Email account compromise doesn’t always announce itself loudly. Skilled attackers often work quietly, maintaining access to monitor your inbox or use your account for phishing without alerting you. Knowing the warning signs — including the subtle ones — means you can catch and respond to a compromise before the damage compounds.
The Obvious Signs
1. Your Password Suddenly Stops Working
If you can’t log in with the password you’ve always used, and you haven’t changed it, someone else changed it. This is the most direct sign of a takeover — the attacker is locking you out so you can’t interfere with what they’re doing.
2. Your Recovery Options Have Changed
Check your account security settings. If your backup email address or phone number has been replaced with something unfamiliar, an attacker has set themselves up as the account recovery path. This makes it much harder to reclaim your account.
3. Friends Are Reporting Weird Emails from You
If your contacts say they’ve received spam, strange links, or requests for money that appear to come from your address, your account is being used to distribute phishing or scam campaigns. This is a common way attackers monetize compromised email accounts.
4. Your Sent Folder Contains Emails You Didn’t Write
Check your sent folder carefully. Attackers sending from your account sometimes delete sent copies, but not always. Unfamiliar sent messages confirm your account is actively being abused.
The Subtle Signs
5. Emails Are Going Missing
If you’re expecting replies that never arrive, or you notice gaps in conversation threads, an attacker may have set up email filters to delete or redirect certain messages — particularly password reset emails from banking or social media sites they’re trying to access.
6. Login Alerts from Unfamiliar Locations
Most email providers send notifications when your account is accessed from a new device or location. Don’t ignore these. A login from a city you haven’t visited, or a device type you don’t own, is a red flag even if the attacker hasn’t done anything visible yet.
7. Your Account Shows Active Sessions You Don’t Recognize
In Gmail, scroll to the bottom of your inbox and click “Details” under “Last account activity.” In Outlook, go to Security > Review recent activity. Look for active sessions on unknown devices or from suspicious IP addresses.
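A worked example of the session and location review described in signs 6 and 7 (added here; it is not code from the article or from any email provider). It takes a recent-activity list of the kind Gmail's "Last account activity" and Outlook's "Review recent activity" show, checks each entry against the countries and device types you actually use, and also flags two logins too far apart to have been made by the same person. The activity list, the IP addresses (from documentation ranges), the coordinates, the known-device and known-country sets and the 900 km/h threshold are all constructed for the example; providers show a location and an IP but not coordinates, so you would look those up yourself.

```python
"""Review a mailbox's recent-activity list for the red flags described under
signs 6 and 7: logins from an unfamiliar country, unknown device types, and two
logins too far apart in distance and too close in time to be the same person
(an "impossible travel" check). Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed


@dataclass
class Login:
    when: datetime
    ip: str
    country: str
    city: str
    lat: float
    lon: float
    device: str


# Constructed activity list. IPs are from documentation ranges and the
# coordinates are approximate; a real provider's list shows location and IP,
# and you would look the coordinates up yourself.
SAMPLE_ACTIVITY = [
    Login(datetime(2024, 5, 1, 8, 5), "203.0.113.10", "US", "Denver", 39.74, -104.99, "Windows laptop"),
    Login(datetime(2024, 5, 1, 9, 30), "203.0.113.10", "US", "Denver", 39.74, -104.99, "Windows laptop"),
    Login(datetime(2024, 5, 1, 10, 15), "198.51.100.7", "NL", "Amsterdam", 52.37, 4.90, "Linux desktop"),
    Login(datetime(2024, 5, 1, 21, 0), "203.0.113.10", "US", "Denver", 39.74, -104.99, "iPhone"),
]

# What the account owner actually uses (assumption for the example).
KNOWN_DEVICES = {"Windows laptop", "iPhone"}
KNOWN_COUNTRIES = {"US"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def review_activity(logins, known_devices, known_countries,
                    max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (index, reason) pairs for entries worth investigating.

    The index refers to the chronologically sorted list, oldest first."""
    findings = []
    ordered = sorted(logins, key=lambda entry: entry.when)
    for i, cur in enumerate(ordered):
        if cur.country not in known_countries:
            findings.append((i, f"unfamiliar country {cur.country} ({cur.city}, {cur.ip})"))
        if cur.device not in known_devices:
            findings.append((i, f"unknown device type '{cur.device}'"))
        if i > 0:
            prev = ordered[i - 1]
            hours = (cur.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Same place, or enough time to travel: plausible. Otherwise flag it.
            if hours > 0 and km / hours > max_speed_kmh:
                findings.append((i, f"impossible travel: {km:.0f} km from {prev.city} in {hours:.1f} h"))
            elif hours == 0 and km > 50:
                findings.append((i, f"simultaneous logins {km:.0f} km apart ({prev.city} and {cur.city})"))
    return findings


if __name__ == "__main__":
    ordered = sorted(SAMPLE_ACTIVITY, key=lambda entry: entry.when)
    for idx, reason in review_activity(SAMPLE_ACTIVITY, KNOWN_DEVICES, KNOWN_COUNTRIES):
        entry = ordered[idx]
        print(f"{entry.when:%Y-%m-%d %H:%M} {entry.ip:<14} {reason}")
```

Run the file to print the flagged entries. The travel check is what makes a single foreign login stand out even when the country alone might be plausible (for example while you are travelling): a login in Amsterdam 45 minutes after one in Denver cannot be you. Any flagged entry is a reason to sign that session out and change your password.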
8. Password Reset Emails Arriving for Other Sites
If you’re getting unprompted password reset emails for Amazon, your bank, or social media accounts, someone is trying to use your email as a gateway to reset passwords on those accounts. They triggered the reset; they’re hoping to intercept the link.
9. Two-Factor Authentication Codes Arriving Unsolicited
Receiving 2FA codes you didn’t request means someone has your password and is actively trying to log in to your account right now. Change your password immediately.
10. Your Contacts Receive Phishing Emails That Reference Real Conversations
This is a sophisticated indicator: if someone contacts you saying they received an email “from you” that referenced a real email thread, an attacker has been reading your inbox and using the context to craft more convincing phishing lures.
What to Do If You Spot These Signs
Act immediately. If you can still access your account: change your password, review and correct your recovery options, enable 2FA, revoke all active sessions except your own, and check your email filters for any rules you didn’t create.
If you’re locked out: use the account recovery process, which may require your backup phone or email. Most providers have an account recovery form for cases where recovery options have been changed.
To get a clearer picture of your overall email risk profile — including what breach exposure may have led to the compromise — run the Email Exposure Report for your address once you’ve regained access.
Preventing Future Compromises
The single most effective prevention is a strong, unique password plus authenticator-app-based 2FA. With those two in place, even if your password is breached, it’s useless without the second factor. Use a password manager to generate and store unique passwords for every site, and you’ve eliminated the credential-stuffing vector that causes most email compromises.
CISA’s guidance on account security identifies unauthorized access as one of the most common and consequential cybersecurity threats facing individuals — and early detection is the most effective defense.
Frequently Asked Questions
Can my email account be compromised without any obvious signs?
Yes, and this is intentional. Sophisticated attackers often maintain “quiet access” — reading emails and gathering intelligence without triggering visible changes. Signs like forwarding rules set up silently or OAuth app access granted in the background may only surface when you specifically look for them in your account settings.
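The filter review called for in sign 5, in the response steps above and in this answer, worked through as an added example (constructed data; not the article's code and not any provider's API). It models the fields a Gmail filter or an Outlook rule exposes and flags the rule shapes described above: forwarding to an address outside your own domain, deleting or hiding mail about passwords, sign-ins or payments, and diverting such mail into folders nobody opens. The owner domain, the keyword list, the folder list and the sample rules are assumptions made for the example; the rule named with a single dot is included because a rule with no real name is easy to miss in a long list.

```python
"""Audit a mailbox's filters or inbox rules for the patterns the article warns
about: rules that delete, hide, or redirect mail (password resets and security
alerts in particular) which the account owner did not create. Added example
with constructed data; the keyword and folder lists are heuristics, not a
standard."""
from dataclasses import dataclass

OWNER_DOMAIN = "example.com"  # assumption: the mailbox owner's own domain

# Heuristic terms (assumption): mail an intruder would want you not to see.
SENSITIVE_TERMS = ("password", "reset", "verify", "security alert",
                   "sign-in", "invoice", "wire", "payment")
# Folders most people never open; a rule diverting sensitive mail here is
# worth a look (assumption based on commonly reported abuse patterns).
QUIET_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk",
                 "deleted items", "conversation history"}


@dataclass
class Rule:
    """A simplified view of one filter/rule as shown in the provider's UI."""
    name: str
    from_contains: str = ""
    subject_contains: str = ""
    forward_to: str = ""
    delete: bool = False
    mark_read: bool = False
    skip_inbox: bool = False
    move_to: str = ""


# Constructed rules: one the owner made, three that match the warning signs.
SAMPLE_RULES = [
    Rule("Newsletters", from_contains="news@vendor.example",
         skip_inbox=True, move_to="Newsletters"),
    Rule(".", subject_contains="password reset", delete=True, mark_read=True),
    Rule("Backup", forward_to="forward-target@external.example", mark_read=True),
    Rule("Sync", subject_contains="invoice", move_to="RSS Feeds", mark_read=True),
]


def is_external(address, owner_domain=OWNER_DOMAIN):
    """True when a forwarding target is outside the owner's own domain."""
    return "@" in address and not address.lower().endswith("@" + owner_domain.lower())


def audit_rules(rules, owner_domain=OWNER_DOMAIN):
    """Return (rule name, [reasons]) for every rule that deserves a look."""
    findings = []
    for rule in rules:
        reasons = []
        conditions = f"{rule.from_contains} {rule.subject_contains}".strip().lower()
        sensitive = any(term in conditions for term in SENSITIVE_TERMS)
        # Any action that keeps the message out of sight counts as hiding it.
        hides = (rule.delete or rule.mark_read or rule.skip_inbox
                 or rule.move_to.lower() in QUIET_FOLDERS)
        if rule.forward_to and is_external(rule.forward_to, owner_domain):
            reasons.append(f"forwards matching mail to external address {rule.forward_to}")
        if sensitive and hides:
            reasons.append(f"hides or deletes security/financial mail matching '{conditions}'")
        elif rule.delete and not conditions:
            reasons.append("deletes every incoming message (no condition)")
        if not rule.name.strip(" .-_"):
            reasons.append("rule has no meaningful name")
        if reasons:
            findings.append((rule.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"Rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The owner's own "Newsletters" rule is not reported because it touches nothing sensitive, while the other three are: one deletes password-reset mail, one forwards everything off the domain, and one tucks invoices into a folder that is never read. The same three questions (where does it send mail, what does it hide, and does it have a name you gave it) are what to ask of every filter in your settings, whatever provider you use.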
What is the first thing I should do if I suspect my email is compromised?
Go to account security settings immediately and review active sessions. Sign out all devices you don’t recognize. Then change your password and enable two-factor authentication before doing anything else. Speed matters — the longer an attacker has access, the more damage they can do.
How do attackers use a compromised email account?
Common uses include: resetting passwords for your banking or social media accounts (since “forgot password” emails go to your inbox), impersonating you to scam your contacts, setting up email forwarding to monitor your communications long-term, and harvesting personal information for identity theft.
Should I delete a compromised email account and start fresh?
Only as a last resort. Most compromised accounts can be fully secured and recovered. Deleting creates its own problems — you lose years of emails and contacts, and if you had accounts registered under that email, resetting access becomes complicated. Secure the account first; delete only if recovery is impossible.
Can two-factor authentication prevent my email from being compromised?
Two-factor authentication (2FA) stops the vast majority of unauthorized login attempts, even when your password has been stolen. However, it doesn’t prevent phishing attacks that trick you into entering your 2FA code in real time, or SIM-swapping attacks that redirect your SMS codes. An authenticator app (like Google Authenticator or Authy) is significantly more secure than SMS-based 2FA.
About This Article
Written and reviewed by the Sites Security Services editorial team. Our content is researched using AI-assisted tools and reviewed for accuracy before publication. We are committed to practical, jargon-free cybersecurity guidance for everyday internet users — with no products to sell and no data stored after your session.