Security Alert

Is Your Gmail Secretly Forwarding to an Attacker?

Business Email Compromise (BEC) attackers compromise Gmail accounts and add hidden forwarding rules — silently copying every email you receive to an address they control. Here is how to find and remove them.

The Threat: Silent Email Forwarding in BEC Attacks

In a Business Email Compromise (BEC) attack, an attacker gains access to your Gmail account, usually through phishing, credential stuffing, or a password reused from a data breach. Their first action is often not to send fraudulent email. It is to add a forwarding rule, because a rule keeps delivering your mail to them even after you change your password.

The forwarding rule sends a copy of every incoming email to an address the attacker controls. You continue to receive your emails normally. Nothing looks different. But the attacker now receives a live copy of your inbox — watching for wire transfer requests, supplier invoices, banking communications, and sensitive business information.

This reconnaissance phase can last weeks or months before the attacker strikes. They learn your email patterns, your suppliers, your executives' writing style, and your payment processes — then use that intelligence to redirect a wire transfer or impersonate your CEO.

The FBI's Internet Crime Complaint Center (IC3) recorded over $2.9 billion in reported BEC losses in 2023. Forwarding rules are a standard part of the BEC attack chain, and they survive a password change, so a compromised mailbox can keep leaking long after the original login is cut off. A one-minute check of your Gmail settings can determine whether you are currently being monitored.

Step 1: Check Gmail Account-Level Forwarding

Account-level forwarding sends a copy of every incoming message to another address. It is the broadest form of Gmail forwarding and the easiest to spot, because it shows up as a single line in settings. Check it first; it takes under a minute.

1
Open Gmail on desktop

This cannot be done from the mobile app. You must use Gmail in a browser.

2
Click the gear icon (top right) → "See all settings"

The quick settings panel appears first — you need to click "See all settings" to access the full settings page.

3
Click the "Forwarding and POP/IMAP" tab

The tab is labelled "Forwarding and POP/IMAP". Its position in the row of tabs differs between personal and Google Workspace accounts, so find it by name rather than by position.

4
Check the Forwarding section

If forwarding is active, you will see a message like "Forward a copy of incoming mail to [address]." Look at that address carefully.

If you see a forwarding address you do not recognize, this is a red flag. Do not dismiss it — an unfamiliar forwarding address almost certainly means unauthorized access.

5
Remove any unauthorized forwarding addresses

Click "remove [address]" next to any address you did not add yourself, including addresses still listed as unverified or pending. Then click "Disable forwarding" to turn forwarding off entirely. Gmail only forwards to an address that has been confirmed with a verification code, but an attacker who controls both your account and the destination completes that verification themselves, so a verified address is no evidence of legitimacy.

Step 2: Check Gmail Filters for Hidden Auto-Forward Rules

Beyond account-level forwarding, attackers also use Gmail filters to forward only specific mail. A filter might forward just the messages containing "wire transfer," "invoice," or "payment," which is harder to notice because the rest of your mail is untouched. Filters are also used to cover tracks: a rule that deletes, archives, or marks as read any message mentioning "password," "security alert," or "forwarding" hides Google's own notifications and any replies from colleagues that would tip you off. Treat those filters as seriously as a forwarding rule.

1
Go to Settings → "See all settings" → "Filters and Blocked Addresses" tab

The tab is labelled "Filters and Blocked Addresses"; as with the forwarding tab, locate it by name.

2
Review every filter in the list

Gmail lists each filter as a "Matches:" line (the criteria) followed by a "Do this:" line (the action). Any filter whose action includes "Forward to" is suspect if you did not create it, and so is any filter that deletes, archives ("Skip Inbox"), or marks as read mail you would normally want to see.

3
Click "details" on any filter you do not recognize

This shows the full criteria (what emails trigger it) and the full action (what happens to those emails). A legitimate filter you created yourself will be familiar.

4
Delete any filter that forwards to an unknown address

Click "delete" next to any filter with a "Forward to" action directed at an address you do not recognize.
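Both checks above can be automated against the Gmail API, which is how you would sweep every mailbox in an organization rather than one inbox by hand. The Python below is an added example written for this page; it is not Gorganizer's code or Google's. It runs offline over constructed responses shaped like the Gmail API's AutoForwarding, filters-list and delegates-list resources (the addresses, filter IDs, and the OWNED_DOMAINS/KNOWN_FORWARDS allowlist are all hypothetical), and it also covers the delegation check the page only mentions in passing. In real use you would fetch the three inputs with google-api-python-client: service.users().settings().getAutoForwarding(userId="me").execute(), service.users().settings().filters().list(userId="me").execute(), and service.users().settings().delegates().list(userId="me").execute().

```python
"""Offline audit of Gmail forwarding, filter and delegation settings.

Added example for this page (not Gorganizer's or Google's code). The input
dicts mirror the Gmail REST API resources; the samples at the bottom are
constructed, as is the allowlist of trusted destinations.
"""
import re

# Assumption: addresses and domains the owner legitimately forwards to.
OWNED_DOMAINS = {"example.com"}
KNOWN_FORWARDS = {"archive@example.com"}

# Terms that distinguish a hide-the-evidence or intercept-payments filter
# from ordinary housekeeping (newsletters, project labels).
SECURITY_TERMS = re.compile(
    r"security alert|password|sign-in|forwarding|verification|suspicious", re.I)
FINANCE_TERMS = re.compile(
    r"\b(invoice|payment|wire|transfer|remit\w*|bank\w*|ach|swift|iban)\b", re.I)


def is_trusted(address: str) -> bool:
    """True if a forwarding/delegation target is one the owner expects."""
    address = address.strip().lower()
    if not address:
        return False
    return address in KNOWN_FORWARDS or address.rsplit("@", 1)[-1] in OWNED_DOMAINS


def audit_auto_forwarding(auto_forwarding: dict) -> list:
    """Account-level forwarding (Settings -> Forwarding and POP/IMAP)."""
    if not auto_forwarding.get("enabled"):
        return []
    target = auto_forwarding.get("emailAddress", "")
    if is_trusted(target):
        return []
    return [("critical", "auto-forwarding",
             f"all incoming mail forwarded to {target} "
             f"(disposition={auto_forwarding.get('disposition', 'unknown')})")]


def audit_filters(filters_response: dict) -> list:
    """Filter forwarding and cover-tracks filters (Filters and Blocked Addresses)."""
    findings = []
    for flt in filters_response.get("filter", []):
        criteria = flt.get("criteria", {})
        action = flt.get("action", {})
        match_text = " ".join(str(v) for v in criteria.values())
        target = action.get("forward", "")
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        # Trashing, archiving (remove INBOX) or marking read (remove UNREAD)
        # all keep the message out of the victim's sight.
        hides = bool({"TRASH", "SPAM"} & added or {"INBOX", "UNREAD"} & removed)
        reasons, severity = [], None
        if target and not is_trusted(target):
            severity = "critical"
            reasons.append(f"forwards matching mail to {target}")
        if hides and SECURITY_TERMS.search(match_text):
            severity = severity or "high"
            reasons.append("hides security notices from the mailbox owner")
        if hides and FINANCE_TERMS.search(match_text):
            severity = severity or "high"
            reasons.append("hides or marks read payment-related mail")
        if reasons:
            findings.append((severity, f"filter {flt.get('id')}",
                             "; ".join(reasons) + f" [criteria={criteria}]"))
    return findings


def audit_delegates(delegates_response: dict) -> list:
    """Mailbox delegation (Settings -> Accounts and Import -> Grant access)."""
    findings = []
    for d in delegates_response.get("delegates", []):
        addr = d.get("delegateEmail", "")
        if not is_trusted(addr):
            findings.append(("high", "delegate",
                             f"{addr} can read and send as this mailbox "
                             f"(status={d.get('verificationStatus', 'unknown')})"))
    return findings


def audit_mailbox(auto_forwarding, filters_response, delegates_response):
    """Combine the three checks, most severe first (stable within a level)."""
    order = {"critical": 0, "high": 1}
    findings = (audit_auto_forwarding(auto_forwarding)
                + audit_filters(filters_response)
                + audit_delegates(delegates_response))
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample responses (Gmail API shapes; not real data).
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "mailbox.sync.7731@example.net",
                          "disposition": "leaveInInbox"}
SAMPLE_FILTERS = {"filter": [
    {"id": "flt-001", "criteria": {"query": 'invoice OR payment OR "wire transfer"'},
     "action": {"forward": "ap.review@example.net", "removeLabelIds": ["UNREAD"]}},
    {"id": "flt-002", "criteria": {"from": "no-reply@accounts.google.com", "subject": "Security alert"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},
    {"id": "flt-003", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "flt-004", "criteria": {"to": "helpdesk@example.com"},
     "action": {"forward": "archive@example.com"}},
]}
SAMPLE_DELEGATES = {"delegates": [{"delegateEmail": "ops.temp@example.net",
                                   "verificationStatus": "accepted"}]}

if __name__ == "__main__":
    for severity, where, detail in audit_mailbox(SAMPLE_AUTO_FORWARDING, SAMPLE_FILTERS, SAMPLE_DELEGATES):
        print(f"[{severity.upper()}] {where}: {detail}")
```

On the sample data the script reports four findings: the account-level forward and the invoice/payment forwarding filter as critical, and the filter that trashes Google security alerts and the unknown delegate as high; the newsletter-archiving filter and the forward to an owned address are left alone. The allowlist is the part you tune per organization; everything else is the same logic the manual steps describe, and the delegate check covers a persistence route that does not show up on either forwarding tab.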

Red Flags: Signs Your Account Has Been Compromised

Forwarding rules you did not create

Critical

Any forwarding address in Settings → Forwarding that you do not recognize is almost certainly unauthorized.

Filters with "Forward to" you do not recognize

Critical

Especially filters targeting keywords like "invoice," "payment," "wire," "transfer," or financial institution names.

Unknown logins in Recent Activity

High

Check myaccount.google.com/security → "Recent security activity" for logins from unfamiliar devices or locations.

Emails marked as read that you did not open

High

If emails arrive already marked as read, someone else may have opened them before you — a sign of account access.

Third-party apps with broad Gmail access

Medium

Check myaccount.google.com/permissions for apps with "Read, compose, send, and permanently delete all your email from Gmail" permission. While there, also check myaccount.google.com/apppasswords: an app password lets an IMAP client read the whole mailbox without going through 2-Step Verification, and attackers create one for persistence.

Labels or folders created without your knowledge

Medium

Attackers sometimes create labels to organize the mail they are monitoring, or to tuck away messages a filter has pulled out of the inbox. Check for unfamiliar labels in the left sidebar.

Delegates or "Send mail as" addresses you did not add

High

Settings → Accounts and Import → "Grant access to your account" lists people who can read and send as you without knowing your password. Remove anyone you did not add yourself.

What to Do If You Find Unauthorized Rules

If you find forwarding rules or filters you did not create, act immediately and in roughly this order. The attacker may still be signed in, and a rule you delete while they still have access is simply re-added, so cut off their access first, then clean up.

1
Urgent: Change your Google account password immediately

Go to myaccount.google.com/security → Password. Use a strong, unique password that you have not used elsewhere. Changing it signs out most other sessions, which ends the attacker's live access before you touch the rules. On the same page, check the recovery email and phone number; attackers change these to keep a way back in.

2
Urgent: Sign out every session and device you do not recognize

Go to myaccount.google.com/security → Your devices and Recent security activity. Sign out of any session you do not recognize, and note the dates and locations: you will need them to work out how long the mailbox was exposed.

3
Urgent: Delete the unauthorized forwarding rule or filter

Remove the forwarding address from Settings → Forwarding and POP/IMAP. Delete any suspicious filters from Settings → Filters and Blocked Addresses, including ones that delete or archive mail rather than forward it. Check Settings → Accounts and Import for delegates you did not add.

4
Enable 2-Step Verification if not already active

Go to myaccount.google.com/security → 2-Step Verification. Use a passkey, a hardware security key, or an authenticator app rather than SMS if possible.

5
Revoke suspicious third-party app permissions and app passwords

Go to myaccount.google.com/permissions and revoke any apps with Gmail access that you do not recognize or no longer use. Delete any app passwords at myaccount.google.com/apppasswords that you did not create.

6
Notify relevant parties if sensitive information was exposed

If the attacker may have seen financial information, client data, or sensitive communications, notify the affected parties, warn suppliers and customers that any payment instructions received from your address during the exposure window must be verified by phone, and contact law enforcement or your organization's security team.

6
Notify relevant parties if sensitive information was exposed

If the attacker may have seen financial information, client data, or sensitive communications, notify affected parties and consider contacting law enforcement or your organization's security team.

Use Gorganizer to Detect Suspicious Email Patterns

Beyond forwarding rules, Gorganizer scans your inbox for BEC patterns, lookalike domains, suspicious sender behavior, and other attack indicators — using 1,200+ detection signals to flag what Gmail misses.

Scan My Gmail for Suspicious Emails

Free scan available · $4.99 one-time to clean · No subscription

Frequently Asked Questions

How do attackers use Gmail forwarding rules against you?

In BEC attacks, an attacker who gains account access immediately adds a forwarding rule to send all incoming mail to an address they control. This allows them to spy on your communications silently for weeks, learning your email patterns before striking.

How do I check if my Gmail is secretly forwarding emails?

Open Gmail → gear icon → See all settings → Forwarding and POP/IMAP tab. Any forwarding address listed that you did not add yourself is unauthorized. Also check Settings → Filters and Blocked Addresses for any filter with a "Forward to" action.

Can I tell when a forwarding rule was created?

Gmail's settings pages do not show when a forwarding address or filter was added. For a personal account, the closest proxy is the sign-in history at myaccount.google.com/security → Recent security activity: match unfamiliar sign-ins against when suspicious mail or missed replies started. Google Workspace accounts keep a better record, since an administrator can review the Admin console audit logs and Alert Center, which record forwarding changes for each user.

What is the difference between account forwarding and filter forwarding?

Account-level forwarding (in Forwarding and POP/IMAP) forwards every incoming message and is visible as a single line in settings. Filter-based forwarding only forwards messages matching specific criteria; attackers often prefer it because it is quieter and more targeted, so only the invoices and payment threads leave the mailbox. Both require the destination address to be verified, which an attacker who controls both ends does themselves.

How can I prevent this from happening?

Enable Google 2-Step Verification (a passkey or hardware security key preferred), periodically review your forwarding settings, filters, delegates, and third-party app permissions, and use Gorganizer to detect suspicious email patterns that may indicate account compromise. On Google Workspace, an administrator can also turn off automatic forwarding for the whole organization (Admin console → Apps → Google Workspace → Gmail → End User Access → Automatic forwarding), which removes the forwarding vector for every user at once.