Most people imagine an email hack as something obvious. You try to log in and can’t. Your contacts get a weird message. Something is visibly wrong.
That’s not how it usually works.
The more common scenario is quieter: someone has access to your inbox, has had it for a while, and has been careful not to do anything you’d notice. They’re not spamming your contacts. They’re reading. Waiting. Watching for the right moment — a payment request, a contract, a supplier invoice — and then acting.
By the time you realise what happened, the damage is done.
Why email is the target
Your inbox is not just messages. It’s the master key.
Most online accounts — banking, payroll software, cloud services, supplier portals — use email for password resets. An attacker with access to your inbox can reset the password on almost any account you own. They don’t need to know your banking password. They just need your email.
That’s what makes email compromise so much more serious than it sounds. It’s not one account at risk. It’s all of them.
How attackers get in
Credential stuffing from data breaches. Billions of email addresses and passwords have been exposed in third-party data breaches over the years — LinkedIn, Adobe, Canva, dozens of others. If you’ve ever reused a password across different services (and most people have, at least once), attackers test those leaked credentials automatically against email providers. It costs them almost nothing. If one works, they’re in.
Phishing pages. Fake login pages that look exactly like Microsoft 365 or Google Workspace are extremely common. You click a link, enter your credentials into what looks like your normal login screen, and your details go straight to the attacker. No malware, no technical exploit — just a convincing replica and a moment of inattention.
Token theft. This one bypasses MFA entirely. Some attacks don’t steal your password at all — they steal the authentication token that proves you’ve already logged in. This can happen through malicious browser extensions, compromised devices, or certain types of phishing links. The result is that even a correctly configured MFA setup won’t protect you, because the attacker is presenting a valid session token, not trying to log in fresh.
Compromised third-party apps. Many businesses connect third-party tools to their email — CRM integrations, scheduling apps, email marketing platforms. If any of those services is breached, the attacker may gain access to your email without ever touching your password.
What they do once they’re in
The first thing most attackers do is make sure you won’t notice them.
They’ll create inbox rules: incoming emails that match certain criteria get automatically marked as read and moved to a folder you rarely check. This is particularly targeted — rules might filter on words like “security alert,” “password reset,” “invoice,” or the name of your bank. Warnings about suspicious activity never reach your inbox. You see nothing.
Then they wait, or they get to work, depending on what they’re after.
Business email compromise (BEC). If you’re a business owner or handle payments, this is the expensive one. The attacker monitors your email for a few weeks, learns who your suppliers are, what your payment processes look like, and the tone of your communications. Then they send an email — from your account, or from a lookalike domain — redirecting a payment. The supplier’s bank details have “changed.” The invoice needs to go to a different account. By the time anyone realises the money went to the wrong place, it’s usually gone.
Identity theft and account takeover. Your inbox is used to reset passwords on banking, investment, or government services accounts. This can take time to surface and longer to resolve.
Data collection. Not every attacker acts immediately. Some sit quietly for months, reading sensitive communications, collecting information about your business, your clients, your suppliers. The value is in the intelligence, not the immediate grab.
Lateral movement. Your email access gets used to send phishing links to your contacts. Because the email comes from a known, trusted address, the hit rate is much higher than a cold phishing attempt. Your clients and colleagues become the next targets.
Signs your inbox may already be compromised
None of these are definitive on their own, but any of them warrants investigation:
Emails in your Sent folder you don’t remember writing. Check your Sent folder periodically. Attackers sometimes send messages from your account and delete the sent copies — but not always.
Password reset notifications you didn’t trigger. If you receive a “someone requested a password reset” email for an account and you didn’t request it, someone is testing whether they have access to intercept the reset link.
Inbox rules you didn’t create. This is the most direct indicator. Go into your email settings and check your rules and filters. If there are rules forwarding email to an external address, or automatically archiving emails matching certain keywords, and you didn’t create them, treat it as a confirmed breach.
Emails you expected to receive but didn’t. If suppliers, colleagues, or clients tell you they sent you something and you never received it — especially if it’s security-related — a filtering rule may be suppressing it.
Login alerts from unfamiliar locations. Most email providers will notify you of sign-ins from new devices or locations. If you receive one of these and it wasn’t you, act immediately.
Contacts reporting odd messages from you. If someone tells you they received a strange email from your address, your account may have been used to send phishing messages.
Steps to take right now
Check whether your email has appeared in a known breach. Visit haveibeenpwned.com — enter your email address and it will tell you which data breaches it has appeared in. If it has appeared in any, and you used the same password elsewhere, assume those accounts are compromised.
Review recent sign-in activity. Both Google and Microsoft provide dashboards showing recent login locations and devices. In Google, go to your Account Security page. In Microsoft 365, check your sign-in logs through the account security dashboard. Look for anything unfamiliar — an unexpected country, an unrecognised device, an unusual time.
Check your inbox rules and forwarding settings. In Gmail: Settings > See all settings > Filters and Blocked Addresses, and check the Forwarding tab. In Outlook/Microsoft 365: Settings > Mail > Rules. Delete anything you didn’t create.
Change your password immediately. Use a long, unique password — a passphrase works well. Do not reuse it anywhere else. If you use a password manager (and you should), generate it there.
Enable multi-factor authentication. If you don’t have MFA on your email account, turn it on now. An authenticator app (Google Authenticator, Microsoft Authenticator) is more secure than SMS-based MFA, which can be intercepted in some attacks. MFA won’t protect you against token theft, but it blocks the majority of credential-based attacks.
Revoke third-party app access. Review which apps have access to your email and remove anything you don’t recognise or no longer use. In Google: Account > Security > Third-party apps with account access. In Microsoft 365: myapps.microsoft.com.
Tell your IT provider or managed security service. If you have one, they should know about a suspected breach. They may have additional visibility into whether the account was used to access connected systems.
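Two of the checks above lend themselves to a script: the inbox rules that hide or forward mail (the “you see nothing” pattern described under “What they do once they’re in”) and sign-ins from places or devices you have never used. The following Python is an added example and not part of the original article or of any provider’s tooling. It runs over constructed sample records in an assumed, simplified shape; the field names (subject_contains, forward_to, country, device and so on) are assumptions, and a real rules or sign-in export from Gmail or Microsoft 365 would need mapping onto them first. SENSITIVE_TERMS extends the keywords the article mentions (security alert, password reset, invoice, the bank’s name) with a few more of the same kind.

```python
"""Audit a mailbox for hiding/forwarding inbox rules and unfamiliar sign-ins.

Added example, not code from the original article. All records below are
constructed samples in an assumed, simplified shape.
"""
from dataclasses import dataclass

# Subject/sender wording an attacker's hiding rule typically filters on
# (the article's examples plus a few of the same kind).
SENSITIVE_TERMS = (
    "security alert", "password reset", "sign-in", "suspicious",
    "invoice", "payment", "bank", "verification code",
)

# Rule actions that keep a matching message out of the user's sight.
HIDING_ACTIONS = ("mark_read", "move_to_folder", "delete")


@dataclass
class Finding:
    item: str      # rule name or sign-in description
    severity: str  # "high" or "medium"
    reason: str


def audit_rules(rules, own_domain):
    """Flag inbox rules that forward externally or hide sensitive mail."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})

        # Auto-forwarding to an address outside your own domain is the
        # clearest sign that someone else is reading your mail.
        for addr in actions.get("forward_to", []):
            if not addr.lower().endswith("@" + own_domain.lower()):
                findings.append(Finding(name, "high", f"forwards mail to external address {addr}"))

        # A rule that matches security/finance wording AND hides the message
        # is the pattern the article describes: the warning never reaches you.
        matched = {c.lower() for key in ("subject_contains", "body_contains", "from_contains")
                   for c in conditions.get(key, [])}
        hits = [t for t in SENSITIVE_TERMS if any(t in m for m in matched)]
        hides = [a for a in HIDING_ACTIONS if actions.get(a)]
        if hits and hides:
            findings.append(Finding(name, "high", f"hides mail matching {hits} via {hides}"))
        elif actions.get("delete"):
            # Silent deletion without a sensitive keyword is still worth a look.
            findings.append(Finding(name, "medium", "deletes incoming mail outright"))
    return findings


def audit_signins(events, known_countries, known_devices):
    """Flag successful sign-ins from a country or device not seen before."""
    findings = []
    for ev in events:
        if ev.get("result") != "success":
            continue  # failed attempts matter too, but a success is what we act on
        reasons = []
        if ev["country"] not in known_countries:
            reasons.append(f"new country {ev['country']}")
        if ev["device"] not in known_devices:
            reasons.append(f"new device {ev['device']}")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            desc = f"{ev['time']} {ev['country']} {ev['device']}"
            findings.append(Finding(desc, severity, "; ".join(reasons)))
    return findings


# Constructed sample data (assumed shape, not a real provider export).
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": {"from_contains": ["newsletter@"]},
     "actions": {"move_to_folder": "Reading"}},
    {"name": ".", "conditions": {"subject_contains": ["Security alert", "password reset"]},
     "actions": {"mark_read": True, "move_to_folder": "RSS Feeds"}},
    {"name": "Invoices", "conditions": {"subject_contains": ["invoice"]},
     "actions": {"forward_to": ["accounts-payable@external-mail.test"], "mark_read": True}},
]
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T08:12Z", "country": "GB", "device": "Windows/Chrome", "result": "success"},
    {"time": "2024-05-01T23:47Z", "country": "BR", "device": "Linux/Firefox", "result": "success"},
    {"time": "2024-05-02T03:05Z", "country": "BR", "device": "Windows/Chrome", "result": "failure"},
    {"time": "2024-05-02T09:30Z", "country": "GB", "device": "iOS/Mail", "result": "success"},
]


def run_audit():
    """Run both checks over the sample data and return the findings."""
    return {
        "rules": audit_rules(SAMPLE_RULES, "example.com"),
        "signins": audit_signins(SAMPLE_SIGNINS, {"GB"}, {"Windows/Chrome", "iOS/Mail"}),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(f"== {section} ==")
        for f in findings:
            print(f"[{f.severity}] {f.item}: {f.reason}")
```

Against the sample data the rule audit reports three high findings (the terse rule that hides security alerts and password resets, and the invoice rule both for its external forward and for hiding invoices) and the sign-in audit reports one (a success from a new country on a new device); the failed attempt is skipped. Treat any high finding in the rules section the way the article does: as a confirmed breach, and move straight to the password change and MFA steps.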
The uncomfortable reality
Email compromise is one of the most common entry points for serious business incidents — financial fraud, data breaches, ransomware — precisely because it’s quiet, it’s effective, and it’s often running for a long time before anyone notices.
The good news is that the detection steps above are free and take less than 30 minutes. If you haven’t checked your inbox rules and recent sign-in activity recently, do it today. Not because you’re definitely compromised, but because if you are, you’d rather know now.
If you find something concerning, or you want help locking down your email and connected systems properly, get in touch. We’ll help you work out what happened and what needs to happen next.