For many of us, platforms such as Slack, Telegram, and social media have eclipsed our email address as the home base from which all our online communication happens. Nonetheless, to sign up for their services, these platforms require one thing in common: our email.
Email is still considered an authoritative source of identity check. It is used for password resets, 2FA authorization, backup verification for other emails…the list goes on. Friends and family don’t think twice when they receive an email from you unless the content is demonstrably suspicious.
Recent reports show that email scam is the costliest type of cybercrime, with nearly $2.4 billion being stolen in 2021 alone. Part of the reason for its success relative to other scams and cybercrimes is that email scam has become quite sophisticated. We know to hang up the phone when "Microsoft Support" calls to get remote access to our laptop so they can remove that virus that we didn't know we had.
We’re going to cover 5 nefarious things hackers can do with your email address, and 5 actions you can take right now to protect yourself.
5 ways a hacker can exploit your email address
We spread our email addresses across the web each time we create an account or communicate online. Soon, they disappear beyond our knowledge or reach, either because we forget to whom we’ve given them or through leaks and breaches. We think of our email address as something fairly public; it's hard to do anything online without it.
Once you understand how your email can be exploited, you’ll be equipped to use the tips at the end of this article to keep yourself safe.
Cybercriminals have plenty of reasons to want your email. As Mika Aalto told Spiceworks, “Every breach begins with a malicious email.”
1. Spoof your email address to scam friends and family
Email spoofing is when a scammer uses code to manipulate the header of the email to show a legitimate domain, even though the email did not come from that domain. The term “spoofing” is sometimes also used to describe look-alike emails that are designed to deceive the recipient, such as [email protected]. Unless you’re consciously checking the From address when you receive an email, there’s a chance your brain auto-corrected the “r” and “n” into an “m”. And that’s exactly what the scammer wants.
This unicode inspector is a great tool to catch look-alike foreign characters and other trickery.
Here’s another example: you get an email from your friend, [email protected].
Now, email providers show email addresses in lowercase, but our brain is unlikely to be suspicious of a capitalized name. Pasting the email into the unicode inspector, however, reveals that it’s a lowercase “L”, not an “i”.
For a deeper dive into email spoofing, check out this excellent video by ThioJoe for many detailed examples of different ways scammers will attempt to deceive you.
2. Hack into your online accounts
As mentioned earlier, your email is the foundation for your personal login credentials to all your online accounts. Many experts recommend having at least 4 email addresses for different online applications so that if one account gets compromised the damage is minimized.
Once a hacker has confirmed the email addresses that match your identity, they can proceed to try it with password combinations on innumerable accounts - a cyberattack known as credential stuffing.
The best way to protect yourself, which we’ll discuss more below, is to never reuse passwords and always use the best 2FA available.
3. Gather personal information to socially engineer you or others
Your email reveals more about you than you probably think. It can be used to track down anything from your social media to Spotify account and where you work. Once a hacker matches your phone number to your email, they're ready to run a sophisticated social engineering attack. With enough personal information harvested, they can convincingly impersonate you or someone you know through spoofing. And if they hack all the way into your email, they can send convincing emails as you.
Your email address can also be used on the dark web to identify and purchase relevant leaked and stolen personal information. Check sites like haveibeenpwned to see if your information is out there. Real-time monitoring is also available through services such as Echoset.net.
4. Hack your personal email and jeopardize your online and in-person life
Given that email is the primary identifier and source for password resets, if someone hacks your email they can typically reset the passwords for ALL your online accounts. Once into an account, they can often change the associated email address with the click of a button - and you can say goodbye to that account forever.
The cybercriminal will also be able to see tickets and hotel reservations that come to your email. Assuming they’ve scraped your home address, they can use this information to make a move on your personal property.
5. BEC (business email compromise)
Cybercriminals may simply want to use you as a gateway to your company. According to the FBI, BEC is one of the most financially damaging online crimes.
As we’ve seen from the plenitude of successful breaches this year, there are several possible avenues to breach a company. One common tactic in a BEC attack is to send an urgent email posing as the CEO or other executive. The employee, fearing retribution, ignores otherwise suspicion-arousing signs of a scam and cooperates with the directive, or at the very least opens the attachment or clicks the link. This may be all the attacker needs to gain a foothold.
Make it clear to everyone you work with that treating anything other than face-to-face communication with an extra helping of caution will never be punished. You need your team on your side when it comes to keeping your business safe.
How do I protect my email?
