Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Actions On: Email Account Hacked

Use this drill when an email account shows signs of compromise: messages the owner did not send, unexpected forwarding or inbox rules, sign-ins from unfamiliar locations or devices, or contacts reporting odd emails that appear to come from the account.

Purpose: This drill is designed for small organisations without a dedicated cyber team.

Immediate actions

  1. Change the account password from a trusted device (not one that may itself be compromised), and change it anywhere else the same password was used.
  2. Sign out all active sessions and revoke app passwords and connected-app tokens: a password change on its own does not always end a session the attacker already holds.
  3. Enable MFA, or re-register it if the attacker may have added a method of their own; remove any MFA device or phone number you do not recognise.
  4. Check forwarding settings, inbox rules, delegates, connected third-party apps and auto-replies. Attackers add these to keep reading mail after the password changes and to hide messages about invoices, payments or the compromise itself.
  5. Review sent and deleted items for messages the owner did not send, including messages to customers, suppliers and the finance team.
  6. Warn contacts if fraudulent emails may have been sent, especially anything about payment or bank details, and do so from a channel other than the compromised mailbox.
  7. Record the timeline: when the activity was first noticed, what was found, what was changed, and by whom.
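The checks in steps 4 and 7 above are easier to do consistently with a small script than by eye. The following is an added example, not code from the Actions On drill or from any email provider; it assumes the mailbox settings, inbox rules and sign-in log have already been exported (from whatever admin console is in use) into the plain dict shapes shown, and the organisation's domain, expected sign-in countries, approved delegates and the sample data are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions for this added example: the organisation's own domain, the
# countries staff normally sign in from, and the delegates that are approved.
INTERNAL_DOMAINS = {"example.org"}
EXPECTED_COUNTRIES = {"GB"}
APPROVED_DELEGATES = {"assistant@example.org"}

# Folders and subject keywords commonly seen in attacker-created rules: mail is
# hidden in folders nobody reads, and messages about invoices, payments or the
# compromise itself are intercepted before the owner sees them.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "deleted items", "archive"}
SUSPECT_KEYWORDS = {"invoice", "payment", "password", "bank", "wire",
                    "hacked", "phishing", "suspicious"}


def _external(address):
    """True when an address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule):
    """Reasons one inbox rule looks like attacker persistence ([] if none)."""
    reasons = []
    if len(rule.get("name", "").strip()) <= 2:   # ".", "..", "" are typical
        reasons.append("rule name is blank or a single character")
    for addr in rule.get("forward_to", []):
        if _external(addr):
            reasons.append(f"forwards to external address {addr}")
    if rule.get("delete_message"):
        reasons.append("silently deletes matching messages")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in SUSPECT_FOLDERS:
        reasons.append(f"moves messages to rarely read folder '{folder}'")
    hits = sorted({w.lower() for w in rule.get("subject_contains", [])} & SUSPECT_KEYWORDS)
    if hits:
        reasons.append("matches finance/security keywords: " + ", ".join(hits))
    return reasons


def mailbox_findings(mailbox):
    """Mailbox-level checks: forwarding, delegates, auto-reply, then every rule."""
    reasons = []
    fwd = mailbox.get("forwarding_address")
    if fwd and _external(fwd):
        reasons.append(f"mailbox forwards to external address {fwd}")
    for delegate in mailbox.get("delegates", []):
        if delegate not in APPROVED_DELEGATES:
            reasons.append(f"unapproved delegate {delegate}")
    auto_reply = (mailbox.get("auto_reply") or "").lower()
    if any(k in auto_reply for k in ("bank", "account", "payment", "invoice")):
        reasons.append("auto-reply text mentions payment or account details")
    for rule in mailbox.get("rules", []):
        for reason in rule_findings(rule):
            reasons.append(f"rule '{rule.get('name', '')}': {reason}")
    return reasons


def signin_findings(events, max_travel_hours=2):
    """Flag successful sign-ins from unexpected countries and impossible travel."""
    reasons = []
    prev = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue  # a failed attempt does not place the user anywhere
        stamp = f"{ev['time']:%Y-%m-%d %H:%M}"
        if ev["country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"{stamp} sign-in from {ev['country']} ({ev['ip']})")
        if (prev and prev["country"] != ev["country"]
                and ev["time"] - prev["time"] < timedelta(hours=max_travel_hours)):
            reasons.append(f"{stamp} impossible travel {prev['country']} -> {ev['country']}")
        prev = ev
    return reasons


def triage(mailbox, signins):
    """Run both checks; an empty result does not prove the account is clean."""
    return {"mailbox": mailbox_findings(mailbox), "sign-ins": signin_findings(signins)}


# Constructed sample data for the example, not a real export or log.
SAMPLE_MAILBOX = {
    "forwarding_address": "mail-backup@outlook-archive.example.net",
    "delegates": ["assistant@example.org", "temp.user@example.org"],
    "auto_reply": None,
    "rules": [
        {"name": "Newsletters", "move_to_folder": "Reading", "subject_contains": ["digest"]},
        {"name": ".", "subject_contains": ["invoice", "payment"],
         "move_to_folder": "RSS Subscriptions", "delete_message": False},
        {"name": "..", "forward_to": ["x@gmail.example.com"], "delete_message": True},
    ],
}
SAMPLE_SIGNINS = [
    {"time": datetime(2024, 3, 4, 8, 5), "ip": "203.0.113.10", "country": "GB", "result": "success"},
    {"time": datetime(2024, 3, 4, 9, 12), "ip": "198.51.100.7", "country": "NG", "result": "success"},
    {"time": datetime(2024, 3, 4, 9, 20), "ip": "198.51.100.7", "country": "NG", "result": "failure"},
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_MAILBOX, SAMPLE_SIGNINS).items():
        print(section)
        for item in items:
            print("  -", item)
```

On the sample data the script flags the external forwarding address, the unapproved delegate, both short-named rules (one hiding invoice and payment mail in RSS Subscriptions, one forwarding externally and deleting the original) and a sign-in from an unexpected country 67 minutes after a UK sign-in. Its output is the start of the timeline in step 7: each finding is something to screenshot or export before it is removed.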

Do not

  • Do not delete suspicious messages, rules or logs before they have been captured (screenshots or exports).
  • Do not ignore it because nothing appears to have happened: attackers often read quietly for weeks before sending a fraudulent invoice.
  • Do not reuse the old password, or one already used on another service.
  • Do not delay reporting because it feels embarrassing.

Escalate if

  • Money, customer data, staff data or business-critical services may be affected.
  • You suspect criminal fraud or unauthorised access.
  • You are unsure what has been exposed.

After-action review

  • Was reporting simple?
  • Was MFA enabled?
  • Were roles clear?
  • What control would reduce the chance of this happening again?

Note: Practical guidance only. Seek specialist support where personal data, money loss or criminal activity may be involved.