How can users detect unauthorized login attempts?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You get a notification saying someone logged into your account from a new device. Is that you on your phone, or someone else halfway across the world? Knowing how to read these alerts, and what to look for beyond them, is one of the most practical security habits you can build.

Most major email providers have built-in activity logs. Here's where to find them:

  • Gmail: Scroll to the bottom of your inbox and click "Details" next to "Last account activity." You'll see recent login times, device types, and IP addresses. Google also sends alerts for new device sign-ins automatically.
  • Outlook / Microsoft 365: Go to your Microsoft account security page and check "Recent activity." It shows every sign-in attempt, successful or not, with location data.
  • Yahoo Mail: Under Account Security, you can view recent sign-in activity and set up notifications for unfamiliar sign-ins.
  • ProtonMail: Check Settings under Security for active sessions and sign-in logs.

Beyond the activity log, there are behavioral warning signs that often show up before you even think to check your security settings. Watch for these:

  • Password reset emails you never requested
  • Bounce messages for emails you didn't send
  • Contacts asking about strange messages from your address
  • Unexpected account lockouts or "too many failed attempts" notices
  • Sent folder items you don't recognize
  • New forwarding rules you didn't create (this one is sneaky, attackers love this)

That last one is worth pausing on. Account takeover attackers often don't change your password at all. They just set up a silent forwarding rule so every email you receive also goes to them. You'd never know unless you checked your mail settings directly.

A quick checklist to run right now:

  1. Open your email provider's activity log and look for unrecognized IPs or locations
  2. Check active sessions and log out anything you don't recognize
  3. Review your forwarding and filter rules for anything unfamiliar
  4. Check connected apps and third-party OAuth access (revoke anything you don't actively use)
  5. Confirm your recovery email and phone number haven't been changed

On alerts and alert fatigue: enable new-device notifications and unusual-location warnings, then leave it there. Don't sign up for every possible ping or you'll start ignoring them all. The goal is to get notified when something genuinely doesn't fit your normal pattern, not to receive noise every time you check email from a coffee shop.

If something does look wrong, the next question is what your provider does automatically to protect your account. That's covered in how mail providers lock accounts after a compromise.

And if your account is showing signs of active compromise right now, don't wait. Our SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalized security checklist for your email account

I want to review my email account for signs of unauthorized access. Based on my provider (your email provider, e.g. Gmail, Outlook, Yahoo) and my situation (personal use / business account / ESP login), can you give me a ranked checklist of the most important things to check first? Please include where to find each setting and what a suspicious result actually looks like.

Edit the yellow boxes, then send to the AI of your choice.