What if my email is hacked & how do I prevent it?

Having your email compromised ("hacked") can be very frustrating, and figuring out what to do afterwards can be overwhelming and challenging to say the least.  Let me share what I've learned working with others who have gone through an email compromise, along with some tips to help prevent it from happening.

If you have had your email "hacked", you probably already know the telltale signs, but in case you haven't, here are some warning signs that your email may have been compromised:

  • People tell you they have received weird emails from you and you know you haven't sent them.  Especially emails with strange attachments, weird links, or asking for money.
    • Someone could have spoofed your email so that it looks like it came from you, but it didn't actually come from your email account.  In this instance, your email wasn't "hacked", but it is hard to tell.  You could search your sent items folder to see if any of the emails your friends or acquaintances received are in there, but the hacker could have cleaned out your sent and deleted folders.  I will create another blog post later to explain how you analyze email headers, but you should probably assume your email was compromised and follow the steps outlined below.
  • Several people claim they have sent you emails, but you never received them.
  • You receive an alert from your email provider that a weird login has been detected, especially if now you are unable to log in to your email account.
  • You aren't able to log in to your account, but you know the password.
  • You aren't able to perform a password reset.
  • You receive a text message with a verification/login code, but you weren't expecting one (if you have 2 step or 2 factor authentication/login enabled).
  • Several of your clients/customers report fraud attempts (if you own a business and use that email for communicating with clients/customers).
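The spoofing case above comes down to what the message headers say about where the mail really came from.  As an added example (not part of this post, and not tied to any particular email provider), the following Python script uses only the standard library to compare the visible From address with the envelope sender (Return-Path) and the receiving server's SPF/DKIM results from the Authentication-Results header.  Both messages it inspects are constructed samples with example.com/example.net addresses; in practice you would paste in the raw source ("show original") of the suspicious message a friend received.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to be from alice@example.com, but the envelope
# sender is a different domain and the receiving server reports SPF failure.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
        by mx.example.com with ESMTP id abc123
Authentication-Results: mx.example.com;
        spf=fail smtp.mailfrom=mailer.example.net;
        dkim=none
From: Alice <alice@example.com>
To: bob@example.com
Subject: Urgent - need money

Please wire money now.
"""

# Constructed sample: headers consistent with a real send from the account,
# which is what you would expect if the account itself was used by someone else.
SAMPLE_GENUINE = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
        by mx.example.com with ESMTP id def456
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=example.com;
        dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.com
Subject: Hello

Just checking in.
"""


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header.

    The header is ';'-separated; each clause looks like 'spf=pass smtp.mailfrom=...'.
    Folded continuation lines are handled because we strip each clause.
    """
    results = {}
    for clause in msg.get("Authentication-Results", "").split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                results[method] = clause[len(method) + 1:].split()[0].lower()
    return results


def assess(raw_message):
    """Return (verdict, findings) for a raw RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    auth = auth_results(msg)

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"envelope sender domain {envelope_domain} differs from From domain {from_domain}"
        )
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method)
        if verdict is not None and verdict != "pass":
            findings.append(f"{method.upper()} result: {verdict}")

    if findings:
        return "likely spoofed", findings
    return "consistent with a genuine send from the account", findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        verdict, findings = assess(sample)
        print(f"{label}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

A clean result (matching domains, SPF and DKIM both pass) does not prove the account was used, but it is the combination you would see if it was, and it means the "someone just spoofed me" explanation is unlikely; a mismatch or failing result points towards spoofing.  Either way, the safe course is the one the post recommends: assume compromise and work through the steps below.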

If your email has been compromised, here are a few steps to take:

  • Change your password immediately and make it a long password (at least 12-14 characters is suggested, but the longer the better).  Remember not to use identifying information such as birth dates, addresses, phone numbers, or the names of children, relatives or pets.
  • This is important: if you have used the same password anywhere else, change it there as well, especially if your login/username is the same as your email address.  For example, if the login to your bank is your email address and the password is the same one you used on your email account when it was compromised, it is safe to assume the hacker now knows the login to your bank as well (especially since credential stuffing is on the rise).  This is why having a different password for each account is important.  A password manager can definitely help you manage multiple long, complex passwords to better protect your accounts against a compromise.
  • Check for any forwarding rules a hacker could have created.  This varies by email provider, but search for "forward email" together with the name of your provider.  I've seen hackers put forwarding rules in place to continue receiving emails from a compromised account after the owner regains control and changes the password, so definitely make sure to check for any forwards that were created.
  • Check your account recovery information to make sure it is still correct and hasn't been changed by the hacker.
  • Change your account security questions and/or answers to something different.  If you want to be thorough, I would check my important accounts (bank, medical, retirement, email, etc.) to see if I used any of the same security questions on those accounts as well, and if I did, I would change the answers there too.

Steps to prevent your email from being hacked:

  • Create a long password, at least 12-14 characters (the longer the better), and make sure you don't use the same password you have used on other accounts.
  • Enable 2-step or 2-factor authentication.  You should also enable alerts, if possible, when strange logins are detected.  Not knowing which email accounts you have, here are example instructions for Google/Gmail.  Most email providers have similar features, though.
  • Limit the damage caused in the event your email is hacked by limiting the amount of personal information stored in your email.  Deleting unneeded emails can help limit the amount of information a hacker can learn if your email is hacked.  I would especially look at removing emails with passwords, password hints, password reset information, etc.  I would also recommend removing any emails regarding account alerts from your bank, information from your doctor, etc.  Definitely look for any emails that may contain your social security number and/or birth date information.
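Two of the steps above are mechanical enough to script: finding every other account that shares (or lightly varies) the compromised email password, and checking a replacement password against the length and "no identifying information" rules.  The Python below is an added example, not code from this post or from any password manager; the vault it inspects is a constructed dictionary standing in for a password-manager export, and the 14-character minimum is my assumption taken from the upper end of the 12-14 character advice above.

```python
import hashlib
import re

MIN_LENGTH = 14  # assumption: upper end of the post's 12-14 character advice


def fingerprint(password):
    """SHA-256 of the password, so comparisons never keep plaintext around longer than needed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def normalize(password):
    """Strip trailing digits/symbols and lower-case, so 'Summer2019!' and 'summer2020'
    are recognised as variants of the same base word."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def accounts_to_rotate(vault, compromised_password):
    """Return [(account, 'identical' | 'variant')] for every vault entry that reuses
    the compromised password exactly or as an obvious variant."""
    exact = fingerprint(compromised_password)
    base = normalize(compromised_password)
    hits = []
    for account, stored in vault.items():
        if fingerprint(stored) == exact:
            hits.append((account, "identical"))
        elif base and normalize(stored) == base:
            hits.append((account, "variant"))
    return hits


def policy_violations(password, personal_info):
    """Check a candidate password against the post's rules: minimum length, and no
    identifying information (names, dates, phone numbers) from personal_info."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for label, value in personal_info.items():
        digits = re.sub(r"\D", "", value)          # e.g. "1985-03-14" -> "19850314"
        if value.lower() in lowered or (len(digits) >= 4 and digits in lowered):
            problems.append(f"contains {label}")
    return problems


# Constructed sample vault (what a password-manager export might look like).
VAULT = {
    "email": "Summer2019!",
    "bank": "Summer2019!",
    "retirement": "summer2021",
    "forum": "x7#Lq9!pR2vT",
}

# Constructed personal details a new password must not contain.
PERSONAL_INFO = {
    "pet name": "Fluffy",
    "child birth year": "2012",
    "phone number": "555-0142",
}

if __name__ == "__main__":
    for account, reason in accounts_to_rotate(VAULT, "Summer2019!"):
        print(f"rotate password on {account} ({reason})")
    for candidate in ("Fluffy2012", "correct-horse-battery-staple-42"):
        print(candidate, policy_violations(candidate, PERSONAL_INFO) or ["ok"])
```

The "variant" match is deliberately loose: people who reuse passwords usually bump a year or a trailing symbol rather than choose something new, and an attacker doing credential stuffing tries those variants too, so those accounts belong on the change list as well.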

If you are sure your email was hacked and you know you had sensitive information in your email account, whether in the inbox or in folders (sent, deleted, etc.), I would consider performing the steps below:

  • If you saved any emails regarding your passwords, such as a file with passwords, password hints, etc., I would change the passwords on those accounts.  If you used the same password on any other websites, especially if you had emails regarding those accounts, change those passwords as well (credential stuffing is on the rise).
  • If there were any password reset emails in your account and you aren't sure if you have changed the password since receiving the email, I would suggest changing the password just to be sure.
  • If your SSN, date of birth, bank account information, etc. were in any of your emails, you may want to consider these steps to protect yourself.  I haven't performed these myself, so I'm not sure what all is involved or what inconvenience they may cause, so I can't recommend one way or the other.  I just wanted to pass on the options available:
  • If any of your emails contained credit card or bank information, I would reach out to your bank(s) and explain the situation along with monitoring your accounts to see if you notice any fraudulent charges.
  • If your email contained account numbers for any of your other accounts, such as retirement accounts, you may want to reach out to those institutions to see what they recommend as well.