How to Recover a Hacked Business Email Account

Few things are as alarming as discovering that your business email account has been hacked — strange sent messages, password reset emails you did not request, or clients reporting odd emails from you. Email is the keys to the kingdom: it can reset passwords for nearly every other account you own. If your business email is compromised, here is how to take it back, fast and completely.

Act fast — email is the master key

Move quickly, because a hacked email account is a launchpad. With access to your inbox, a criminal can reset passwords on your banking, payroll, and cloud accounts, read sensitive correspondence, and impersonate you to your customers and vendors. The faster you lock them out, the less damage they can do. Treat a hacked business email as an emergency, not a nuisance.

Step 1: Change your password from a clean device

Immediately change your email password — using a device you are confident is not infected. Choose a strong, unique password you have never used elsewhere. If you cannot log in because the attacker already changed the password, use the provider’s account-recovery process right away. The sooner you reclaim the password, the sooner the intruder is out.

Step 2: Enable multi-factor authentication

Turn on multi-factor authentication immediately if it is not already on. This is the single most important step to keep the attacker from simply logging back in with a password they may still know. If MFA was already enabled, check the registered methods and remove any phone number, authenticator, or app password you do not recognize — attackers often add their own.

Step 3: Hunt for hidden forwarding rules and filters

This is the step most people miss. A common attacker trick is to set up a hidden mail-forwarding rule or filter so that copies of your incoming email — including password resets — are secretly sent to them or auto-deleted. Even after you change your password, these rules keep leaking your mail. Go into your email settings and review every forwarding rule, filter, and auto-reply. Delete anything you did not create. Also check that your recovery email and phone number are still yours.

Step 4: Review activity and revoke access

Check your account’s recent sign-in activity for unfamiliar locations or devices, and sign out of all sessions so any active intruder is kicked out. Review connected or third-party apps that have access to your account and revoke any you do not recognize. Look through your sent folder and deleted items to understand what the attacker may have sent or read while they had access.

Step 5: Assess the damage and reset linked accounts

Because your email can reset other passwords, assume any account tied to it may be at risk. Change passwords on your most important linked accounts — banking, payroll, cloud storage, and any service that uses this email for recovery. If the hacked account is part of Microsoft 365, follow our specific guide to recovering a hacked Microsoft 365 account, which includes admin-level steps.

Step 6: Warn your contacts and watch for fraud

Attackers use a hijacked business email to scam the people who trust you — sending fake invoices or urgent payment requests to your clients and vendors. Warn your contacts not to act on unusual emails from you, and alert your finance team and bank to watch for fraudulent transfers. This kind of attack is closely related to business email compromise (BEC), one of the costliest scams small businesses face.

Step 7: Report it and document everything

If money was lost or sensitive data exposed, report the incident — to the FBI’s Internet Crime Complaint Center (IC3) and your bank — and document the timeline for your insurer. Our guide on how to report a cyberattack walks through where to file. Prompt reporting of wire fraud can sometimes help recover funds.

Figure out how they got in

Before you move on, take a moment to understand how the compromise happened, because that is what tells you how to prevent the next one. The most common causes are a password reused from another site that was breached, a phishing page that captured the login, or the absence of MFA that would have stopped a stolen password cold. Check whether the password had been exposed in a known breach, ask the account owner whether they recently entered credentials on any unexpected page, and confirm whether MFA was actually enabled and enforced. If the same password was used elsewhere, change it everywhere. Closing the specific gap that let the attacker in — rather than just resetting the password and hoping — is the difference between a one-time scare and a recurring problem.

Step 8: Prevent the next one

Once you have control again, close the door for good: confirm MFA is on for every account, move to a password manager with unique passwords, train your team on phishing, and tighten your email security settings. If you are not confident the attacker is fully gone — or you simply want expert eyes on it — Veteran Forge Strategies can help you secure your accounts and lock down your email for the future.

Key takeaways

  • Act fast — email can reset the passwords to everything else you own.
  • Change the password from a clean device and enable MFA immediately.
  • Hunt for hidden forwarding rules and filters — the step most people miss.
  • Revoke sessions and connected apps, then reset linked banking and cloud accounts.
  • Warn contacts, watch for fraud, report it, and document the timeline.

Frequently asked questions

How do I know if my business email was hacked? Warning signs include password resets you did not request, unfamiliar sent messages, contacts receiving strange emails from you, and unknown sign-in locations.

What is the first thing to do with a hacked email? Change the password from a clean device and enable MFA, then check for hidden forwarding rules that could keep leaking your mail.

Can a hacked email lead to more fraud? Yes — attackers use it to reset other accounts and to impersonate you to clients and vendors, so warn your contacts and bank quickly.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *