If your email is being spoofed, your email address is being forged as the sender of messages you didn’t send. This happens when attackers impersonate your email address to send phishing emails, malware, or spam to your contacts or to random recipients. The good news is that true email spoofing—where someone uses your exact address as the sender—doesn’t necessarily mean your account is compromised. Your password may still be secure. However, your contacts receive emails that appear to come from you, damaging your reputation and potentially compromising them.
The first step is to determine whether your account has actually been hacked or if someone is simply spoofing your address using forged headers. Check your sent folder and login history. If you see emails you didn’t send, your account is compromised. If your sent folder is empty and your login locations look normal, someone is likely spoofing your address externally without accessing your account. Both scenarios require action, but they call for different responses.
Table of Contents
- How to Verify If Your Email Address Is Being Spoofed or Hacked
- Immediate Actions When Your Account Is Compromised
- Checking for Data Breaches and Unauthorized Access
- What to Do If Your Email Is Only Being Spoofed Without Account Access
- Advanced Security Checks and Account Cleanup
- Protecting Your Contacts from Further Spoofing
- Monitoring Your Reputation After Spoofing
How to Verify If Your Email Address Is Being Spoofed or Hacked
Log in to your email account immediately and check your sent folder for messages you didn’t create. Look at the timestamps and recipients—if there are emails you don’t recognize, your account credentials have been stolen. Next, review your recent login activity. Gmail shows “Last account activity” at the bottom of the inbox with IP addresses and device information. Outlook displays “Recent activity” under Account settings.
If you see logins from unfamiliar locations or devices, especially in different countries with impossible travel times between logins, your account is compromised. If your sent folder is clean and your login history shows only your own devices and locations, the spoofing is likely external. Attackers can forge email headers to make messages appear to come from any address without accessing the actual account. Your contacts are receiving these spoofed messages because the attacker is either targeting them directly with forged headers or using a compromised list that includes your email address. This distinction matters because it changes your response strategy.
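When a recipient forwards you one of the messages with its full headers, the Authentication-Results and Received lines show whether it really passed through your provider (pointing to a compromised account) or was injected by an outside host with a forged From: line. The following is an added example, not code from the original article, that reads those headers with Python's standard library; both messages, and every hostname and address in them, are constructed for illustration.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed samples (not real messages). SPOOFED: From: claims alice@example.com
# but an unrelated host injected it and authentication failed. LEGIT: same From:,
# sent through example.com's own mail servers and passing SPF/DKIM/DMARC.
SPOOFED = """\
Return-Path: <bounce@spam-relay.invalid>
Received: from spam-relay.invalid (spam-relay.invalid [203.0.113.7])
    by mx.recipient.example with ESMTP; Tue, 4 Jun 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
    spf=fail smtp.mailfrom=spam-relay.invalid; dkim=none; dmarc=fail header.from=example.com
From: Alice <alice@example.com>
To: bob@recipient.example
Subject: Urgent invoice

Please open the attached invoice.
"""
LEGIT = SPOOFED.replace("spam-relay.invalid", "mail.example.com").replace(
    "spf=fail", "spf=pass").replace("dkim=none", "dkim=pass").replace("dmarc=fail", "dmarc=pass")

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")

def analyse_headers(raw: str) -> dict:
    """Summarise the sender-authentication evidence carried in a message's full headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    results = dict(AUTH_RE.findall(auth))
    # The last Received: header is the earliest hop, i.e. the host that injected the mail.
    received = [str(h) for h in msg.get_all("Received", [])]
    hop = re.search(r"from\s+(\S+)", received[-1]) if received else None
    origin = hop.group(1).lower() if hop else "unknown"
    if results.get("dmarc") == "pass":
        verdict = "authenticated as the From: domain: check the account itself for compromise"
    else:
        verdict = "failed sender authentication: consistent with an externally forged From: header"
    return {"from_domain": from_domain, "envelope_domain": envelope,
            "origin_host": origin, "auth": results, "verdict": verdict}

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_headers(raw))
```

A real forwarded message may carry several Received: and Authentication-Results: lines; only the ones added by the recipient's own mail server can be trusted, since an attacker can prepend fake ones.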
Immediate Actions When Your Account Is Compromised
If your login history shows unauthorized access, change your password immediately. Use a strong, unique password at least 16 characters long, combining uppercase letters, lowercase letters, numbers, and symbols. Avoid reusing passwords across different accounts, especially if you’ve used the same password elsewhere. The attacker likely got your email password through a data breach, phishing, malware, or a weak original password. Changing it isn’t enough—check if that same password was used on other services like banking, social media, or work accounts, and change those too.
Enable two-factor authentication (2FA) on your email account as your second layer of defense. 2FA requires a second verification method—typically a code from an authenticator app, a text message, or a security key—when you or anyone else tries to log in. Authenticator apps like Google Authenticator or Authy are more secure than SMS because text messages can be intercepted through SIM swapping attacks. When you enable 2FA, save the backup recovery codes in a secure location in case you lose access to your authenticator device. Without these codes, you could be locked out of your own account if your phone is stolen or damaged.
Checking for Data Breaches and Unauthorized Access
Visit haveibeenpwned.com and enter your email address to see if it appears in known data breaches. This free service checks against hundreds of millions of compromised records from past security incidents. If your email appears in a breach, that’s likely how attackers obtained your password. Knowing which service was breached helps you prioritize which accounts need password changes—if your email was in a retail company’s breach, change your password there first, then update your email password, then check any services where you used that same password.
Check your email recovery options and connected accounts. Attackers often change your recovery email address or phone number to lock you out and prevent recovery. Go to your account settings and verify that the recovery phone number and alternate email address are still ones you control. Review connected apps and devices that have permission to access your email. In Gmail, this appears under “Apps with account access” or “Manage your Google Account.” In Outlook, check “Your devices” and “App passwords.” Remove any apps or devices you don’t recognize or no longer use.
What to Do If Your Email Is Only Being Spoofed Without Account Access
If your account is secure but your email address is still being used to send spoofed emails, you have fewer direct options because the problem isn’t on your server—it’s in the attacker’s forged headers. However, you should still report the spoofing to your email provider. Gmail has a “Report phishing” option; Outlook has “Report Junk” and “Report Phishing.” These reports train the provider’s spam filters to recognize and block similar messages in the future. Contact the recipients of the spoofed emails, especially your closest contacts and colleagues, to warn them that emails appearing to come from you may be malicious.
A simple message—”My email address is being spoofed. Do not open attachments or click links in unsolicited emails from me without calling to confirm”—prevents them from becoming victims. The attacker is relying on trust; breaking that chain stops the attack’s effectiveness. If the spoofing involves phishing or malware distribution, you may want to report it to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov, though this is more important if you know the spoofing is part of a larger targeted campaign.
Advanced Security Checks and Account Cleanup
Review your email forwarding rules because compromised accounts often have forwarding set up to copy all incoming mail to the attacker’s address. In Gmail, check Settings > Forwarding and POP/IMAP > Forwarding address. In Outlook, go to Mail > Settings > Forwarding. Delete any forwarding addresses you didn’t create. Similarly, check if anyone has granted themselves delegated access to your account, which allows them to read and send emails as you without needing your password.
In Gmail, this is under “Grant access to your account” in Settings. Attackers use delegation to maintain long-term access even after you change your password. Create a detailed list of any suspicious activity: dates when you first noticed spoofed emails, how many recipients were affected, what the spoofed emails contained (phishing links, malware attachments, etc.), and any financial impact if money was lost. Keep screenshots or forwarded examples of the spoofed emails showing full headers. This documentation helps your email provider investigate faster and becomes important if you need to file a report with law enforcement. Your email provider can sometimes trace where the spoofed emails originated and may be able to take action against the attacker’s infrastructure.
Protecting Your Contacts from Further Spoofing
Send a bulk message to your contacts explaining the situation: “My email address has been compromised and is being used to send phishing emails. If you receive unsolicited emails from me with suspicious links or attachment requests, especially asking for passwords or financial information, it’s not from me. Please do not click the links or download attachments. If you’re concerned an email is genuine, call me to verify.” This warning is more effective coming from you directly than from anyone else.
Ask your contacts to report any spoofed emails they receive to their email provider’s phishing or spam report feature. Each report helps the email infrastructure recognize and filter these messages. The more reports an email gets, the more likely it is to be blocked before reaching other inboxes. Email providers like Google and Microsoft use these community reports to improve spam detection across their entire networks.
Monitoring Your Reputation After Spoofing
Set up Google Alerts for your email address by entering your full address in quotes as the search term. This notifies you whenever your email appears in new public content, which can help you catch ongoing spoofing campaigns. You may see your address in dumps, pastes, or spam lists, giving you early warning that new spoofing waves are starting.
Check your email’s public reputation on tools like Google Postmaster Tools or MXToolbox’s reputation monitors. These services track how email providers around the world perceive your domain. Spoofing can lower your domain’s reputation because spam and phishing sent from your address contribute to negative signals. If your reputation has been damaged, it may take weeks or months to recover even after the spoofing stops, because email systems maintain historical records of spam sent from your address.