How Criminals Hack Your Email Account — And How to Take It Back
Your email account is the master key to your digital life. Most other accounts — banking, government services, social media, and every online service you use — can be taken over by anyone who controls your email, simply by requesting a password reset link. This is why email account compromise is the starting point for most serious financial fraud, identity theft, and business email compromise.
How Email Accounts Are Compromised
Phishing attacks are the most common method — a convincing fake email directs you to a fake login page where you enter your credentials, which are immediately captured. Credential stuffing uses email and password combinations from previous data breaches, tested automatically against major email providers — if you reused your email password on a site that was later breached, your email account may already be compromised. Malware on your device captures credentials as you type them. SIM swapping — where an attacker transfers your phone number to their control — can be used to intercept SMS verification codes and reset your email password.
What Attackers Do With Access to Your Email
Once an attacker has access to your email, they move quickly. They typically set up email forwarding rules to silently copy all incoming emails to themselves — this continues even after you change your password if you do not check for and remove the rules. They search your email for bank statements, tax documents, account credentials stored in emails, and sensitive personal information. They use your email to reset passwords to other accounts. And they monitor your email for business communications they can exploit through invoice fraud or other social engineering. The forwarding rules are the most dangerous — attackers maintain persistent access this way.
Warning Signs Your Email Has Been Compromised
Contacts reporting they received suspicious emails from you that you did not send. Emails appearing in your Sent folder that you did not write. Login notifications from unusual locations, countries, or devices you do not recognise. Unexpected password reset emails for accounts you did not request resets on. Your email password suddenly not working — the attacker has changed it. Replies from contacts referencing messages you did not send. And in the case of forwarding-based access, no visible signs at all.
How to Recover and Protect Your Account
Use your provider's account recovery process to regain access. Immediately after regaining access, check Security settings for active sessions — log out all other sessions. Review email forwarding rules and delete any you did not set up. Review email filter rules for anything redirecting emails to trash or to external addresses. Change your password to something strong and unique. Enable MFA. Check the recovery email address and phone number, and update them if necessary. Then change passwords on all accounts linked to this email address. For business email compromise incidents, contact IntrusionX for incident response support — we can help preserve evidence and implement the controls to prevent recurrence.
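The forwarding-rule and filter checks above (the persistence mechanism described under "What Attackers Do With Access to Your Email" and the review step in the recovery list) are easy to automate for a mailbox with many rules. The following Python is an added example, not IntrusionX's code or any provider's tool: it models rules on the fields Exchange Online's Get-InboxRule exposes (an assumption; Gmail filters carry equivalent information), treats only the assumed domain example.com as internal, and flags rules that send mail outside, delete or bury messages, or carry a near-empty name. The sample rules are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
# Assumed: the organisation's own domain(s); anything else counts as external.
TRUSTED_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"deleted items", "trash", "junk email"}

@dataclass
class InboxRule:
    """One mailbox rule, modelled on the fields Exchange Online's Get-InboxRule exposes."""
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""

def external_addresses(addresses: List[str]) -> List[str]:
    """Keep only recipients whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS]

def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like attacker persistence (empty list = clean)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    ext = external_addresses(rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to)
    if ext:
        findings.append("sends mail to external address(es): " + ", ".join(ext))
    if rule.delete_message:
        findings.append("deletes matching messages")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides matching messages in '{rule.move_to_folder}'")
    if len(rule.name.strip()) <= 1:
        findings.append("rule name is blank or a single character")
    return findings

def audit_mailbox(rules: List[InboxRule]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, findings) for every enabled rule that needs a human look."""
    return [(r.name, f) for r in rules if (f := audit_rule(r))]

# Constructed sample: a legitimate internal forward, a hidden forward-and-delete
# rule, a rule burying bank alerts in the trash, and a disabled rule that is skipped.
SAMPLE_RULES = [
    InboxRule(name="Invoices to accounts", forward_to=["accounts@example.com"]),
    InboxRule(name=".", forward_to=["backup7731@mail.example.net"], delete_message=True),
    InboxRule(name="Bank alerts", move_to_folder="Deleted Items"),
    InboxRule(name="Old rule", enabled=False, redirect_to=["x@attacker.example"]),
]
```

Run audit_mailbox over a real export and review every flagged rule by hand; a disabled rule is skipped here but is still worth deleting if you did not create it.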
Preventing Business Email Compromise
For business email accounts, the consequences of compromise extend beyond personal inconvenience — attackers with access to your business email can intercept client communications, monitor for financial transactions, and insert themselves into payment processes. Implementing DMARC, DKIM, and SPF on your business email domain prevents criminals from sending spoofed emails using your domain. Configuring Microsoft 365 or Google Workspace with security defaults and conditional access policies provides additional protection. And enabling audit logging means that if a compromise occurs, you have the records needed to understand what was accessed and for how long.
The Email-as-Master-Key Problem
The reason email security matters so much is that email is the recovery mechanism for virtually every other account you have. Password reset instructions go to email. Account verification goes to email. MFA backup codes often go to email. This means that controlling someone's email effectively gives control over their entire digital life. This interconnection is why email MFA must be implemented first, before any other account — and why losing email access in a phishing attack is so damaging. IntrusionX can assess and secure your email environment — both for individuals and for Melbourne businesses — contact us for a free consultation.
Need help protecting your business or home?
IntrusionX provides independent cybersecurity for Melbourne businesses and families. Free consultation, no lock-in contracts.