- How to protect yourself when using email
- How to reduce spam and malicious email
- Suspicious email in your inbox
- Protect your email accounts with multi-factor authentication
- How to check your email account security - Outlook, Outlook.com, Microsoft 365, Live, Hotmail, and MSN
- How to check your email account security - Gmail
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
Email continues to be a popular medium for cybercriminals targeting people with scams, phishing and malicious software (malware).
You need to know how to detect potentially suspicious messages and the steps you can take to protect yourself.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
Cybercriminals use email to carry out a range of threats. To some degree these threats all work the same way and rely on exploiting the same human weaknesses.
A number of different threats use email for their success, including malware, phishing and different types of scams. These threats work as follows:
-
- You receive a message that contains an appeal or threat, and the message tries to convince you to do something.
-
- You assess the characteristics of the message, decide the appeal is legitimate and take the requested action.
- The action, which might be clicking a malicious link, opening a malicious file or sending sensitive information like credit card details, results in a negative consequence for you as the receiver of the message and some kind of illegitimate gain for the sender of the message.
Social engineering makes it harder to spot malicious emails
Cybercriminals use a technique called ‘social engineering’ as a way of enticing and manipulating people. They use tricks to lower your natural defences against deception, for example by pretending to be someone you trust, or by making a highly attractive offer.
Cybercriminals are putting more time, effort and money towards researching targets to learn names, titles, responsibilities, and any personal information they can find. Afterwards, they usually call or send an email with a made up but believable story designed to convince the person to give them certain information.
Social media accounts provide rich information such as events, conferences and travel destinations, which can be used to make an approach seem real and accurate. So consider what personal information you share online and learn how to use social media safely.
Note: Social networking sites typically allow you to choose who has access to see your personal details. Consider hiding your email account or changing the settings so that only people that you trust are able to see your details.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
Electronic junk mail is commonly known as spam. These are electronic messages you may not have asked for, sent to your email account, mobile phone number, or instant messaging account.
The content of spam messages varies. Some messages promote legitimate products or services, while others will attempt to trick you into following a link to a scam website where you will be asked to enter your bank account or credit card details.
The best way to protect yourself from malicious email is to stop it from reaching you. That way, there’s no chance it can influence you into doing something you might regret.
-
Don’t share your email address online unless you need to, and consider setting up a separate email address just to use for online forms or shopping.
-
As much as possible, have separate email accounts for personal and business use.
-
Use a spam filter to catch these messages before they get to your inbox. Most modern email systems have reasonably effective spam filters to prevent spam appearing in your inbox. If you’re not sure, ask your internet service provider.
-
Delete spam messages without opening them.
Other steps you can take to limit spam
-
Before using your email address online, read the website privacy policy – it will tell you how they will use the personal information you provide.
-
When you sign up for an online account or service, be aware of default options to receive additional emails about other products and services.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
Cybercriminals can be clever and some messages might still make it through to your inbox. Here’s how to protect yourself from these malicious messages.
To protect yourself from these malicious messages:
-
Don’t open messages if you don’t know the sender, or if you’re not expecting them.
-
Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
-
Don’t reply to or forward chain letters you receive by email.
-
Think carefully before clicking on links or opening attachments.
-
If a message seems suspicious, contact the person or business separately to check if they have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message.
-
Before you click a link, hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video, or webpage without directly clicking on the suspicious link.
-
Ensure you have up-to-date anti-virus software installed on any device used to access email.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
Many web email service providers like Google, Microsoft and Yahoo provide multi-factor authentication (also known as two-factor authentication) for extra security of account data.
How does it work? Typically it is a two-step process where a user must provide more than one type of proof that they are authorised before they can access an account. For example, you might need to provide a password as well as a second form of identification, like a code sent to a mobile phone that is registered with your account.
Mult-factor authentication makes it more difficult for someone else to sign into your email account. Even if someone finds your password, they would be stopped from getting into your account unless they have the second form of identity. This security feature is also available for other systems, for example, when banking online or accessing government services online such as myGov.
Where possible, we recommend you turn on multi-factor authentication for your accounts.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
This step-by-step guide will explain how to check the security of your email account for Outlook.com, Microsoft 365, Live, Hotmail, and MSN on your desktop.
Checking your email account security #
Email is a common target for cybercriminal activity. If someone gains unauthorised access to your email account, they can access your private communications. A cybercriminal could steal your sensitive information, or even commit fraud and send emails pretending to be you.
After any email security incident you should review the security on your account, even if you are not sure that you have been hacked.
