If your email account has been hacked, move carefully. Email is often the recovery key for everything else: banking alerts, myGov notices, Microsoft 365 files, Google Drive, invoices, social media, shopping accounts, password resets, and client messages.
For Sydney homes and small businesses, the goal is not only to get back into Outlook, Gmail, or Microsoft 365. You also need to remove the attacker's ongoing access, check whether mail was forwarded or deleted, protect other accounts, and understand whether anyone else was affected.
| Situation | First priority | Extra check |
|---|---|---|
| You can still sign in | Use a clean device, change the password, and review security settings | Remove unknown devices, apps, forwarding, filters, and MFA methods |
| You cannot sign in | Start the provider's official recovery flow | Use a separate working email and avoid recovery links from random search ads |
| Friends received strange emails from you | Secure the account before replying from it | Warn contacts not to open links or pay invoices |
| Business mailbox sent invoice changes | Treat it as possible business email compromise | Check sign-ins, mailbox rules, payment changes, and affected customers |
| Password was reused elsewhere | Change those accounts from a clean device | Start with banking, email, cloud storage, social, and password managers |
| A scammer remotely accessed the computer | Disconnect and assess the device before trusting it | Remove remote-access tools and scan for malware |
Step 1: Work from a clean device
If you suspect the computer or phone is infected, do not use it to reset your email password. Use a trusted device that is fully updated, or ask a trusted support person to help. Microsoft advises checking for malware before changing the password on a compromised Microsoft account, because a compromised device can capture the new password as soon as you type it.
This matters after fake support calls, browser pop-ups, downloaded "security" tools, or unexpected remote-access sessions. Disconnect the affected device from the internet if someone may still have access.
Step 2: Recover access through the official provider
Use the official account recovery page for your provider:
- Microsoft account or Outlook.com: recover the account through Microsoft's recovery process.
- Google or Gmail: use Google's account recovery and compromised account steps.
- Microsoft 365 business email: use an administrator account to reset the user's password, revoke sessions where available, and check sign-in and mailbox activity.
Avoid sponsored search results, social media "recovery specialists", and anyone asking for payment to unlock an account outside the provider's process. Account recovery can be frustrating, but shortcuts are a common second scam.
Step 3: Change the password and remove reused passwords
Create a new password that is unique to that account. If the old password was reused anywhere else, assume those accounts are at risk too. Change the most important accounts first:
- Banking and payment accounts
- myGov, Medicare, tax, and identity services
- Apple ID, Microsoft account, Google Account, and cloud storage
- Social media and messaging accounts
- Password manager master account
- Business systems such as accounting, CRM, website admin, and domain registrar
Do this from a clean device. If you use a password manager, update the saved password and check whether the old password appears on other logins.
Step 4: Fix multi-factor authentication properly
Turn on multi-factor authentication where available, but also check what is already enrolled. The Australian Cyber Security Centre warns that a cybercriminal may add their own MFA method to keep access. Remove phone numbers, authenticator apps, passkeys, backup codes, or recovery email addresses you do not recognise.
For a small business, make sure every administrator account has strong MFA and recovery ownership is documented. Do not rely on one person's mobile phone as the only way to recover the whole Microsoft 365 tenant.
Step 5: Check forwarding rules, filters, and mailbox settings
Attackers often hide in mailbox settings. They may forward every email, delete security alerts, move bank messages to an archive, or create rules that hide replies from customers.
Check:
- Automatic forwarding to external addresses
- Inbox rules that move, delete, hide, or redirect mail
- Blocked senders and allowed senders
- Recovery email and phone details
- Connected apps and OAuth permissions
- Recent devices and active sessions
- Delegates, shared mailbox access, and aliases
- Deleted items, archive, junk, and unusual folders
Microsoft's business guidance specifically calls out mailbox compromise and business email compromise patterns. Its Defender documentation also treats suspicious email forwarding as a security signal because forwarding can be manual or automatic and may happen through inbox rules, mail flow rules, or other settings.
