eSafety 101
Published on
Start hereDigital safety basics · Part 12

How to Protect Your Email Account

Quick read

For everyone

Main point

Main point: your email account is one of the most important accounts to protect.

If a criminal gets into your email, they may be able to reset passwords, read private messages, find invoices, impersonate you, target your contacts, or take over other accounts.

Start with these habits:

  • Use a strong, unique password for your email.
  • Turn on multi-factor authentication.
  • Keep your recovery phone number and recovery email up to date.
  • Check for unknown devices or sign-ins.
  • Be careful with links, attachments, and sign-in pages.
  • Do not share security codes or approve sign-ins you did not start.

If you only improve one account today, make it your email account.

A safer habit: treat your email like the key to your online life. Protect it before anything else.

A little deeper

For curious readers

Context

So far in this series, we have focused on slowing down, checking messages and websites, verifying payment details, and building safer security habits.

Now we are looking at one of the accounts that matters most: your email.

Email is important because many other accounts depend on it. When you forget a password, the reset link usually goes to your email. When a company sends receipts, alerts, documents, or account changes, they often go to your email too.

This means your inbox can tell a criminal a lot about you.

It may contain:

  • Password reset emails.
  • Banking and payment alerts.
  • Invoices and receipts.
  • Travel bookings.
  • Identity documents.
  • Work messages.
  • Family and contact details.
  • Account names and usernames.
  • Clues about which services you use.

If a criminal controls your email, they may be able to control much more than your email.

They may try to reset your passwords, read private information, find payment details, contact people you know, or send scam messages that look like they came from you.

Step 1: Use a unique password

Your email password should not be reused anywhere else.

If another website is hacked and you used the same password there, criminals may try that password on your email account.

A password manager can help you create and remember a strong password without needing to memorise it.

Step 2: Turn on multi-factor authentication

Multi-factor authentication adds another check after your password.

This means that even if someone steals your password, they may still be blocked from signing in.

Be careful though: scammers may try to trick you into sharing a code or approving a sign-in.

Never share a security code with someone who contacted you. Never approve a sign-in you did not start.

Step 3: Check recovery options

Your recovery phone number and recovery email help you get back into your account if you lose access.

Make sure they are correct, current, and protected.

If an old phone number or old email address is still attached to your account, it may become a weak point.

Step 4: Review devices and sign-ins

Many email providers let you see where your account is signed in.

Look for devices, locations, apps, or sessions you do not recognise. Sign them out if they are not yours, and change your password if you are concerned.

Step 5: Be careful with connected apps

Some apps and services ask for permission to access your email account.

Only allow access when you trust the app and understand why it needs that access. Remove old apps you no longer use.

Step 6: Watch for signs of compromise

Warning signs may include:

  • Password reset emails you did not request.
  • Sent messages you do not remember sending.
  • Friends saying they received strange messages from you.
  • Missing emails.
  • Email forwarding rules you did not create.
  • Sign-in alerts from unknown devices or locations.
  • Security codes arriving when you are not trying to sign in.

If something looks wrong, act quickly. Change your password, sign out unknown sessions, review recovery options, remove suspicious connected apps, and check whether any other accounts may have been affected.

A simple rule: protect your email first, because it often protects everything else.

Technical notes

For confident users

Technical

Email accounts are high-value targets because they sit at the centre of many account recovery, identity, communication, and payment workflows.

A compromised mailbox can support credential theft, account takeover, password reset abuse, business email compromise, invoice redirection, identity theft, data theft, social engineering, and contact-list phishing.

Email is often the recovery root.

Many services treat control of an email address as proof that a user can reset a password, approve an account change, receive a login link, retrieve a one-time code, or confirm ownership of another account.

This makes email similar to a root account for a person’s digital life. If the attacker controls the inbox, they may be able to discover which services the victim uses and then trigger recovery flows across those services.

Common compromise paths include:

  • Password reuse after a breach.
  • Credential stuffing against popular email providers.
  • Phishing pages that copy email login screens.
  • Malware or infostealers that capture credentials or session cookies.
  • OAuth consent phishing that grants mailbox access without stealing the password.
  • SIM swap or phone account compromise where SMS is used for recovery.
  • Weak or outdated account recovery options.
  • Compromised devices that already hold active sessions.
  • Legacy protocols, app passwords, or mail clients with weaker controls.