Reviewing your account security will help you to identify intruders, regain control of your account, and help prevent cyber attacks in the future.
Step 1: Change your password
If you are concerned that your email account has been hacked, it is important to login to your account as soon as possible. Once logged in, you will be able to disrupt the hacker’s access and regain control of your account.
If you have forgotten your email password, please skip to Step 1A to recover your account.
Changing your password is important when investigating the security of your email account. If a hacker knows your password, changing your password will slow them down and make it harder for them to get access to your account.
1. Visit https://account.microsoft.com and enter your email address and click Next.
2. Enter your password.
3. Once logged in, click on Profile icon (top right) and then click on My Microsoft Account or My Account.
4. On the top menu bar, click on Security.
5. Under Security Basics, on the Password Security tile, click on Change my password.
6. Enter your current password, your new password, confirm and click Save. By changing your password, all other sessions will be prompted for the new password. However, this does take a few minutes.
When choosing a new password, consider creating a passphrase. A passphrase uses four or more random words as your password, which is hard for cybercriminals to hack but easy for you to remember. Find more information on creating strong passphrases.
After you have reset your password, skip to Step 2: Update your account recovery details.
Step 1A: Recover your account
Recovery of your account is only required if you do not remember your email password. Note that this recovery process will require you to confirm your identity by providing either your phone number or recovery email address.
1. Visit https://account.microsoft.com and enter your email address and click Next.
2. Click Forgot password.
3. If you have access to an external Email or Mobile phone to receive the recovery code, click on the appropriate method and proceed to Step 4 of 1A.
If you don’t have access to any of these click on I don’t have any of these and proceed to Step 5 of 1A.
4. If you have a recovery code, enter it and click Use recovery code. Proceed to Step 2: Update your account recovery details (page 10).
5. If you do not have any recovery accounts of a recovery code, click on No which will begin the application process to recover your email address.
You may be required to provide an alternative email address to which a recovery code/email will be sent to and to complete an audio or visual CAPTCHA.
Provide as much information as possible as this will help you recover your account.
It may take several days or weeks to receive an outcome as your request is reviewed.
Step 2: Update your account recovery details
In some cases, a cybercriminal might change the recovery details of hacked accounts. They can use this as a back door to regain access to the hacked account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address orrecovery mobile phone.
1. Click on your Profile in the top right corner and click on My Microsoft Account or My Account.
2. Click on Security in the Top menu bar. You may have to enter your password again to verify you can make changes to sensitive info.
3. Under Security Basics, on the Advanced security options or Security contact info tile, click Get started or Update my info.
4. Review the recovery details and click Remove for any security contact info you want to remove.
Note – if only one recovery mechanism is listed, and it is the one you want to delete, you will need to add a valid recovery mechanism first.
To do this click Add Security info. For Outlook this can either can be a mobile number or an alternative email address.
Step 3: Sign out of all other sessions
Cybercriminals may be logged in to your email account. By signing out of all sessions, you will remove the cybercriminal’s access to your emails.
1. Click on your Profile icon in the top right corner and click on My Microsoft Account or My Account.
2. Click on Security in the top menu bar. You may have to enter your password again to verify you can make changes to sensitive info.
3. Under Security Basics, on the Advanced security options or Security contact info tile, click Get started or Update my info.
4. Scroll down to Sign me out and click on the Sign me out button. You will be prompted again to confirm whether
or not you want to sign out. Click Sign me out.
Note that all account sessions on all browsers and devices will be signed out within 24 hours. Once completely signed out of all sessions and devices, sign back in again using your device to continue securing your Microsoft account.
Step 4: Enable multi-factor authentication
Turning on multi-factor authentication (MFA) is the most important defence against hackers gaining access to your Microsoft account.
MFA makes it harder for criminals to gain initial access to your device, account and information by making them jump through more security hoops and additional authentication layers, requiring extra time, effort and resources.
For a more detailed set of instructions, see the ACSC’s Step-by-Step guide Turning on Two-Factor Authentication – Microsoft Accounts.
Step 5: Check account mail settings
Hackers will sometimes set up forwarding rules to send themselves a copy of emails coming in or leaving your account. You should check your account to see if anyone has set up forwarding rules and delete any you don’t recognise.
1. Click on the Settings (cog icon) in the top right corner.
2. Scroll down and click on View all Outlook settings.
3. In the Mail side bar menu, click on Rules in the sub-menu and view all the rules. To remove any rules, click the delete icon (trash icon) and click OK.