1. Set up 2FA
Use 2FA to maximize security for your email accounts. Of course, we recommend using 2FA on all accounts that allow it - even “unimportant” ones. Security experts recommend using time-dependent codes through apps such as Authy when possible, as they are much more difficult to get ahold of than SMS-based 2FA.
Many email providers support physical security keys such as Yubikey if you want to take 2FA to the next level.
2. Don’t reuse passwords
You’ve heard the speech: “use unique, strong passwords”. We’ve certainly done our fair share driving the point home. Having said that - please get a password manager, and don’t reuse passwords.
If you share passwords with colleagues, teams, or family members, TeamPassword offers one of the most user-friendly and safe vaults out there. And it’s just as easy to manage your private records there as well. Do you remain stubbornly unconvinced by the offer of a free, no-commitment trial? Check out our reviews on G2.
If you just need a one-person solution, there are plenty of free options out there. Setting up a vault takes a bit of time, but don’t let that stop you from securing your accounts. There’s no excuse to reuse passwords.
3. Check what devices are signed into your email
For Google accounts, click on Manage your Google Account > Security > scroll down to Your Devices > manage all devices. This setting's location may differ based on your email provider.
Sign out that old laptop you’ve got sitting in a drawer that hasn’t been updated in 3 years, and remove your parent’s desktop that you used to check email once. In general, check that you recognize all device activity. The only devices with access should be ones whose security you control.
4. Check data breach reports
Check sites such as haveibeenpwned to see if your email or passwords are part of any breaches or leaks. If your email address has been significantly impacted, you may need to migrate to a new address. Real-time monitoring is available through services such as Echosec and Whatsup Gold.
Once your email address, passwords, or personal documents are out there, the best you can do is take appropriate reactive steps to minimize the possibility of that information being used against you.
If your email is the culprit, immediately change all passwords on connected accounts. Cybercriminals will use your email to credential stuff thousands of online accounts in the off chance that they can break in. Seriously, don't reuse passwords.
If your driver's license, passport, or SSN numbers were leaked, report this to your local DMV, U.S. State Department, and Social Security Administration, respectively.
To avoid being impacted by basic data leaks, look into setting up temporary aliases for use with different online accounts so you can more easily identify when and where you’ve been compromised.
5. Practice (close to) Zero Inbox
Even if you’re not ready to fully commit to the inbox zero lifestyle, you can utilize many of its strategies to greatly reduce stress around handling emails. If your inbox is out of control, you may miss a suspicious login attempt or password reset message. Plus, if you’re stressed and pressed for time when sorting through your emails, you’re less likely to exercise the caution and attention to detail required to catch spoofed emails and false links.
What can a hacker do with just my email address and not my password?
- Send phishing emails to your contacts, pretending to be you and asking for money, personal information, or malicious links.
- Sign-up for unwanted services or subscriptions that may charge you fees or send you spam.
- Use your email address to learn more about you, such as your name, location, interests, or online activity.
Can my email account be hacked without a password?
Yes, your email account can be hacked without a password if you click on a malicious link, download an infected attachment, or use a compromised public Wi-Fi network. Hackers use these methods to access your email account and steal your personal information or send spam messages from your account. To prevent this, always use a strong password, enable two-factor authentication, avoid suspicious emails and websites, and use a secure VPN when connecting to public Wi-Fi.
How much info can a hacker get from just my email address?
A threat actor can discover your name, location, online accounts, contacts, and even your SSN if your email address was part of a serious breach. They can use this information to launch phishing attacks, spam you, steal your identity, or compromise your security. Check haveibeenpwned to see if your email was leaked.
How do hackers get into accounts without a password?
- Phishing: Sending fake emails or websites that look legitimate and asking you to enter your password or other sensitive information.
- Social engineering: Tricking you into giving away your password or other credentials by pretending to be someone you trust or someone who needs your help.
- Malware: Installing malicious software on your device that records your keystrokes, steals your data, or gives the hacker remote control over your device.
- App permissions: Exploiting apps that you have authorized to access your account and use them to post, send, or change things on your behalf.
To protect yourself from these attacks, you should use different passwords for different accounts, use a password manager, enable two-factor authentication on your email, avoid clicking on suspicious links or attachments, update your software regularly, and revoke access to apps that you don't use or trust.
How does TeamPassword keep your email and accounts safe?
If using password best practices is too hard neither you nor your team will do it. TeamPassword makes it easy to store, update, and share credentials without them leaving an encrypted environment.
Storing your login credentials in a password manager minimizes damage in the event that your email gets breached. People who don’t use a password manager may store passwords in an excel spreadsheet which they email to others, or a Google Sheet which can be accessed if their Google account is compromised.