Gmail

Step-by-step guide to securing your Gmail account

Before You Start

Is it safe to do this now?

Before making changes, consider whether the other person might notice. Changes to your Google account can trigger:

  • Email notifications to your Gmail inbox (e.g., “New sign-in from [device]”, “Recovery options changed”)
  • Alerts on other devices signed into your account
  • “Critical security alert” emails when passwords are changed

If someone has access to your inbox or monitors your devices, they may see these notifications. You may want to wait until you have a safe window, or be prepared to delete notification emails immediately.

Important: If you’re signed in on a shared computer or a device the other person controls, they can see your Gmail in real time. Prioritise signing out of those devices first.

What you’ll need

  • Access to your Gmail account (via a web browser or the Gmail app)
  • Access to your phone (for verification codes if 2-Step Verification is enabled)
  • Your current password
  • A new, secure email address (if your recovery email may be monitored)
  • Approximately 20-30 minutes of uninterrupted time

Consider doing first

  • Checking that your phone isn’t being monitored
  • Having a new, private email address ready (for recovery email changes)
  • Deciding whether to secure this account or start fresh with a new one

Quick Contacts

MethodDetailsBest for
Google Security Checkupmyaccount.google.com/security-checkupSelf-service security review
Google Help Centresupport.google.com/accountsStep-by-step guides
Account Recoveryaccounts.google.com/signin/recoveryIf locked out
Google One supportPhone/chat (subscribers only)If you pay for Google One

Note: Free Gmail accounts have very limited human support. Most account security is self-service through the Google Account dashboard.

What to say (if using Google One support):

“I need help securing my account. I’m concerned someone else may have access.”

You don’t need to explain your full situation. Keep it simple and factual.

Check Who Has Access

This is the most important step. Take your time to review each area thoroughly.

Check recent account activity

Google keeps a log of recent activity on your account:

  1. Go to myaccount.google.com/device-activity
  2. Review the list of devices that have accessed your account
  3. For each device, you can see:
    • Device type and name
    • Location (approximate, based on IP address)
    • When it was last used

What to look for:

  • Devices you don’t recognise
  • Locations that don’t match where you’ve been
  • Activity at times you weren’t using your account

Check “Last account activity” in Gmail

Gmail has a separate activity log at the bottom of your inbox:

  1. Open Gmail in a web browser
  2. Scroll to the very bottom of the page
  3. In the bottom-right corner, find “Last account activity”
  4. Click Details
  5. Review the access type, location, and time of recent sessions

This shows you IP addresses and whether access was via browser, mobile, or POP/IMAP.

Check third-party app access

Other apps and services may have permission to access your Gmail or Google account:

  1. Go to myaccount.google.com/permissions
  2. Review the list of “Third-party apps with account access”
  3. Click on each app to see what permissions it has

What to look for:

  • Apps you don’t recognise or didn’t authorise
  • Apps with extensive permissions (reading email, accessing Drive)
  • Apps someone else may have connected

Check email forwarding rules

Someone could be secretly receiving copies of all your emails:

  1. Open Gmail in a web browser
  2. Click the gear icon (top right) and select See all settings
  3. Go to the Forwarding and POP/IMAP tab
  4. Check “Forwarding:” at the top
    • It should say “Forwarding is disabled” if not in use
    • If there’s an email address listed, check if you recognise it

Important: If you find an unknown forwarding address, don’t remove it yet. First, document it (take a screenshot or note it down), then see Remove Unwanted Access.

Check filters that might hide or forward emails

Filters can be set up to automatically delete, archive, or forward certain emails without you seeing them:

  1. In Gmail settings, go to the Filters and Blocked Addresses tab
  2. Review each filter carefully
  3. Look for filters that:
    • Forward emails to another address
    • Automatically delete emails
    • Skip the inbox (archive immediately)
    • Mark as read automatically

Red flag: Filters targeting emails from banks, security alerts, or password reset messages.

Check recovery email and phone

Someone may have added their own recovery options to maintain access:

  1. Go to myaccount.google.com/signinoptions/rescuephone
  2. Check the recovery phone number - is it yours?
  3. Go to myaccount.google.com/signinoptions/rescueemail
  4. Check the recovery email - is it yours?

