What are some immediate response guidelines in case of email compromises?

Published on September 25, 2024

Sapientia (Spent) Thomas
Ballston Spa, United States

Email compromises are scary. Here are 10 steps to take immediately after you suspect or recognize that your email account, or one within your organization, is compromised:

Immediate Steps (Do these before reading Part II):

1. Change The Account Password Immediately

  • Check whether you are still logged into your email account online and change your password immediately. Check the links at the bottom of this article for how-to documents for the most common email providers.
  • If you have administrative access to Google or MS365, force a sign-out of all sessions for that user’s account and then change the password a second time. If bad actors are signed into the account, this ends their session, and the old password they hold no longer works.

2. Enable Two-Factor Authentication (2FA)

  • If you haven’t yet enabled 2FA, enable it now so that whoever is in your account cannot remain signed in.
Important: Check the recovery email address and phone numbers. If they are incorrect or were changed in the last 12 hours, remove them and correct the contact information before continuing.
  • If 2FA is already enabled and you still have access to your account, go to the account security settings, remove all 2FA devices, and re-register them. You may need to use the account recovery contact information to re-register and reset 2FA on the account.

Part II: Clean Up & Secure Information

3. Check For Email Forwarding

  • Bad actors set up email forwarding rules so that every message sent to or from your account is also routed to an address they control, letting them intercept information. Check for forwarding rules at the account level of MS365 and Google accounts through the web and administration portals, not in the local desktop versions of Outlook or the Mail app, which do not show rules stored on the server.

4. Check Sent Items

  • Review your Sent Items for suspicious emails that look like spam or that you know you did not send yourself. If spam has gone out, note when the emails were sent and their content or subject line. This information will help you notify others and quickly identify any further spam sent from the account.

5. Notify Contacts

  • If spam emails were sent, notify the recipients of the specific spam subject line if possible. Suggest that they use caution with any links and reach out to you personally to verify an email they suspect is fraudulent. Always alert internal staff and any vendors. If necessary, alert any clients that may have been affected as well. Many companies are hesitant to notify others, but by not doing so you put their information at risk. In cases of compromise, honesty is the best policy: your vendors and clients will appreciate the transparency, and it helps mitigate further risk to clients and partners.

6. Scan for Malware or Viruses

  • If you don’t have antivirus software, purchasing and installing a product that scans PCs for malware and viruses is a good idea. Scan every device you use (PCs, tablets, and smartphones) to confirm they are free of malware that may have contributed to the compromise or may have been installed during it. If you don’t have AV, you can run a quick scan in Microsoft Defender as a baseline security measure.

7. Review Linked Accounts

  • Any account linked to the compromised email also requires review and action. Bank accounts, software and cloud applications, and any other account that uses the compromised email as part of its login or recovery method are at risk, especially if that account’s password is the same as or similar to the compromised email account’s password.
  • Quickly review every account linked to the compromised account and change all of their passwords. Remember to enable 2FA on those accounts if needed, and review their contact or recovery information to ensure it hasn’t been changed.

8. Monitor for Suspicious Activity

  • Lastly, closely monitor the compromised account and any linked financial accounts for the next 15-30 days. Routinely check your Sent Items to ensure no spam or suspicious emails are going out, use the user login audits in Google and Microsoft Entra to track any attempts hackers make to re-access the account, and closely track financial account activity so fraudulent charges can be reported quickly. You can also pre-emptively alert your banks to watch for suspicious activity and freeze your business credit as a safeguard.
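Steps 3 and 8 above both come down to reviewing exported account data for a handful of conditions: rules that forward or redirect mail outside the organisation, and sign-ins from addresses you have never seen before. The following script is an added example, not part of the article; the record layout, the domain `example.com`, and the rule and sign-in samples are all constructed assumptions, loosely modelled on what the MS365 and Google admin portals export.

```python
from datetime import datetime, timedelta
ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
SAMPLE_NOW = "2024-09-25T12:00:00Z"  # constructed "current time" for the sample data
# Constructed sample of the mailbox's inbox rules, loosely modelled on an admin-portal export.
SAMPLE_RULES = [
    {"name": "Invoices to AP", "enabled": True, "forward_to": ["ap@example.com"], "redirect_to": []},
    {"name": ".", "enabled": True, "forward_to": [], "redirect_to": ["mail.archive@attacker.example"]},
    {"name": "Old newsletters", "enabled": False, "forward_to": ["me@attacker.example"], "redirect_to": []},
]

# Constructed sample of sign-in audit events for the same account (UTC timestamps).
SAMPLE_SIGNINS = [
    {"time": "2024-09-20T08:02:00Z", "ip": "203.0.113.10", "result": "success"},
    {"time": "2024-09-24T23:41:00Z", "ip": "198.51.100.77", "result": "success"},
    {"time": "2024-09-25T01:15:00Z", "ip": "198.51.100.77", "result": "failure"},
    {"time": "2024-09-25T03:30:00Z", "ip": "198.51.100.77", "result": "failure"},
    {"time": "2024-07-01T10:00:00Z", "ip": "192.0.2.5", "result": "success"},  # older than the window
]

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_external(address: str) -> bool:
    """True when the address is not on the organisation's own domain."""
    return not address.lower().endswith("@" + ORG_DOMAIN)

def suspicious_rules(rules):
    """Names of enabled rules that forward or redirect mail to an external address (step 3)."""
    flagged = []
    for rule in rules:
        if rule["enabled"] and any(is_external(t) for t in rule["forward_to"] + rule["redirect_to"]):
            flagged.append(rule["name"])
    return flagged

def unfamiliar_signins(events, known_ips, now_ts, window_days=30):
    """Success/failure counts per IP for sign-ins inside the window from IPs not in the baseline (step 8).
    Failures from an unknown IP are kept on purpose: they show attempts to get back into the account."""
    since = parse_ts(now_ts) - timedelta(days=window_days)
    counts = {}
    for event in events:
        if parse_ts(event["time"]) < since or event["ip"] in known_ips:
            continue
        per_ip = counts.setdefault(event["ip"], {"success": 0, "failure": 0})
        per_ip[event["result"]] += 1
    return counts

if __name__ == "__main__":
    print("Rules forwarding outside the org:", suspicious_rules(SAMPLE_RULES))
    print("Sign-ins from unfamiliar IPs:", unfamiliar_signins(SAMPLE_SIGNINS, {"203.0.113.10"}, SAMPLE_NOW))
```

Disabled rules are skipped, and the baseline of known IPs is whatever the user's normal sign-in history shows; an unknown IP with a successful sign-in is the finding that warrants another forced sign-out and password change.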