4. Check to see if any of your emails are being accessed by any suspicious external email clients or applications via POP or IMAP1. These are two methods used to access your email externally.
Click on Sync Email in the sub-menu and scroll down to view POP and IMAP. These should either be disabled or refer to a Server relating to Outlook or Microsoft Office.
5. From here you can check to see if any of your emails are being forwarded to another account.
Click on Forwarding in the sub-menu, check the Enable Forwarding is unticked, or if forwarding is turned on, it is to an account you expected.
If forwarding is turned on to an account you don’t recognise then turn it off by unticking the box.
6. To use “Manage how you sign in to Microsoft” to see if there are any unusual account aliases still associated to your account, first go to My Microsoft Account or My Account.
7. Then click on Your info.
8. Then go to Manage how you sign in to Microsoft.
9. Here, you will be able to manually remove any suspicious email addresses or phone numbers by clicking the Remove button.
Step 6: Check third party application access
Have you ever linked your Microsoft or Xbox Live account to a third party service?
Many websites and applications opt for this method to create a new user account without having to directly request this information from the user. However, the connection this creates between your Microsoft account and the website/application is a common way for hackers to gain access to your email account, without needing
your login credentials.
Check if there are any apps or services that have access to your account and remove any that you don’t recognise.
1. Click on your Profile icon (top right), click on My Microsoft Account or My Account.
2. Click on Privacy in the top menu bar.
3. Scroll down to Other Privacy options and under Apps and Services, click on Apps and Services that can access your data.
4. This lists all the apps that can access data related to your account.
Click Edit, then click Remove these permissions for any that you didn’t configure yourself.
Step 7: Check login activity
Your login activity is a history of when and where someone has logged into your email account. Regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations.
1. Click on your Profile icon (top right), click on My Microsoft Account or My Account.
2. Click on Security in the top menu bar. You may have to enter your password again to verify you can make changes to sensitive info.
3. Under Security Basics, on the Sign-in activity tile, Click View my activity.
4. Here you can check the time and location of the logins into your account to verify that your email account has not been accessed at unusual times or from unusual locations.
If you see any suspicious activity since your last password change, click on the drop down arrow for that session and click Secure your account to change your password. Consider using a unique strong passphrase as your password. Here are some things to consider to help you identify suspicious activity:
• The Device/platform – is this a device you are familiar with or own?
• The Browser/app – is this something you use?
• The Date/Time – does the login date and time seem out of the ordinary?
• The IP address – was the login from a country you are familiar with?
Note that if you do go ahead and Secure your Account, you will need to verify your identity and change your password.
This will also automatically log you out of all other existing sessions.
Step 8: Check your email folders, devices and other accounts
Check email folders
Once you have made sure only authorised persons have access to your email account, you may want to consider checking your email folders, specifically your sent and deleted items. This will help you assess what actions a cybercriminal has taken if they accessed your account.
1. To check sent items, click on Sent items in the side menu.
Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent.
Compare any unusual activity times with the time the email was sent. Check login activity (page 20) every time you become aware that a criminal contacted someone from your email account.
2. To check deleted items, click on Deleted items in the side menu. You can recover deleted items by clicking on Recover items deleted from this folder.
Undertake the same steps taken for your other folders, especially Drafts, Spam and other folders.
Run a malware scan
Malware is any software that is specifically designed to disrupt, damage or gain unauthorised access to a device. Use a malware scanning tool to find and remove any malware detected.
1. Do this using the malware scanning tool on your device. You may already have a malware scanning tool that came with your device. If you don’t know the name of your malware scanning tool, you can search for it.
2. Type the name of the malware scanning tool. Or press the Windows key on your keyboard for Windows 10 and start typing. Suggested search terms: Antivirus, Microsoft Defender.
3. Once you have found your malware scanning tool, follow the instructions to run a scan and delete any malware identified.
While in progress, take notes or photos of any suspicious software applications, files, pop-ups or other key details you encounter.
For more information for Windows 10 users, read the ACSC’s Step-by-Step guide Performing a malware scan using Microsoft Defender Antivirus for Windows 10
Check other linked accounts
If someone has hacked into your email account, they may have tried to reset passwords for other online accounts that are linked to that email address. These could be banking and finance, social media, or other accounts.
If you used the same password or passphrase for your email account and any other accounts, these may be no longer secure. Enable multi-factor authentication where possible on these accounts, and consider changing the passwords to unique strong passphrases.