Step 6: Check what the attacker may have seen or sent
Look at recent sent items, deleted items, search history, mailbox rules, and sign-in activity. Search for terms such as "invoice", "payment", "bank", "password", "code", "ATO", "myGov", "Dropbox", "OneDrive", "SharePoint", and customer names.
For home users, the practical question is whether the attacker could reset other accounts or view sensitive documents. For business users, the question is wider: could they have read quotes, changed payment instructions, sent malware links, accessed shared files, or impersonated staff?
If customers, suppliers, staff, or family members received suspicious messages, warn them using a separate trusted channel where possible. Keep the warning simple: your email was compromised, ignore recent unexpected links or payment changes, and verify any money request by phone using a known number.
Step 7: Review devices and remote access tools
Email compromise and device compromise often overlap. Check phones, tablets, Outlook profiles, browser sessions, and old computers that still sync mail.
If a scammer connected remotely, look for tools such as AnyDesk, TeamViewer, Quick Assist, Chrome Remote Desktop, or other remote-control apps. Some are legitimate when you initiate support, but unknown installations after a scam call should be treated carefully.
Update the operating system and browser, remove unwanted extensions, and run trusted security scans. Do not install random cleaner tools from ads.
Step 8: Small business incident checklist
For a Sydney small business, one compromised mailbox can become an invoice fraud, privacy, payroll, or client-trust issue. Work through this checklist before declaring the incident closed:
- Disable risky sessions and reset the affected user's password.
- Confirm MFA methods, recovery details, and admin roles.
- Check sign-in logs for unusual locations, times, and devices.
- Review forwarding, inbox rules, delegates, shared mailboxes, and transport rules.
- Search sent mail for invoice changes, payment requests, file links, and malware links.
- Check whether OneDrive, SharePoint, Teams, or Google Drive files were accessed or shared.
- Confirm no accounting, payroll, domain, website, or password manager accounts were changed.
- Notify affected people if suspicious emails or payment instructions were sent.
- Preserve screenshots, message headers, sign-in logs, and times before deleting evidence.
- Tighten security defaults, MFA, admin access, and mailbox auditing after recovery.
If money was transferred, contact the bank immediately. If business email compromise or identity misuse may be involved, follow ACSC reporting and recovery guidance.
Sydney examples
A home user in Parramatta notices Gmail recovery alerts and friends receiving strange gift-card messages. The right sequence is to recover Gmail through Google, remove unknown devices and recovery details, turn on 2-Step Verification, change reused passwords, and warn contacts.
A trades business in Western Sydney finds that a supplier received a fake bank-detail change from the owner's Microsoft 365 mailbox. That needs more than a password reset. Check mailbox rules, sign-ins, sent items, accounting access, MFA methods, and whether any customer or supplier payments need urgent verification.
A retired customer on the North Shore gets an Outlook pop-up saying to call support, then lets a caller connect remotely. In that case, secure the computer and email together: disconnect the remote session, scan the device, change passwords from another device, and check whether banking or myGov details were exposed.
Prevention after recovery
Once the account is safe, make the setup easier to defend:
- Use a password manager and unique passwords.
- Turn on MFA for email, banking, cloud storage, social media, and admin accounts.
- Keep recovery phone and email details current.
- Remove old devices and apps that no longer need access.
- Use separate administrator accounts for Microsoft 365 business tenants.
- Train staff to verify payment changes by phone using a known number.
- Keep backups for important files outside the mailbox.
- Review mailbox rules after staff departures or suspected phishing.
Good security is not about never clicking the wrong thing. It is about making one mistake less damaging.
When to book email security help
Book support if you cannot recover the account, if MFA or recovery details were changed, if money or client data may be involved, if a scammer accessed your computer, or if a business mailbox sent payment or invoice messages.
Everyday Computing helps Sydney homes with personal email recovery, phishing checks, password resets, device cleanup, and MFA setup. For small businesses, we can help review Microsoft 365 sign-ins, mailbox rules, admin access, security defaults, and practical recovery steps before the incident becomes a repeat problem.