Warning: If these have been changed to numbers or emails you don’t control, someone could use them to regain access after you change your password.

Remove Unwanted Access

Once you’ve identified what needs removing, work through these steps systematically.

Sign out all other devices

To immediately remove access from all devices except the one you’re using:

  1. Go to myaccount.google.com/device-activity
  2. Click on any device you want to remove
  3. Click Sign out
  4. Repeat for each suspicious device

Or sign out everywhere at once:

  1. Go to Gmail on the web
  2. Scroll to the bottom and click Details (under “Last account activity”)
  3. Click Sign out of all other web sessions

Note: This only signs out web sessions. You’ll need to remove mobile devices individually from the device activity page.

Remove third-party app access

  1. Go to myaccount.google.com/permissions
  2. Click on any app you want to remove
  3. Click Remove Access
  4. Confirm by clicking OK

When in doubt, remove it. You can always re-authorise an app later if needed.

Remove email forwarding

  1. Go to Gmail settings (gear icon > See all settings)
  2. Go to the Forwarding and POP/IMAP tab
  3. Under “Forwarding:”, select Disable forwarding
  4. Click Save Changes at the bottom

Remove suspicious filters

  1. Go to Gmail settings > Filters and Blocked Addresses tab
  2. Find any suspicious filters
  3. Click delete next to each one you want to remove
  4. Confirm the deletion

Change your password

Do this after removing devices and access, so the old password is no longer useful:

  1. Go to myaccount.google.com/signinoptions/password
  2. You may need to sign in again
  3. Enter a new, strong password
  4. Use a password you haven’t used anywhere else
  5. Don’t use information someone could guess (birthdays, pet names, etc.)

Tip: Consider using a passphrase - a series of random words that’s long but memorable. For example: “purple-elephant-tuesday-garden”

Update recovery options

Replace any recovery email or phone that might be compromised:

  1. Go to myaccount.google.com/signinoptions/rescueemail
  2. Click on the recovery email
  3. Enter a new email address that only you can access
  4. Repeat for recovery phone at myaccount.google.com/signinoptions/rescuephone

Important: If you don’t have a safe alternative, you can remove recovery options entirely, but this makes account recovery harder if you forget your password.

Lock Down Your Account

Once you’ve removed unwanted access, add extra protection.

Enable 2-Step Verification

2-Step Verification (2FA) means someone needs both your password AND access to your phone to log in:

  1. Go to myaccount.google.com/signinoptions/two-step-verification
  2. Click Get started
  3. Sign in again if prompted
  4. Choose your second step:
    • Google prompts (recommended) - tap “Yes” on your phone
    • Authenticator app - enter a code from an app like Google Authenticator
    • Text message/call - receive a code by SMS
    • Security key - physical USB/NFC key (most secure)

Which to choose:

  • If you’re confident your phone is secure, Google prompts are convenient
  • If you’re unsure about your phone, use an authenticator app on a device only you control
  • Text messages are better than nothing, but can be intercepted if someone has access to your phone

Generate backup codes

If you lose access to your phone, backup codes let you log in:

  1. After enabling 2-Step Verification, go to myaccount.google.com/signinoptions/two-step-verification
  2. Scroll down to Backup codes
  3. Click Show codes
  4. Write these down and keep them somewhere safe (not on your phone or in your email)

Important: Each code can only be used once. Get new codes if you’ve used several.

Review app-specific passwords

If you use Gmail with email apps that don’t support 2-Step Verification, you may have created “app passwords”:

  1. Go to myaccount.google.com/apppasswords
  2. Review any app passwords that exist
  3. Remove any you don’t recognise or no longer need

Run Google Security Checkup

Google’s Security Checkup is a useful tool that reviews your account security in one place:

  1. Go to myaccount.google.com/security-checkup
  2. Review each section:
    • Your devices
    • Recent security events
    • 2-Step Verification
    • Third-party access
    • Gmail settings
  3. Follow any recommendations marked with yellow or red warnings

Make this a regular habit - run it monthly if you’re concerned about ongoing access.

