Email Account Takeover Scam UK: How to Spot and Stop It

Your email is the master key to your digital life — if a scammer gets in, they can reset passwords, steal money, and impersonate you.


Tags: email account takeover UK, email hacked scam, Gmail account takeover, Outlook account compromised, email security UK
Key rule: verify through an official route you opened yourself, not the link, number, app, or payment details supplied by the suspicious message.

What is this scam?

Email account takeover is when a scammer gains unauthorised access to your email account. Once inside, they can read your messages, reset passwords on other accounts (banking, shopping, social media), steal personal information, send emails pretending to be you, and access sensitive documents or photos. The scammer may have obtained your password through a data breach, phishing email, malware, or by guessing a weak password. Unlike some scams where you lose money directly, email takeover is dangerous because it gives criminals the keys to your entire digital life.

They can use your account to commit fraud, blackmail you, or steal from your contacts. Many people don't realise their email has been compromised until they notice unusual activity — emails they didn't send, password reset requests they didn't make, or contacts reporting they've received suspicious messages from them.

Warning signs to look for

  • You receive password reset emails or two-factor authentication codes you didn't request — this means someone is trying to access your account.
  • Emails appear in your Sent folder that you didn't write — the scammer is using your account to contact others.
  • Your email provider shows a login from an unfamiliar location or device, especially a country you've never visited.
  • Contacts tell you they've received strange emails from you asking for money, gift cards, or personal information.
  • You can no longer log in to your email account — the scammer has changed the password or recovery details.
  • Your linked accounts (bank, PayPal, Amazon) show activity you didn't authorise, or you receive notifications about password changes you didn't make.
  • You see unfamiliar recovery email addresses or phone numbers added to your account settings.
  • Your email provider sends a security alert about suspicious activity or a new device signing in.

How this scam works step by step

The scammer first obtains your email address and password, usually through a data breach from a website you've used, a phishing email that tricked you into entering your login details, or malware on your computer. They then log into your email account from their own device or location. Once inside, they immediately change the recovery email address and phone number so you can't regain access. They scan your inbox for sensitive information — bank statements, invoices, personal documents — and look for password reset links from other services.

They then use your email to reset passwords on your bank account, PayPal, Amazon, or other financial platforms, locking you out. They may send emails to your contacts pretending to be you, asking for money, gift cards, or personal information. Some scammers sell access to your account to other criminals, or use it to send spam and phishing emails to your contacts. You typically discover the takeover when you try to log in and can't, or when your bank alerts you to suspicious activity.

How to verify if it is genuine

If you suspect your email account has been compromised, act immediately — don't wait for confirmation. First, try to log in to your email account from a device you trust. If you can't log in, use the 'Forgot password' option, but be aware the scammer may have changed your recovery email or phone number. If you can access your account, check the 'Security' or 'Account activity' section (usually in Settings) to see recent logins and devices. Look for unfamiliar locations or devices. Check your recovery email address and phone number — if they've been changed, the account is compromised.

Review connected apps and services to see if anything unauthorised has been added. If you cannot regain access, contact your email provider's support team directly using the phone number or contact form on their official website — never use a number from a search result or email. For Gmail, visit myaccount.google.com; for Outlook, visit account.microsoft.com. If your bank account has been accessed, call your bank immediately using the number on your card or their official website.

What to do if you have already interacted

If you believe your email account has been taken over, act within the first few hours — the longer you wait, the more damage the scammer can do.

  1. If you can still access your account, change your password immediately to something long and unique (at least 16 characters, mixing letters, numbers, and symbols).
  2. Check and update your recovery email address and phone number to ones only you control.
  3. Review all connected apps and services in your account settings and remove anything you don't recognise.
  4. Check your forwarding rules — scammers often set up email forwarding to hide their activity.
  5. Enable two-factor authentication if you haven't already.
  6. If you cannot access your account, contact your email provider's support team and explain the situation — they can help you regain access.
  7. Immediately change passwords on all other accounts (bank, PayPal, Amazon, social media) using a different device.
  8. Contact your bank and any financial services linked to the email to alert them of potential fraud.
  9. Monitor your credit report for signs of identity theft.
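The forwarding-rule check above is the one most people skip, because a hijacker's filter can quietly trash or forward password-reset mail while the inbox looks normal. As an added example (not part of this guide, and not an official Google tool), the Python script below audits a Gmail filter export for exactly those rules. Gmail lets you export your filters as an Atom XML file from Settings > See all settings > Filters and Blocked Addresses > Export; the sample export embedded here is constructed, the addresses in it are placeholders, and the list of "sensitive" words is the example's own assumption.

```python
"""Audit an exported Gmail filter file for rules a hijacker typically leaves behind.

Each <entry> in the export carries <apps:property> elements such as 'from',
'subject', 'hasTheWord', 'forwardTo', 'shouldTrash', 'shouldArchive' and
'shouldMarkAsRead'. A rule is reported when it forwards mail out of the
account, or when it hides (trashes/archives/marks read) messages whose match
criteria mention security or money matters.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Assumption: words that tend to appear in the mail an attacker wants you not to see.
SENSITIVE_TERMS = ("password", "reset", "verification", "verify", "security",
                   "sign-in", "bank", "invoice", "payment")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")

# Constructed sample export: one harmless newsletter rule and two hijacker-style rules.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='hasTheWord' value='password OR verification OR sign-in'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='bank.example'/>
    <apps:property name='forwardTo' value='attacker-placeholder@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict per filter, mapping property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {}
        for prop in entry.findall(APPS + "property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def audit_filters(xml_text, own_domains=("gmail.com",)):
    """Return (severity, reason, rule) findings, highest severity first."""
    findings = []
    for rule in parse_filters(xml_text):
        criteria = " ".join(rule.get(k, "") for k in CRITERIA_KEYS).lower()
        hides = [a for a in HIDING_ACTIONS if rule.get(a) == "true"]
        target = rule.get("forwardTo")
        if target:
            # Any forward is worth a look; one to a domain you don't own is the red flag.
            domain = target.rsplit("@", 1)[-1].lower()
            severity = "high" if domain not in own_domains else "medium"
            findings.append((severity, f"forwards matching mail to {target}", rule))
        if hides and any(term in criteria for term in SENSITIVE_TERMS):
            findings.append(("high", "hides security-related mail via " + ", ".join(hides), rule))
        elif hides and not criteria.strip():
            # No match criteria at all means the action applies to every message.
            findings.append(("high", "hides ALL incoming mail via " + ", ".join(hides), rule))
    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with open("mailFilters.xml").read() to audit a real export.
    for severity, reason, rule in audit_filters(SAMPLE_EXPORT):
        print(f"[{severity.upper()}] {reason}  criteria={ {k: rule[k] for k in CRITERIA_KEYS if k in rule} }")
```

Run against a real export it prints each suspicious rule with the criteria it matches on, so you can delete the rule in Gmail's settings. Note that this covers only filter-based forwarding: Gmail's account-wide forwarding address under the "Forwarding and POP/IMAP" tab is a separate setting and is not in the filter export, so check that tab by hand as well. The same idea applies to Outlook's Rules and Forwarding settings, but the export format differs and is not handled here.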

Reporting this scam in the UK

Report email account takeover to Action Fraud, the UK's national fraud reporting service, by calling 0300 123 2040 or visiting actionfraud.police.uk. They will record the incident and may investigate if there's evidence of wider fraud. Report the phishing or malware email to the NCSC Suspicious Email Reporting Service by forwarding it to report@phishing.gov.uk — this helps protect other UK users. If you received a suspicious text message that led to the takeover, forward it to 7726 (the number spells 'SPAM' on a phone keypad). Contact your email provider's abuse team directly to report the compromise and request account recovery assistance.

If money was stolen from your bank account, report it to your bank immediately and ask about a chargeback or refund. Report the incident to the Citizens Advice consumer helpline on 0808 223 1133 for guidance on next steps. If your personal data has been compromised, you can also report it to the Information Commissioner's Office (ICO) at ico.org.uk, though this is typically for data breaches by organisations rather than individual account takeovers.

Frequently asked questions

Is my email provider responsible if my account is hacked?

Your email provider has a responsibility to maintain reasonable security, but you are also responsible for protecting your own password and account. If your account was compromised because you used a weak password or fell for a phishing email, the provider is unlikely to refund any losses. However, if there was a data breach on their servers, they may be liable. Contact your provider's support team to discuss your specific situation and ask what security measures failed.

What should I do if the scammer has already sent money from my bank account?

Contact your bank immediately using the number on your card or their official website — do not use a number from an email or search result. Report the fraudulent transactions and ask about a refund or chargeback. Banks can often recover money if you report it quickly, especially if the transfer hasn't cleared yet. Also report the fraud to Action Fraud on 0300 123 2040 and ask your bank to flag your account for monitoring. Keep records of all communications with your bank.

How do I know if my email password was in a data breach?

You can check if your email address or password has appeared in a known data breach by visiting haveibeenpwned.com, a free service run by security researcher Troy Hunt. Enter your email address and it will tell you which breaches your account may have been involved in. If your email appears in a breach, change your password immediately, even if you haven't noticed any suspicious activity. Use a unique, strong password that you don't use on any other website.

How do I report an email account takeover to the police?

Report it to Action Fraud, the national fraud reporting service, by calling 0300 123 2040 or visiting actionfraud.police.uk. You can also report it to your local police force's non-emergency number (101 in most areas), though Action Fraud is the primary route for fraud reports. If the takeover involved phishing or malware, also report the suspicious email to the NCSC at report@phishing.gov.uk. Keep records of all evidence, including screenshots of suspicious activity, emails, and communications with your email provider.


Reviewed against current UK reporting guidance from Action Fraud, the National Cyber Security Centre, and Citizens Advice. Last reviewed 2026-06-19.