ScamLens
Critical | Average Loss: $8,000 | Typical Duration: 1-30 days

Email Account Compromise (EAC): How Hackers Hijack Your Inbox

Email Account Compromise (EAC) occurs when attackers gain unauthorized access to legitimate email accounts through credential theft, social engineering, or malware. Unlike Business Email Compromise, which targets corporate executives, EAC affects individuals and businesses of all sizes. According to the FBI's Internet Crime Complaint Center, EAC resulted in over $2.7 billion in losses in 2022, with average individual losses reaching $8,000 per incident.

Once inside an account, criminals operate silently for days or weeks, studying email patterns, relationships, and financial transactions. They search for sensitive information including tax documents, passwords stored in emails, banking statements, and business invoices. The compromised account becomes a weapon to launch attacks against the victim's contacts, who are more likely to trust emails from a known sender.

The sophistication of EAC attacks has increased dramatically. Attackers now use artificial intelligence to mimic writing styles, create convincing email threads by replying to existing conversations, and time their fraudulent requests for when victims are traveling or unavailable. The typical EAC incident lasts between 1 and 30 days before detection, during which attackers can drain bank accounts, redirect wire transfers, file fraudulent tax returns, or sell stolen personal information on dark web marketplaces.

Common Tactics

  • Credential harvesting through fake login pages: Attackers send emails impersonating legitimate services (Microsoft, Google, banks) with links to convincing replica login pages that capture usernames and passwords when entered.
  • Password spray attacks: Criminals attempt common passwords across thousands of email accounts, targeting providers with weak account security measures or users who reuse passwords across multiple services.
  • Session hijacking through public WiFi: Attackers monitor unencrypted connections on public networks to intercept session cookies that allow access to email accounts without needing passwords.
  • Email forwarding rule creation: Once inside, attackers create hidden inbox rules that automatically forward copies of all incoming emails to external addresses, allowing continued surveillance even after password changes.
  • Targeted spear phishing of high-value accounts: Criminals research victims on social media and professional networks to craft personalized emails containing malware or credential theft links specifically designed for that individual.
  • SIM swapping to bypass two-factor authentication: Attackers convince mobile carriers to transfer a victim's phone number to a SIM card they control, intercepting authentication codes sent via SMS and gaining account access.

How to Identify

  • Unexpected password reset notifications or security alerts that you didn't initiate, particularly multiple failed login attempts from unfamiliar locations or devices shown in your account activity log.
  • Missing emails from your inbox or sent folder, indicating someone has deleted correspondence to hide their tracks, or the appearance of emails marked as read that you never opened.
  • Contacts reporting receiving strange emails from your address, such as urgent requests for money, suspicious links, or out-of-character messages sent at unusual times.
  • Unfamiliar email forwarding rules, filters, or inbox settings that you didn't create, particularly rules that automatically delete or redirect specific types of messages like bank notifications.
  • Login notifications from locations where you've never been, or at times when you weren't using your device, visible in security activity logs provided by most email services.
  • Inability to log into your account with your correct password, or finding that your recovery email address or phone number has been changed without your authorization, blocking your access to account recovery.
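The login-activity review described in the points above, worked through as an added example that is not part of the original page: it scans a constructed sign-in export for bursts of failed attempts and for successful logins from countries or devices the owner does not recognise. The log format, the 10-minute window, the threshold and the "known" baseline are all assumptions.

```python
# Added example, not the page's own code: review a constructed sign-in export for
# failed-login bursts and successes from unfamiliar places. Format/baseline assumed.
from collections import deque
from datetime import datetime, timedelta

KNOWN_COUNTRIES = {"US"}                      # where the owner normally signs in
KNOWN_DEVICES = {"iPhone", "Windows-Laptop"}  # devices the owner recognises
FAIL_WINDOW = timedelta(minutes=10)           # sliding window for failed attempts
FAIL_THRESHOLD = 3                            # failures in window that raise an alert

SAMPLE_LOG = """\
2024-03-02T09:14:00Z success ip=203.0.113.5 country=US device=iPhone
2024-03-02T22:01:10Z failure ip=198.51.100.9 country=NG device=Unknown
2024-03-02T22:01:40Z failure ip=198.51.100.9 country=NG device=Unknown
2024-03-02T22:02:05Z failure ip=198.51.100.9 country=NG device=Unknown
2024-03-02T22:03:45Z success ip=198.51.100.9 country=NG device=Unknown
2024-03-03T08:30:00Z success ip=203.0.113.5 country=US device=Windows-Laptop
"""

def parse_line(line):
    """Turn one 'timestamp outcome key=value ...' line into a dict."""
    ts, outcome, *pairs = line.split()
    entry = dict(p.split("=", 1) for p in pairs)
    entry["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    entry["outcome"] = outcome
    return entry

def review_log(text):
    """Return the alerts a user should act on (sign out sessions, reset password)."""
    alerts, failures = [], deque()   # failures: timestamps still inside FAIL_WINDOW
    for line in text.splitlines():
        e = parse_line(line)
        while failures and e["time"] - failures[0] > FAIL_WINDOW:
            failures.popleft()       # drop failures older than the window
        if e["outcome"] == "failure":
            failures.append(e["time"])
            if len(failures) == FAIL_THRESHOLD:
                alerts.append(f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW.seconds // 60} min from {e['ip']}")
            continue
        reasons = []
        if e["country"] not in KNOWN_COUNTRIES:
            reasons.append(f"unfamiliar country {e['country']}")
        if e["device"] not in KNOWN_DEVICES:
            reasons.append(f"unknown device {e['device']}")
        if failures:                 # a success right after failed attempts
            reasons.append("success right after failed attempts")
        if reasons:
            alerts.append(f"{e['time'].isoformat()} login from {e['ip']}: " + "; ".join(reasons))
    return alerts
```

Run against SAMPLE_LOG it raises two alerts: the burst of failures and the foreign success that follows it; the two logins from the owner's usual country and devices stay quiet.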

How to Protect Yourself

  • Enable multi-factor authentication (MFA) using authenticator apps like Google Authenticator or Microsoft Authenticator, which provide significantly stronger account protection than SMS codes, which are vulnerable to SIM swapping attacks.
  • Create unique, complex passwords of at least 16 characters for your email account using a password manager like Bitwarden or 1Password, and never reuse this password on any other website or service.
  • Regularly review your email account security settings at least monthly, checking for unauthorized forwarding rules, unknown devices with access, unfamiliar recovery contacts, and recent login activity from unexpected locations.
  • Avoid accessing email accounts on public WiFi networks without using a reputable VPN service, or if you must, never enter passwords and only use sessions that are already signed in over a connection with a valid HTTPS certificate.
  • Set up email alerts for critical account changes including password modifications, recovery information updates, forwarding rule creation, and logins from new devices to detect unauthorized access immediately.
  • Create a separate email address exclusively for financial accounts and password resets that you never publicize or use for online shopping, social media, or newsletter subscriptions, reducing its exposure to data breaches.
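The forwarding-rule review recommended above (and the hidden-rule persistence described under Common Tactics) as an added example that is not part of the original page: it audits a mailbox's rule list for forwards to outside addresses, rules that silently delete or mark as read messages about banks, invoices or password resets, and near-nameless rules. The rule fields and the owner's domain are assumptions shaped like a generic rule export, not any provider's actual schema.

```python
# Added example, not the page's own code: audit a mailbox's rule list for the
# persistence tricks used in EAC. Rule fields and the owner's domain are
# assumptions shaped like a generic rule export, not any provider's schema.
from dataclasses import dataclass, field

OWN_DOMAIN = "example.com"   # assumption: the account owner's own domain
SENSITIVE_TERMS = {"bank", "invoice", "wire", "password", "reset", "verify"}

@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)  # addresses copies go to
    keywords: list = field(default_factory=list)    # subject/body match terms
    delete: bool = False        # action: delete matching messages
    mark_read: bool = False     # action: mark matching messages as read

def audit_rule(rule):
    """Return findings for one enabled rule; an empty list means it looks clean."""
    findings = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to
                if a.rsplit("@", 1)[-1].lower() != OWN_DOMAIN]
    if external:
        findings.append(f"forwards mail to external address(es) {external}")
    hits = [k for k in rule.keywords if k.lower() in SENSITIVE_TERMS]
    if hits and (rule.delete or rule.mark_read):
        findings.append(f"hides messages matching {hits} (delete/mark read)")
    if len(rule.name.strip()) <= 1:
        findings.append("blank or one-character name, a common 'hidden' rule")
    return findings

def audit_rules(rules):
    """Map each suspicious rule's name to its findings."""
    report = {}
    for r in rules:
        findings = audit_rule(r)
        if findings:
            report[r.name] = findings
    return report

# Constructed sample: one benign rule, two typical EAC rules, one disabled rule.
SAMPLE_RULES = [
    InboxRule("Newsletters to folder", keywords=["newsletter"]),
    InboxRule(".", forward_to=["collector@mail-example.net"]),
    InboxRule("Cleanup", keywords=["bank", "wire"], delete=True, mark_read=True),
    InboxRule("Old forward", enabled=False, forward_to=["me@gmail-example.org"]),
]
```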

Real-World Examples

A small business owner received what appeared to be a Microsoft 365 security alert stating unusual activity had been detected on her account. The email included a link to "verify your identity" which led to a convincing replica of the Microsoft login page. After entering her credentials, attackers accessed her email and studied her business correspondence for two weeks. They then sent an email to her accountant, using an existing invoice thread, with updated wire transfer instructions for a $47,000 payment, which was sent before the fraud was discovered.

A freelance graphic designer noticed he couldn't access his Gmail account one morning. When he tried to reset his password, he discovered his recovery phone number had been changed. The attacker had used credentials purchased from a data breach on the dark web, accessed his email, and immediately changed security settings. Over five days, the criminal sent phishing emails to the designer's 300+ clients, resulting in 23 compromised accounts before Google suspended the account. The designer lost several long-term clients who blamed him for the breach.

A retired couple's email account was compromised through a public WiFi network at their hotel while on vacation. The attackers created a hidden forwarding rule and monitored emails for three weeks. When the couple's financial advisor sent their quarterly investment summary, the criminals intercepted it, created a fake urgent email about a time-sensitive investment opportunity, and convinced the couple to transfer $125,000 to a fraudulent account. The crime wasn't discovered until the couple returned home and contacted their actual advisor about the "investment."

Frequently Asked Questions

How do attackers get my email password in the first place?
The most common methods are phishing emails with fake login pages, data breaches where your password from another site is exposed and then tested on your email, malware that records keystrokes, and password spray attacks that try common passwords like "Password123!" across millions of accounts. If you reuse passwords across multiple sites, a breach on any one site can compromise your email.
Can attackers still access my email after I change my password?
Yes, if they've created forwarding rules, added recovery email addresses they control, or registered their device as "trusted" before you changed your password. This is why simply changing your password isn't enough—you must review all account settings, remove unknown devices, delete suspicious forwarding rules, and enable multi-factor authentication to fully regain control.
How can I tell if someone is currently reading my emails?
Check your email provider's security activity or recent device log (found in account settings for Gmail, Outlook, and Yahoo). Look for active sessions from unfamiliar IP addresses, locations you've never visited, or devices you don't own. Most providers show when and where each login occurred and allow you to remotely sign out suspicious sessions immediately.
What should I do immediately if I discover my email has been compromised?
First, change your password immediately from a secure device, then enable multi-factor authentication. Review and delete any unauthorized forwarding rules, recovery emails, or phone numbers. Sign out all other sessions in your security settings. Contact your bank if financial information was in your emails, and notify your contacts that your account was compromised to warn them about potential phishing attempts.
Is business email more at risk than personal email accounts?
Business email accounts are often more valuable targets because they contain financial information, client data, and business relationships that can be exploited for larger fraudulent transactions. However, personal email accounts are attacked more frequently because they often have weaker security. The FBI reports that business-related email compromise results in higher average losses ($120,000+ for corporate BEC), but personal email account compromise affects far more victims overall with losses averaging $8,000 per incident.
