BEC Security Check

Check Your Gmail for Silent Forwarding Rules

Silent email forwarding is the #1 technique in Business Email Compromise attacks. An attacker gains access to your Gmail account and adds a forwarding rule — your inbox looks normal, but every email you receive is being copied to them. Here is how to check in under 2 minutes.

$2.9B: BEC losses in 2024 (FBI IC3)
1 in 5: BEC attacks use email forwarding
30 sec: Time to check your forwarding settings

Gmail Forwarding Rules Checklist

Follow these steps in order. Each takes under 30 seconds. This must be done on a desktop browser — the Gmail mobile app does not expose forwarding settings.

1. Go to Gmail Settings

Open Gmail on desktop (mobile app does not show forwarding settings). Click the gear icon in the top-right corner, then click "See all settings."

Path: Gmail → Gear icon → See all settings

2. Open "Forwarding and POP/IMAP" tab

Click the "Forwarding and POP/IMAP" tab — it is the fourth tab across the settings page header.

Path: Settings → Forwarding and POP/IMAP

3. Check the Forwarding section for unknown addresses

Look at the Forwarding section at the top. If it shows a forwarding address you do not recognize, this is a critical red flag. Note the full email address.

Path: Forwarding section → Any address listed

4. Check "Filters and Blocked Addresses" tab for hidden auto-forwards

Go to the "Filters and Blocked Addresses" tab (fifth tab). Scroll through every filter and look for any filter action that says "Forward to." Attackers prefer filter-based forwarding because it only copies high-value emails.

Path: Settings → Filters and Blocked Addresses

5. Review Google Account recent activity

Visit myaccount.google.com/security and check "Recent security activity" for unfamiliar logins. If forwarding rules were added by an attacker, you should also see unauthorized login events.

Path: myaccount.google.com → Security → Recent activity

Red Flags to Watch For

Not all forwarding rules are malicious — you may have set up legitimate auto-forwarding yourself. These are the specific patterns that indicate unauthorized access.

Forwarding to a freemail provider you do not control

Critical

A forwarding rule pointing to a Gmail, Hotmail, Yahoo, or ProtonMail address you did not create is the primary BEC indicator. Legitimate auto-forwarding goes to corporate systems, not free consumer accounts.

Forwarding address you have no memory of adding

Critical

Even if the address looks legitimate, if you have no memory of setting it up, treat it as unauthorized. Check your Google account security log for when the setting was changed.

Multiple forwarding rules covering different criteria

High

Attackers sometimes create redundant rules to ensure they keep receiving copies even if one rule is discovered and deleted. Two or more forwarding rules is unusual for most users.

Filters targeting financial keywords

High

Filter-based forwarding on terms like "invoice," "payment," "wire transfer," "bank," or supplier names indicates targeted BEC reconnaissance — the attacker wants financial data specifically.

Forwarding rule added recently (check security log)

Medium

An unrecognized forwarding rule added in the last 30–90 days lines up with the window in which attackers typically gain access. Cross-reference the rule with your security activity log to find its creation date.
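As an added example that is not part of the original page and not Gorganizer's own code, here are checklist steps 3 and 4 and the red flags above expressed as a check over Gmail settings data. It assumes the input dicts follow the Gmail API's users.settings.getAutoForwarding and users.settings.filters.list response shapes; the sample settings at the bottom are constructed, not real data.

```python
# Added example, not Gorganizer's code: applies this page's red-flag rules to
# Gmail forwarding settings. Inputs are assumed to be shaped like the Gmail API
# users.settings.getAutoForwarding and users.settings.filters.list responses.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com",
                    "protonmail.com", "proton.me"}
FINANCIAL_TERMS = ("invoice", "payment", "wire transfer", "bank")

def forwarding_rules(auto_forwarding, filters):
    """Collect every forwarding rule in effect as (source, destination, criteria)."""
    rules = []
    if auto_forwarding.get("enabled") and auto_forwarding.get("emailAddress"):
        rules.append(("account-level", auto_forwarding["emailAddress"], ""))
    for f in filters:
        dest = f.get("action", {}).get("forward")
        if dest:  # only filters whose action is "Forward to"
            crit = " ".join(str(v) for v in f.get("criteria", {}).values())
            rules.append(("filter:" + f.get("id", "?"), dest, crit))
    return rules

def audit_forwarding(auto_forwarding, filters, known_targets=(), supplier_names=()):
    """Return (severity, source, explanation) tuples for the red flags listed above."""
    known = {k.lower() for k in known_targets}  # addresses you remember setting up
    terms = FINANCIAL_TERMS + tuple(s.lower() for s in supplier_names)
    rules = forwarding_rules(auto_forwarding, filters)
    findings = []
    for source, dest, crit in rules:
        domain = dest.rsplit("@", 1)[-1].lower()
        if dest.lower() not in known:
            findings.append(("Critical", source, f"unrecognised forwarding address {dest}"))
            if domain in FREEMAIL_DOMAINS:
                findings.append(("Critical", source, f"forwards to freemail provider {domain}"))
        hits = [t for t in terms if t in crit.lower()]
        if hits:
            findings.append(("High", source, "filter targets financial keywords: " + ", ".join(hits)))
    if len(rules) >= 2:  # redundant rules are unusual for most users
        findings.append(("High", "all", f"{len(rules)} forwarding rules in effect"))
    return findings

# Constructed sample, not real data: an account-level forward plus a filter-based
# forward on financial keywords, and one harmless filter that should not fire.
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "backup.mailbox.2024@gmail.com",
                          "disposition": "leaveInInbox"}
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"query": 'invoice OR "wire transfer" OR "acme supplies"'},
     "action": {"forward": "acct.receipts@hotmail.com"}},
    {"id": "f2", "criteria": {"from": "news@example.com"}, "action": {"addLabelIds": ["TRASH"]}},
]
```

Running `audit_forwarding(SAMPLE_AUTO_FORWARDING, SAMPLE_FILTERS, supplier_names=("Acme Supplies",))` yields four Critical and two High findings; pass the addresses you set up yourself in `known_targets` so they are not flagged.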

If You Find an Unauthorized Forwarding Rule

Act immediately. If an attacker added a forwarding rule, they still have — or had — access to your account. Speed matters: every day the rule runs, more of your email is compromised.

  1. Delete the forwarding rule (Settings → Forwarding and POP/IMAP → remove address) and any suspicious filters.
  2. Change your Google account password immediately at myaccount.google.com/security.
  3. Enable 2-Step Verification using an authenticator app or hardware key — not SMS.
  4. Sign out all other sessions: myaccount.google.com/security → Your devices.
  5. Revoke suspicious third-party app permissions at myaccount.google.com/permissions.
  6. If financial communications were exposed, notify your bank, clients, or IT security team.

Scan My Inbox for BEC Signals

Beyond forwarding rules, Gorganizer scans your Gmail inbox for BEC indicators: lookalike sender domains, reply-to injection, impersonation patterns, and 1,751+ other threat signals.


Free scan · $4.99 one-time cleanup · No subscription required

Frequently Asked Questions

What is silent email forwarding and why is it dangerous?

Silent email forwarding is when an attacker adds a Gmail forwarding rule after compromising your account, sending a copy of every incoming email to an address they control. You continue receiving mail normally. The attacker silently monitors your inbox for weeks before striking with fraudulent wire transfers or impersonation. The FBI IC3 reported $2.9 billion in BEC losses in 2024.

How do I check Gmail forwarding settings?

Open Gmail on desktop. Click the gear icon then "See all settings." Click "Forwarding and POP/IMAP." Any listed address you do not recognize was added without your authorization. Also check Settings → Filters and Blocked Addresses for filters with "Forward to" actions.

Is filter-based forwarding more dangerous than account-level forwarding?

Both are dangerous, but filter-based forwarding is harder to detect. It only copies specific emails — for example, those containing "invoice" or "wire transfer" — so most of your inbox is unaffected and you are less likely to notice. Account-level forwarding copies everything but is easier to find in settings.