Get Confidential Support

Google’s support limitations

Google provides limited human support for free Gmail accounts. Most security actions are self-service through the dashboards described above.

If you pay for Google One:

  1. Go to one.google.com/support
  2. You can request phone or chat support
  3. Say: “I need help securing my Google account. I’m concerned about unauthorised access.”

Support through your phone provider

If your Gmail is linked to an Android phone:

  • Your mobile provider may be able to help with basic account issues
  • However, they cannot access your Gmail directly

Consider Refuge Tech Safety

For specialist advice on technology-facilitated abuse:

  • Visit refugetechsafety.org
  • They provide guidance specifically for people experiencing abuse
  • They can advise on securing email and other accounts

If You’re Locked Out

If you can’t access your Gmail account:

Account recovery

  1. Go to accounts.google.com/signin/recovery
  2. Enter your email address
  3. Google will try various recovery methods:
    • Sending a code to your recovery email
    • Sending a text to your recovery phone
    • Asking security questions
    • Verifying via a device you’ve used before

If recovery options have been changed

This is more difficult. Try:

  1. Go through the recovery flow at accounts.google.com/signin/recovery
  2. Answer as many questions as possible about your account
  3. Use a device and location you’ve used to access the account before
  4. Google may ask you to wait 24-72 hours for security reasons

If someone else has taken over your account

  1. Go to support.google.com/accounts/contact/hijacked
  2. Follow the steps for a hijacked account
  3. You’ll need to prove the account is yours

Documentation that helps:

  • When you created the account
  • Old passwords you remember
  • Contacts you frequently email
  • Labels or folders you created
  • Other Google services linked to the account

Starting Fresh

Sometimes it’s safer to create a new email account rather than try to secure one that may be compromised.

When to consider a fresh start

  • You’re not sure what access has been granted
  • You can’t check all the security settings safely
  • The account has been shared for a long time
  • You want a clean break with no hidden access

Creating a new Gmail account

  1. Go to accounts.google.com/signup
  2. Use information that isn’t easy to guess:
    • Don’t include your full name if it could be searched
    • Avoid birth years in the email address
  3. Use a recovery email and phone only you can access
  4. Enable 2-Step Verification immediately

Keeping your new account private

  • Don’t link it to your old account
  • Don’t use the same recovery email or phone
  • Consider using a different browser or device initially
  • Don’t sign in on shared or monitored devices
  • Consider a VPN if you’re concerned about location tracking

Migrating important emails

If you need to keep copies of important emails:

  1. Use Google Takeout to download your data
  2. Select Gmail and choose the MBOX format
  3. You can then import these to your new account if needed

Warning: Only do this from a safe device. The download includes all your emails.

Red Flags That Suggest Compromise

Watch for these warning signs:

  • “New sign-in” alerts you didn’t trigger
  • Password reset emails you didn’t request
  • Emails in “Sent” you didn’t write
  • Emails disappearing or being marked as read before you see them
  • Someone knowing the contents of your emails
  • Apps you don’t recognise in your connected apps list
  • Recovery options changed without your knowledge
  • Replies to emails you never received (forwarding may be enabled)
  • Security alerts from Google you don’t understand

If you notice any of these, work through this guide systematically, or consider starting fresh with a new account.

Important Reminders

Email is the key to everything

Your email account is often used to reset passwords for other accounts - banking, social media, shopping. If someone controls your email, they can potentially access many other services.

Check linked Google services

Your Gmail account is linked to your entire Google account. If you’ve secured Gmail, you’ve also secured:

  • Google Drive (documents, photos)
  • Google Calendar (your schedule)
  • Google Maps (location history)
  • Google Photos (your images)
  • YouTube (watch history, subscriptions)
  • Any Android devices signed in

Consider reviewing privacy settings for each of these services too.

Location history

Google may be tracking your location. To review and disable:

  1. Go to myaccount.google.com/activitycontrols
  2. Look for “Location History”
  3. You can pause this or delete past location data

Additional Support

Google resources

Technology-facilitated abuse support

External support

Last verified: December 2025

If anything on this page is out of date, please contact us.