Field note · 5 min read
Email hacked or spoofed? How to tell the difference in two minutes
A scary email from your own address is almost always spoofing, not a hack. The two-minute test to tell which, what each verdict means, and exactly what to do for spoofing versus a real account compromise.
One-paragraph answer. A scary email that appears to come from you is almost always spoofing — a forged From line written by a stranger who has no access to your account — not a hack, which means someone is actually inside your mailbox. The two feel identical in your inbox but are completely different problems, and you can tell them apart in about two minutes by checking the handful of things that genuinely require access. Here is that test, what each verdict means, and exactly what to do for each.
The two-minute test: hacked or spoofed?
Forgery leaves no trace inside your account, because the forger was never inside it. A real compromise does. Check these five things — if they’re all clean, you were spoofed, not hacked:
- Recent sign-in activity. Every major provider logs where and when your account was accessed. Open it and look for devices, locations, or times you don’t recognize. Nothing unfamiliar means no one is in your account.
- Your Sent folder. An intruder sending mail “as you” would leave copies in Sent. A self-spoof appears only in Inbox or Spam — never in Sent — because it was injected from outside.
- Forwarding rules and filters. Attackers quietly add a rule that forwards your mail elsewhere or auto-deletes security alerts. An unexpected forwarding address or filter is a strong sign of real access.
- Recovery email and phone. Check that the recovery address and number on the account are still yours. Changing these is how an intruder locks you out.
- Unrequested password-reset or sign-in codes. A trickle of reset emails you didn’t ask for means someone is trying to get in — not that they’re already in. Tighten now before it becomes a real compromise.
If it was spoofing (the common case)
The email protocol never required the From address to be truthful, so anyone can type your address into it — the same way anyone can write your name as the return address on a paper envelope. The message fails the checks that prove identity (SPF and DKIM for your domain), but most inboxes fail open and deliver it anyway with at most a warning. That’s why it reached you. There is no account to secure and nothing was breached; the right response is to stop these messages at the door rather than chase them one at a time — covered in how to stop spam from your own address.
If it was a real compromise (rarer, urgent)
If any check above looked wrong — an unfamiliar login, sent mail you didn’t write, a forwarding rule you didn’t set — treat it as a genuine compromise and move quickly, in this order:
- Change your password to something unique you’ve never used elsewhere.
- Turn on two-factor authentication so a password alone can’t open the account again.
- Sign out all other sessions (most providers have a “sign out everywhere” control) to evict anyone currently connected.
- Remove unfamiliar forwarding rules, filters, and recovery addresses the attacker may have added to keep a foothold.
- Check accounts that use this mailbox for password resets — banking, social, shopping — since whoever holds your email can reset those too.
The gray area: the email quotes a real password
One wrinkle unsettles people: the message includes a password you’ve actually used. That almost never came from your mailbox — it came from a third-party data breach, and the sender is bluffing that it implies more access than it does. Change that password everywhere you reused it and enable two-factor authentication. It is still not evidence that your email account itself was opened; check the five signs above to confirm.
Stopping the spoofed ones for good
Ruling out a hack doesn’t stop the next forgery from landing — that’s a property of the inbox, not your account. Folio runs SPF, DKIM, and DMARC on every incoming letter and files mail that fails authentication straight to Spam on arrival, before it’s ever scored on content, so a message forged to look like it’s from your own address never reaches your inbox — and it explains, in plain English, exactly which check failed. If it’s your own domain being forged in other people’s inboxes, start with a free domain health check to see where your SPF, DKIM, and DMARC stand.
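Added example, not Folio's code and not from the original page: a small Python filter that does what the spoofing section and this one describe. It reads the Authentication-Results header a receiving server stamps on a message, and instead of failing open it files anything that did not pass DMARC to Spam, naming which of SPF, DKIM and DMARC failed. The two sample messages, the domain example.com and the server name mx.example.net are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples. example.com stands in for your domain, mx.example.net
# for the receiving server that wrote the Authentication-Results header.
SELF_SPOOF = """\
From: you@example.com
Subject: I am inside your account
Authentication-Results: mx.example.net;
 spf=fail (sender 203.0.113.9 not authorized) smtp.mailfrom=attacker.example;
 dkim=none (no signature);
 dmarc=fail (p=REJECT) header.from=example.com
"""
LEGIT = """\
From: you@example.com
Subject: note to self
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com;
 dmarc=pass (p=REJECT) header.from=example.com
"""
RESULT_RE = re.compile(r"^\s*(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

def auth_results(raw):
    """Map each method to its result, e.g. {'spf': 'fail', 'dkim': 'none'}.
    The first ';'-separated field is the checking server's id and is skipped."""
    msg = message_from_string(raw, policy=policy.default)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:
            m = RESULT_RE.match(clause)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def triage(raw, own_address):
    """Fail closed: deliver only on dmarc=pass; otherwise file to Spam and
    name the checks that failed in plain words."""
    msg = message_from_string(raw, policy=policy.default)
    results = auth_results(raw)
    from_addr = parseaddr(str(msg["From"]))[1].lower()
    failed = [f"{k}={results.get(k, 'missing')}"
              for k in ("spf", "dkim", "dmarc") if results.get(k) != "pass"]
    # DMARC passes only when SPF or DKIM passes *and* aligns with the From
    # domain, so it is the verdict; the spf/dkim entries explain the failure.
    if results.get("dmarc") == "pass":
        return "inbox", "dmarc=pass: the From domain is genuine"
    who = "your own address" if from_addr == own_address.lower() else from_addr
    return "spam", f"From shows {who} but failed " + ", ".join(failed)
```

Note that a DMARC pass needs only one aligned method, so a forwarded message with spf=fail but dkim=pass still lands in the inbox; a self-spoof with neither is filed away with the reason attached.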
Frequently asked
How can I tell if my email was hacked or just spoofed?
Check the things that require real access: recent sign-in activity, your Sent folder, forwarding rules and filters, and your recovery address. If all are clean, the scary From line is forgery (spoofing), not a breach. If you see unfamiliar logins, sent mail you didn’t write, or rules you didn’t create, treat it as a real compromise and secure the account immediately.
Does getting an email from my own address mean I was hacked?
Almost never. The From line is editable text anyone can forge without touching your account. A self-spoof shows up only in Inbox or Spam, never in Sent. Confirm by checking sign-in activity for unfamiliar logins; if it’s clean, you were spoofed, not hacked.
What should I do first if I think my email really was hacked?
Change your password to a unique one, enable two-factor authentication, and sign out all other sessions to evict anyone connected. Then remove any forwarding rules, filters, or recovery addresses you didn’t set, and reset passwords on accounts that use this mailbox for recovery, since whoever holds your email can reset those too.
The email knows my password — am I hacked?
Probably not through your mailbox. Reused passwords leak in third-party data breaches, and scammers quote them to seem credible. Change that password everywhere you used it and turn on two-factor authentication, but don’t assume your email account was opened — verify with the sign-in and Sent-folder checks.
How do I stop spoofed emails once I’ve confirmed I wasn’t hacked?
Spoofing is stopped by the inbox, not by securing your account. Use a mail provider that enforces SPF, DKIM, and DMARC and files mail that fails authentication to Spam on arrival, so forgeries never reach you. A per-message filter for your own address helps in the meantime but only catches that one disguise.