Multi-factor authentication helps, but the type matters.

SMS codes are better than no second factor, but they can be affected by SIM swap, phone number takeover, message interception, or social engineering.

App-based codes are generally stronger than SMS, but users can still be tricked into reading a code to an attacker or entering it into a phishing site.

Push approvals can be convenient, but attackers may use repeated prompts or convincing stories to trick a user into approving a sign-in.

Security keys and passkeys can provide stronger phishing resistance because they are tied to the legitimate domain and are harder to reuse on a fake site.

Session security matters too.

Attackers do not always need the password if they can steal or reuse an authenticated session. Infostealer malware, malicious browser extensions, compromised devices, or phishing proxies may attempt to capture session cookies or tokens.

Changing the password is important after compromise, but it may not be enough if existing sessions, OAuth grants, app passwords, or connected devices remain active.

Mailbox rules are a common persistence and concealment technique.

An attacker may create forwarding rules, filters, labels, or deletion rules to hide security alerts, copy messages externally, watch for invoices, or monitor password reset emails.

After a suspected compromise, users should check:

  • Forwarding addresses.
  • Mail filters and rules.
  • Delegated mailbox access.
  • Connected apps and OAuth grants.
  • App passwords.
  • IMAP, POP, or SMTP access.
  • Active sessions and trusted devices.
  • Recovery email addresses and phone numbers.
  • Recent security events.

Recovery settings are part of the attack surface.

A strong password and MFA can be weakened by old recovery email addresses, recycled phone numbers, easy security questions, exposed personal information, or weak support processes.

Account recovery should be reviewed as carefully as the primary login method.

Email compromise also increases scam credibility.

Messages sent from a real account can bypass suspicion because they appear in existing threads, use familiar tone, include real signatures, and may reference genuine previous conversations.

This is especially dangerous for payment redirection. An attacker who can read email may wait for an invoice, property settlement, supplier payment, or other high-value transaction, then insert altered bank details at the right moment.

For businesses and domain owners, email authentication matters.

SPF, DKIM, and DMARC help reduce spoofing of owned domains, but they do not stop every form of impersonation. Attackers can still use lookalike domains, compromised legitimate accounts, display-name impersonation, or personal email accounts.

DMARC alignment and enforcement can improve protection against direct domain spoofing, but users and processes still need to handle compromised accounts and lookalike sender domains.

Useful technical controls include:

  • Unique passwords stored in a password manager.
  • Phishing-resistant MFA where available.
  • Security keys or passkeys for high-value accounts.
  • Sign-in alerts and account activity reviews.
  • Removal of unused connected apps and OAuth grants.
  • Disabling legacy access methods where possible.
  • Reviewing forwarding rules and mailbox filters.
  • Keeping devices and browsers updated.
  • Endpoint protection and browser security controls.
  • Separate admin accounts for business email administration.
  • Strong recovery settings and protected recovery accounts.
  • User education around MFA codes, approval prompts, and fake login pages.

A useful security model is to separate four areas:

  • Authentication: how someone signs in.
  • Recovery: how someone gets back in.
  • Access: which devices, apps, sessions, and integrations can read the mailbox.
  • Impact: what other accounts, payments, documents, and people depend on the mailbox.

Protecting email well means protecting all four areas, not just choosing a stronger password.

If an email account may be compromised, the response should include password change, MFA review, session revocation, recovery review, connected-app review, mailbox-rule review, and checks on other accounts that rely on that email address.

Disclaimer: All content on this website is general in nature and is not in any way advice. While we strive to ensure the accuracy and relevance of the content, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to this website or the information, products, services, or related graphics contained on the website for any purpose. Therefore, any reliance on such information is strictly at your own risk.

In no event will we be liable for any loss or damage, including, without limitation, indirect or consequential loss or damage, or any loss or damage arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website, you can link to other websites that are not controlled by this website. We have no control over the nature, content, and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.