Someone hacked my email and used it to scam my contacts — what should I do?
Regain control of your account immediately, notify your contacts, and report the compromise to the email provider. Change the password on every other account that used the same credentials.
Last reviewed: 10 June 2026
Explanation
When your email is compromised and used to send scam messages to your contacts, you face two simultaneous problems: a security compromise of your own account and potential damage to your relationships and reputation. Both require prompt action.
First, recover your account. Use the email provider's account recovery process (usually a password reset via phone or backup email). Once back in, change the password to a strong, unique one, enable two-factor authentication, review connected apps and revoke any suspicious authorizations, and check mail forwarding rules — scammers often set up forwarding to themselves before being locked out.
Next, notify your contacts that your account was hacked and that any unusual messages (especially those asking for money, gift cards, or containing suspicious links) were not from you. Do this as quickly as possible to prevent people from acting on the scam messages. Use a different email address or phone for this notification since your account may still be compromised.
Change passwords for any other accounts that share the same email and password combination. Check your financial accounts for any changes made using 'forgot password' flows linked to the compromised email. Report the incident to the email provider using their security reporting process. File a report with the FTC if any financial harm resulted.
Common red flags
- You are locked out of your own email account unexpectedly
- Contacts report receiving money requests or suspicious links from your address
- Your sent folder contains messages you did not write
- Mail forwarding rules in your account that you did not create
- Password reset attempts you did not initiate
- Login notifications from unfamiliar locations or devices
What to do now
- Use the email provider's account recovery to regain access
- Change your password and enable two-factor authentication
- Review and remove any suspicious forwarding rules or connected apps
- Notify your contacts immediately about the compromise
- Change passwords on other accounts using the same credentials
- Check financial accounts for unauthorized changes
- Report to the FTC at ReportFraud.ftc.gov
Frequently asked questions
Am I liable if someone was scammed using my email account?
Generally no — you are the victim of the account compromise. Your contacts would pursue the actual scammer, not you. However, act quickly and notify contacts to minimize any harm, which also demonstrates good faith.
How can I prevent my email from being hacked again?
Use a unique, strong password for your email account, enable two-factor authentication (preferably app-based, not SMS), avoid clicking links in suspicious emails, and regularly review your account's connected apps and login activity.