TwentyFour IT

How to Check If Your Email Account Has Been Breached

It’s tough to find someone who hasn’t had their email account hacked at some point. Many people believe they aren’t a target for hackers because they don’t hold valuable information. This is incorrect! Anyone can hold information which can expose an organisation to threats. “Cybercrime is the greatest threat to every company in the world.” (Ginni Rometty, Chairman, President and CEO, IBM)

One of the most common ways cybercrime happens is through your email account. In this article we will give you a breakdown of how an email account is breached. We will also discuss what measures you can take to ensure you are following best practices to protect your accounts.


Let’s start with how an attacker could have gained access to your account. We are seeing more frequent incidents where users are being targeted by email phishing. This is essentially someone sending you an email to try to get information out of you. They can simply use your email layout/signature to target your clients or even members of your staff.

Another way is with emails containing links. The link can be inside a PDF attachment on the email or directly within the content. When you click on such a link you will more than likely be presented with a login page that is a replica of the website/business they are impersonating. If you enter any information here, e.g. email address/password, the attacker will have gained access to your information. They will now be able to log in to your email account.


New techniques are constantly being developed to stop these attacks from happening. However, as fast as these are developed and implemented, attackers come up with new ways to target people or companies. Unfortunately for the team fighting back against them, this method is very challenging, as people often receive many emails containing several links. It would require training our software to examine each link on an individual basis to decide whether it’s an authentic or malicious link.

In the past attackers have gained access to mailboxes by sending out a mass spam email to all of your contacts. As more people become aware of generic spam email, attackers are developing new tactics which are more inventive and methodical. One method is that, once they have gained access to your account, they will spy on it in order to find out as much information as possible. This will include:

• Gathering intelligence about you
• What you do
• Who you talk to
• Your position in the company
• How you word your emails.

A forward may also be put on your account. This will forward any emails you receive to an email account which they control. By doing this the attacker doesn’t have to stay logged into your account, and the forward will remain even if you change your password.

Once they have gathered the information they require from you, they may decide that you’re not a worthwhile target. Nevertheless, they may use the information they have gathered to target someone higher up in the organisation, like an accountant. Just think about what an attacker could do with access to the accountant’s mailbox: invoices, customers’ invoices or possibly bank details.

By using this information, an invoice can be created that looks identical to your organisation’s. The only change will be that somewhere in it there will be something such as “we have updated our bank details”. This can then be sent to one of your clients from the email addresses they have gained access to.

As most businesses have a good relationship with their clients and have gained their trust, clients will pay this to the details they have received, as they recognise and do business with you.

Okay, How Do I Check?

If you are using Outlook, under the Home tab you should have an option to manage your inbox rules.

Where to find Manage Rules in Outlook

This will then open a box that displays all the rules you currently have on your mailbox. Most people will have rules set in place to move emails from X folder over to Y folder.

Once here you will need to look for any rules that forward or redirect emails. The only way to check this is to check each rule individually, as the attacker could have given the rule a name that does not look suspicious.

When checking the rules in place, look for anything that contains the words “forward” or “redirect”. Pay very close attention to these. If you do have a rule that is forwarding/redirecting emails to an unknown email address, this is a very strong indicator that someone has had access to your account at some point in time, and they may still be monitoring your emails.

There is also a second type of forwarding. However, checking for this is something which would need to be performed by your IT department. It is a quick test which usually takes a couple of minutes to perform. Checking this is highly recommended.

It may not be realistic to perform the above task if you have a lot of users within your organisation. You may also not feel confident with users checking this themselves. If so, you can ask your IT team to check. This will involve taking all the rules people have set up and checking for words such as ‘forward’ and ‘redirect’.
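An added example, not part of the original article: one way an IT team could run this check over rules exported from many mailboxes, judging each rule by what it does rather than by its name. The export layout, the field names, the recipient string format and the company.example domain are assumptions, and the sample rules are constructed.

```python
import re

# Assumption: domains the organisation owns; every other domain is external.
INTERNAL_DOMAINS = {"company.example"}
# Assumed field names for the rule actions that send mail elsewhere.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def is_internal(domain):
    """True for an owned domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_targets(recipients):
    """Return the distinct recipient addresses that leave the organisation."""
    found = []
    for entry in recipients or []:
        for match in ADDRESS_RE.finditer(entry):
            address = match.group(0).lower()
            if not is_internal(match.group(1).lower()) and address not in found:
                found.append(address)
    return found

def audit_rules(rules):
    """Flag rules by their actions, ignoring the rule name and enabled state."""
    findings = []
    for rule in rules:
        for action in FORWARD_ACTIONS:
            targets = external_targets(rule.get(action))
            if targets:
                findings.append((rule["Mailbox"], rule["Name"], action, targets))
    return findings

def name_keyword_hits(rules):
    """The name-only check: rule names containing 'forward' or 'redirect'."""
    return [r["Name"] for r in rules if re.search(r"forward|redirect", r["Name"], re.I)]

# Constructed sample export, not real data.
SAMPLE_RULES = [
    {"Mailbox": "accounts@company.example", "Name": "Move newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters"},
    {"Mailbox": "accounts@company.example", "Name": "RSS Feeds", "Enabled": True,
     "ForwardTo": ['"sync@mail-archive.example.net" [SMTP:sync@mail-archive.example.net]']},
    {"Mailbox": "director@company.example", "Name": "Forward to PA", "Enabled": True,
     "ForwardTo": ['"Jane Doe" [SMTP:jane@company.example]']},
    {"Mailbox": "sales@company.example", "Name": "Sync", "Enabled": False,
     "RedirectTo": ['"backup" [SMTP:backup@example.org]']},
]

if __name__ == "__main__":
    for mailbox, name, action, targets in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' uses {action} -> {', '.join(targets)}")
```

On the sample data, searching rule names alone finds only the harmless internal "Forward to PA" rule, while the action-based audit reports the innocuously named "RSS Feeds" and the disabled "Sync" rule that send mail outside the organisation.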

My Account Is Clean, How Do I Secure Myself?

If you are using an Office 365 licence which is Business Premium or above (this does not include Exchange Online Plan 1) then you can ask IT to set up multi-factor authentication on your account.

With this method set up on your account, if anyone manages to figure out the password, they would also need the code that is texted to your mobile phone to log in to your account and access your data. So, unless the attacker also has your phone, you’re safe.

What Else Can be Done?

IT can also put something in place to detect auto forwarding of emails and notify and/or block if one has been detected. This would be an early warning of a potential breach.


Putting these practices in place can help protect your email account from being compromised. Cyber criminals can still find ways to access your information. However, by following these practices you are reducing the risk of exposing your business to these types of threats.