There are potential risks involved in doing things online, but being aware of the threats and making smart choices can help you reduce the risk.
This step-by-step guide will explain how to check the security of your email account for Gmail on your desktop.
Checking your email account security #
Email is a common target for cybercriminal activity. If someone gains unauthorised access to your email account, they can access your private communications. A cybercriminal could steal your sensitive information, or even commit fraud and send emails pretending to be you.
After any email security incident you should review the security on your account, even if you are not sure that you have been hacked.
Reviewing your account security will help you to identify intruders, regain control of your account, and help prevent cyber attacks in the future.
Step 1: Change your password
If you are concerned that your email account has been hacked, it is important to login to your account as soon as possible. Once logged in, you will be able to disrupt the hacker’s access and regain control of your account.
If you have forgotten your email password, please skip to Step 1A to recover your account.
Changing your password is important when investigating the security of your email account. If a hacker knows your password, changing your password will slow them down and make it harder for them to get access to your account.
1. Once logged in, click on Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side of the screen, click Security.
3. Scroll down and click Password. Enter your current password and select a new password.
When choosing a new password, consider creating a passphrase. A passphrase uses four or more random words as your password, which is hard for cybercriminals to hack but easy for you to remember. Find more information on creating strong passphrases.
After you have reset your password, skip to Step 2.
Step 1A: Recover your account
Recovery of your account is only required if you do not remember your email password. Note that this recovery process will require you to confirm your identity by providing either your phone number or recovery email address.
1. Visit www.gmail.com and enter your email address.
2. Click Forgot password?
3. One option to recover your password is to enter the last password you remember using. If you cannot remember a password, click Try another way. Carefully follow the account recovery process and instructions.
Please note that this process will be different from person to person depending on what security measures you have set up. Some account recovery methods may include:
• Providing a code from your MFA app
• Providing a verification code sent to your alternative recovery email address
• Providing a code sent to your mobile phone via SMS
• Inputting the last password you remember
Step 2: Update your account recovery details
In some cases, a cybercriminal might change the recovery details of hacked accounts. They can use this as a back door to regain access to the hacked account even after you have changed your password. Be sure to check your account recovery details are linked to either a recovery email address or recovery mobile phone.
1. From the home screen, click on the Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side, click Personal info.
3. Scroll down to the section labelled Contact info.
You can now change your Recovery Email and your Recovery Mobile.
It is important these are changed to new or known email accounts or devices you can access. To change your email, click on Email.
4. Click Recovery email. You will be prompted to re-enter your password for Google to ensure it is you making the changes. You will only be able to choose your Recovery Email once your password has been re-entered.
5. Google will use your recovery email to reach you if unusual activity is detected or you are accidentally locked out. Click the pencil icon. A prompt will open where you can add or update your recovery email.
6. Go back to the Email recovery page (Step 4), and click Advanced.
7. From the options that have appeared, click Alternative emails. It is important you check no unknown or suspicious accounts are listed, as a criminal may use these to access your account. Remove all alternative email accounts to ensure that an alternative email account has not been hacked and is being used to access your email account.
8. To change your phone number, click Phone. You will be prompted to re-enter your password for Google to ensure it is you making the following changes. You will only be able to choose your Recovery Phone number once your password has been re-entered.
9. Google will use your recovery mobile number to reach you if unusual activity is detected or you are accidentally locked out. Click the pencil icon. A prompt will open where you can add or update your recovery mobile number.
Step 3: Sign out of all other sessions
Cybercriminals may be logged in to your email account. By signing out of all sessions, you will remove the cybercriminal from having access to your emails.
To sign out of all sessions, you will need to change your password. If you have already changed your password in Step 1, then you have already completed this step.
If you have not yet changed your password, instructions on how to do this can be found in Step 1.
Step 4: Enable Multi-factor Authentication
Turning on multi-factor authentication (MFA) is the most important defence against hackers gaining access to your Google account.
MFA makes it harder for criminals to gain initial access to your device, account and information by making them jump through more security hoops and additional authentication layers, requiring extra time, effort and resources.
For a more detailed set of instructions, see the ACSC’s Step-by-Step guide Turning on Two-Factor Authentication – Gmail
Step 5: Check account mail settings
Hackers will sometimes set up forwarding rules to send themselves a copy of emails coming in or leaving your account. You should check your account to see if anyone has set up forwarding rules and delete any you don’t recognise.
1. From your inbox, click the Settings icon (cog) and click See all settings.
2. Click the Forwarding and POP/IMAP tab to the right at the top of the page.
POP and IMAP are protocols that allow emails to be accessed through other applications like Apple Mail and Mozilla Thunderbird. Cybercriminals sometimes use these as another method of accessing your account, as it can allow them to bypass some security controls like MFA.
3. Make sure there are no forwarding rules, that POP is disabled, and that IMAP is disabled. This will prevent the criminal who may be forwarding incoming emails, or accessing your account from an app that is logged in. Click Save changes when finished.
4. From the tabs at the top, click the Filters and blocked addresses tab.
5. Check that no unfamiliar filters being applied to incoming emails, or that there are any unusual email accounts that are being blocked. Delete any of these unfamiliar filters or email accounts.
A criminal may have set these up to hide emails from you, especially if customers or contacts have become suspicious and tried to reach out to you.
Step 6: Check third party application access
Have you ever logged into another application or website using your email account, sometimes without needing to put in your password? Many websites and applications opt for this method to create a new user account without having to directly request this information from the user. However, the connection this creates between your email account and the website/application is a common way for hackers to gain access to your email account, without needing your login credentials.
Check if there are any apps or services that have access to your account and remove any that you don’t recognise.
1. Once logged in, click on Profile icon (top right) and then click on Manage your Google Account.
2. From the list on the left side of the screen, click Security.
3. Scroll down to Third-party apps with account access and click Manage third-party access.
4. Scroll down and click Google Account sign-in prompts to ensure the toggle is turned off. Then click the apps listed.
5. It is important to reduce the access by third-party apps to your email account. If a criminal has hacked a third-party app, they may be able to use it to enter your email account.
Click REMOVE ACCESS for each app listed that you didn’t configure yourself. If you’re not sure what apps that might be, remove those you’re not sure about as
they can be reconfigured later if required.
Step 7: Check login activity
Your login activity is a history of when and where someone has logged into your email account. As a good practice, regularly review your login activity to check if your email account has been accessed at unusual times or from unusual locations. By doing so, you will be able to pick up on anything suspicious.
1. From your inbox, go to the bottom right hand corner and click Details.
Here you can check the time and location of the logins into your account to verify that your email account has not been accessed at unusual times or from unusual locations.
If you see any suspicious activity since the last time you changed your password, change your password to a unique strong passphrase immediately.
Here are some things to consider to help you identify suspicious activity:
• The Access Type – is this a device/ browser/application you are familiar with, use or own?
• The Location (IP address) – was the login from a country you are familiar with?
• The Date/Time – does the login date and time seem out of the ordinary?
Step 8: Check your email folders, devices and other accounts
Check email folders
Once you have made sure only authorised persons have access to your email account, you may want to consider checking your email folders, specifically your sent and deleted items. This will help you assess what actions a cybercriminal has taken if they accessed your account.
1. From your inbox, click Sent (triangle icon) to view your sent emails.
Search for emails that you did not send and take note of the recipient, whether attachments were included, what the email was requesting, and when it was sent.
Compare any unusual activity times with the time the email was sent. Verify login records every time you become aware that a criminal contacted someone from your email account.
2. Under the Sent folder on the right, click More to make more folders visible.
3. Undertake the same steps taken for your other folders, especially Drafts, Spam and Bin folders. Verify login records every time you become aware that a criminal
contacted someone from your email account.
Run a malware scan
Malware is any software that is specifically designed to disrupt, damage or gain unauthorised access to a device. Use a malware scanning tool to find and remove any malware detected.
1. Do this using the malware scanning tool on your device. You may already have a malware scanning tool that came with your device. If you don’t know the name of your malware scanning tool, you can search for it.
2. Type the name of the malware scanning tool. Or press the Windows key on your keyboard for Windows 10 and start typing. Suggested search terms: Antivirus, Microsoft Defender.
3. Once you have found your malware scanning tool, follow the instructions to run a scan and delete any malware identified.
While in progress, take notes or photos of any suspicious software applications, files, pop-ups or other key details you encounter.
For more information for Windows 10 users, read the ACSC’s Step-by-Step guide Performing a malware scan using Microsoft Defender Antivirus for Windows 10
Check other linked accounts
If someone has hacked into your email account, they may have tried to reset passwords for other online accounts that are linked to that email address. These could be banking and finance, social media, or other accounts.
If you used the same password or passphrase for your email account and any other accounts, these may be no longer secure. Enable multi-factor authentication where possible on these accounts, and consider changing the passwords to unique strong passphrases.
