as a threat. You know you didn't send any such thing. How did it happen? Did a hacker invade your email account? What should you do to protect yourself?

Given this sort of scenario, the good news is that these symptoms don't necessarily mean your account was hacked. However, the bad news is that recovering from an actual hack can be tough.

Somebody else got hacked

Strangely enough, the actual source of the problem might have almost nothing to do with you. A successful virus attack on one of your correspondents could cause precisely the symptoms described. Here's how it happens.

An email virus arrives in someone's inbox as an executable attachment or a link. If it manages to launch without getting caught by the antivirus it quickly goes to work replicating itself. First, it harvests all the addresses from the Contacts list. It may also flip through email messages or documents to find more addresses. When it has collected everything it can, it silently mails itself to each harvested address. The virus doesn't use an email client for this, so the messages definitely won't appear in the "Sent Items" folder.

Of course, a goodly portion of these collected addresses will be inactive or otherwise invalid. The activity of the virus could generate a flood of "undeliverable mail" warnings back to the victim's email account, a flood that would reveal the presence of the malware.

To avoid giving away its presence, the virus takes advantage of the email protocol's weak security. It's quite a simple matter to tweak the header of an email message so it shows any arbitrary address as the sender. The virus code simply picks one of the harvested addresses and "spoofs" it as the sender address.

So, your cousin Mel has an email virus. You're in Mel's address book. The virus chose your address as its false sender. People receiving the message think it came from you, but in truth there's no direct connection. Unfortunately, that also means there's no easy way to identify the true source of the problem, but at least in this scenario you're perfectly safe.

You got hacked

Of course, it's possible that somebody really did hack your email account, or simply guessed your password. The moment you suspect such a problem, change your email password to a new strong password that the bad guys won't guess (see our advice on strong passwords).

Web-based email accounts often include a setting for a backup contact account, which is a way the provider can contact you if you're having trouble with the webmail account itself. Double-check this to make sure it hasn't been changed to some other account; if it has, you know for sure that you've been hacked.

Review any other personal profile settings, things like address and telephone information. This would also be a good time to change your security questions and answers. Most web-based email systems won't show the answers that you saved previously, so a hacker couldn't view them. Still, it's better to take no chances.

Who got hacked?

Unless you have hard evidence like changes to your account profile, determining whether your account was actually hacked can be tough. The spurious messages purportedly sent from your account do contain clues, for those who can decipher them. If possible, have an expert look over the header data from such a message. An ordinary forwarded message is no good, so the friend who received the offending message will have to forward it as an attachment.

Try to pick a friend who uses a standard email client like Outlook, as opposed to checking mail on the Internet. To send the offending message as an attachment, your friend just needs to drag it onto the message being composed.

If you can't get expert help or if you're still not sure afterwards, the safest bet is to act as if the account really was hacked.

Recovering from a hack

If you verify that a hacker truly has compromised your email account, you've got clean-up work to do. Did you use the same password on any other secure websites? If so, you'll need to find and change all of those. And of course you should notify your correspondents that the account was hacked and warn them to ignore strange messages they may have received.

Double-check your profile information to be sure that the answers to security questions are never revealed, not even when you're logged in with the proper password. In the rare case that the answers weren't hidden, you'll need to visit every other secure site you frequent and change any where you've used the same security question and answer.

Here's the worst-case scenario – there's a possibility the hacker could change the password and security questions, effectively locking you out of the account. In that case your only recourse is to throw yourself on the mercy of the provider. Contact support, report your problem, and be prepared to prove in painful detail that you are the true and valid account owner. And start thinking about what account name you'll use in case you have to abandon the hacked account and start over.

Staying safe

As noted, some events completely unrelated to you can cause symptoms that look like your account was hacked. To head off the possibility of a real attack, review your email accounts and change the password for any that might be guessed easily. Make sure all the passwords are different from each other, too. A password manager can help here, and we’ve rounded up the best password managers for your delectation.

If the email provider lets you make up your own security questions and answers, do so rather than accepting the standard questions. And never, ever give your password to anyone. A little preparation can make your email account uninviting enough that hackers will move on to the next guy, the one whose password is "password" or “123456.”