Quick Tech Tip: Check Email Forwarding Rules Before They Leak Your Messages

Practical tech tip for May 31, 2026: take ten minutes to check your email forwarding rules, inbox rules, and filters. If a scammer ever gets into an email account, hidden forwarding or auto-delete rules can let them keep watching messages even after the password is changed.

This is one of those quiet security checks that helps both regular people and small businesses. Email is usually where password resets, invoices, client questions, bank alerts, shipping updates, vendor messages, payroll notices, and website notifications land. If an attacker can secretly forward copies, hide security alerts, or move messages out of sight, they can stretch a short account compromise into a longer problem.

Why This Tip Matters

Most people think about email security as a password problem. Passwords matter, but mailbox settings matter too. Gmail can automatically forward messages and can use filters to archive, delete, label, or forward matching email. Outlook can use rules to move, forward, redirect, delete, or otherwise process messages. Those features are useful when you set them up intentionally. They are risky when you do not recognize them.

For a home user, a bad rule might hide bank alerts or password reset notices. For a small business, it might forward invoices, customer requests, Microsoft 365 alerts, web hosting notices, or vendor account emails to an outside address. The practical goal is simple: make sure every rule in the mailbox has a legitimate business reason and an owner who understands why it exists.

Start With The Accounts That Matter Most

You do not have to inspect every mailbox in your life today. Start with the accounts where a hidden rule would hurt the most:

• Your main personal email account.
• Your business owner or manager email account.
• Accounting, billing, payroll, banking, or vendor mailboxes.
• Microsoft 365 or Google Workspace admin accounts.
• Website, domain, hosting, and social media recovery email accounts.
• Shared mailboxes used for sales, support, scheduling, invoices, or customer contact.

Step-By-Step: Check Gmail Forwarding And Filters

1. Open Gmail in a browser. Use the full desktop web version so you can see the complete settings area.
2. Click the gear icon, then See all settings. Do not rely only on the mobile app for this check.
3. Open Forwarding and POP/IMAP. Look for any forwarding address you do not recognize. If forwarding is enabled, confirm who owns the destination address and why the forwarding exists.
4. Open Filters and Blocked Addresses. Review every filter. Pay close attention to filters that forward, delete, archive, mark as read, skip the inbox, or apply labels to messages from banks, vendors, customers, Microsoft, Google, Apple, payroll providers, or password reset emails.
5. Remove rules that are not needed. If you cannot explain the rule, do not leave it running. Take a screenshot for your records if the account may have been compromised, then remove the suspicious rule.
6. Change the password and review security. If you found unknown forwarding or filters, change the account password, turn on multifactor authentication, check recovery email and phone settings, and sign out unfamiliar sessions.

Google’s Gmail Help pages explain how automatic forwarding and filters work. Google also notes that if you see a forwarding notice and did not set it up, you should change your password immediately.

Step-By-Step: Check Outlook And Microsoft 365 Rules

1. Open Outlook on the web. Go through the browser version first because it usually shows server-side mailbox rules clearly.
2. Open Settings. Use the gear icon, then go to Mail settings and look for Rules. In some Outlook views this is under Mail > Rules.
3. Review every rule. Look for anything that forwards, redirects, deletes, marks as read, moves to Archive, moves to RSS/Conversation History, or sends messages to a folder you do not normally inspect.
4. Check forwarding separately. Outlook and Microsoft 365 can have a forwarding setting outside the normal rule list. Confirm that mail is not being forwarded to an unknown external address.
5. Remove anything suspicious. If this is a business mailbox, record what you found before deleting it so your IT provider can investigate.
6. Review sign-ins and reset security. For a compromised Microsoft account, Microsoft recommends recovery steps that include changing the password and reviewing account security information. Business Microsoft 365 tenants should also review sign-in logs, MFA status, admin roles, and mail flow settings.

What Suspicious Rules Often Look Like

Not every suspicious rule says “forward all mail to [email protected].” Some are more subtle. Look for rules that:

• Forward or redirect messages to an outside address you do not know.
• Delete messages from Microsoft, Google, Apple, banks, payroll, domain registrars, or security services.
• Mark messages as read so alerts are easier to miss.
• Move invoices, payment notices, wire transfer emails, purchase orders, or password resets to an unusual folder.
• Use vague names like “.”, “1”, “Backup”, “Sync”, “System”, “Update”, or “Admin” without a clear purpose.
• Target words such as password, reset, invoice, payment, wire, MFA, verification, security, domain, hosting, or bank.

Small Business Example

Imagine a small office where the billing mailbox receives vendor invoices and payment questions. A compromised mailbox rule could forward any email containing “invoice,” “ACH,” “wire,” or “payment” to an outside address, then mark those messages as read. The business might keep using the mailbox normally while a scammer watches for opportunities to send fake payment instructions or intercept vendor conversations.

That is why this check is useful even when nothing feels wrong. You are not only looking for malware or spam. You are looking for quiet account behavior that changes where important information goes.

Important Cautions

Do not delete evidence if money, customer data, payroll, or legal records may be involved. If you find suspicious rules in a business mailbox, take screenshots or export the rule details before removing them. Your IT provider may need that information to understand what was exposed.

Do not assume a password change fixes everything. If an attacker created a forwarding rule before the password changed, that rule may keep running. You also need to review sessions, MFA, recovery methods, connected apps, delegated mailbox access, and admin users.

Do not remove legitimate business automation blindly. Some rules move invoices, support tickets, scheduling emails, or customer requests into shared folders. If you are not sure, ask the person who owns the workflow before deleting it.

Do not rely only on desktop Outlook rules. Some rules live on the mail server and some may be visible in Outlook on the web. Check the web settings for Microsoft 365 and Outlook.com accounts.

What Can Go Wrong

• Missed security alerts: a rule can hide warnings about logins, MFA prompts, password resets, or recovery changes.
• Invoice fraud: an attacker watching billing messages may try to change payment instructions or impersonate a vendor.
• Lost customer messages: a bad rule can move real messages to spam, archive, trash, or an unexpected folder.
• Ongoing data leak: forwarding can continue sending copies of future email until someone finds and removes it.
• Broken business workflow: removing a legitimate rule without understanding it can interrupt sales, support, billing, or scheduling.

When To Call The IT Guys

Call The IT Guys if you find unknown forwarding, unknown filters, suspicious rules, unfamiliar devices, strange sign-ins, new recovery methods, unexpected MFA prompts, or email that seems to disappear. You should also get help if a business mailbox handles invoices, payroll, customer information, legal notices, health information, or admin account recovery.

For Microsoft 365 or Google Workspace businesses, a proper cleanup should usually include mailbox rules, forwarding settings, sign-in logs, MFA enrollment, admin roles, shared mailbox permissions, connected apps, recovery information, and employee offboarding records. The mailbox rule is often just the clue, not the whole incident.

Useful Source Links

• Google Help: Automatically Forward Gmail Messages To Another Account
• Google Help: Create Rules To Filter Your Emails
• Microsoft Support: Manage Email Messages By Using Rules In Outlook
• Microsoft Support: How To Recover A Hacked Or Compromised Microsoft Account
• FTC: How To Recover Your Hacked Email Or Social Media Account

Quick Takeaway

Open your email settings, review forwarding and rules, remove anything you cannot explain, and treat unknown rules as a possible sign of account compromise. It is a small check, but it can stop a quiet leak before it turns into a bigger problem.