Ryan Toohil has a BS in Computer Engineering from Virginia Tech and holds multiple patents in the web services domain. As the CTO at Aura, he leads the platform, information security, and corporate IT teams.
Jory MacKay is a writer and award-winning editor with over a decade of experience for online and print publications. He has a bachelor's degree in journalism from the University of Victoria and a passion for helping people identify and avoid fraud.
Your primary email account is a revolving door for personally identifiable and sensitive information.
You use your email to log into video streaming services, for online shopping, and social media. It’s where you receive bank statements and utility bills that display addresses, full names, and even Social Security numbers (SSN). And if you forget a password or need to reset an online account, where do those messages get sent?
Needless to say, your email address serves as a gateway to your online identity. And cybercriminals use it to pry out sensitive data with discomforting regularity.
So how can you defend your inbox and email account from unwanted (and unlawful) access?
How Does Email Get Hacked?
1. You were tricked by a phishing attack
“Phishing” is when hackers use official-looking or sounding emails, calls, or texts (known as “smishing”) to trick you into giving up your email account details.
Hackers send spam emails claiming to be from a legitimate institution, like a government agency or your bank. These emails and messages copy the same phrasing and logos and use spoofed “From” addresses to look more legitimate.
Phishing scams have two goals.
The first is to trick you into providing your account details and password. For example, a hacker might send an email pretending to be from Amazon saying someone else is using your account. They’ll include a link to confirm your account details. But when you do, the hacker will get your information.
The second is to get you to download malware onto your device. Malware gives scammers access to your computer so they can steal sensitive information like your email password.
Always be wary of attachments, links, and QR codes in suspicious emails. If you’re unsure, hover over or click on the “From” name to reveal the true email address. If it’s not a legitimate email or doesn’t match up with who they say they are, delete it and report the scam.
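The "From" check described above can be automated. The following is an added example, not part of the original article: it compares the brand a message claims to be from with the domain it was actually sent from. The allow-list, the function names, and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a small allow-list mapping a brand keyword to its real sending domains.
KNOWN_SENDERS = {"amazon": {"amazon.com"}, "paypal": {"paypal.com"}}

def domain_of(address):
    """Return the lowercased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def is_allowed(domain, allowed):
    """True when domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(raw_message):
    """Return the reasons a sender looks suspicious (empty list = none found)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = domain_of(address)
    findings = []
    for brand, allowed in KNOWN_SENDERS.items():
        claimed = brand in display.lower() or brand in domain
        if claimed and not is_allowed(domain, allowed):
            findings.append(f"claims to be {brand} but is sent from {domain or 'no domain'}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"replies go to a different domain: {domain_of(reply_to)}")
    # A matching From domain is not proof, because the header itself can be forged,
    # so also honour the receiving server's DMARC verdict when it is recorded.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("receiving server recorded dmarc=fail")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Amazon Support" <security@amazon.com.account-check.example>\n'
    "Reply-To: help@mailbox.example\n"
    "Subject: Someone else is using your account\n\nConfirm your details.\n"
)
LEGIT = (
    'From: "Amazon.com" <orders@amazon.com>\n'
    "Authentication-Results: mx.example; dmarc=pass header.from=amazon.com\n"
    "Subject: Your order\n\nThanks for your order.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_sender(raw))
```

An empty result only means none of these checks fired; it does not prove the message is genuine.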
2. You forgot to sign out of a public or shared device
Leaving your accounts logged in on any device that isn’t exclusively yours is a golden opportunity for hackers. This includes, for example, a device in the library, at an office, or in a tech store.
Remember, your email account won’t always automatically sign out when you close a browser window. All it takes is a few seconds for a hacker to change your passwords and lock you out of your own account.
You should also beware of any shared devices. If you ask to use a friend’s device to check your email, you could be leaving your account compromised. Always sign out of your account when you’re done using it.
3. Hackers broke into your Wi-Fi network
You might be surprised to learn that hackers can easily hack your home Wi-Fi network.
Even if you use a password on your account, hackers can gain access through security flaws in your router. Or, they can use a type of cyber attack called a man-in-the-middle attack (MITM) to intercept your connection on public Wi-Fi networks.
In both cases, hackers can see everything you’re doing and steal your login information when you enter it.
A secure VPN can help protect your network from hackers spying on your sensitive information.
🔎 Check the Dark Web for your passwords and data. Use Aura's free Dark Web scanner to see if your accounts have been compromised in a recent data breach.
5. Hackers installed malware on your device
Malware is malicious software that can steal your email login, harm your devices, and more.
Cybercriminals have sophisticated methods for getting you to download malware beyond just clicking a link in a spam email. Some emerging cyber threats to beware of include:
Trojans: This malware comes packaged inside legitimate software and gives hackers backdoor access to your computer. Trojans are commonly used to steal credit card information.
Drive-by-downloads: Hackers take advantage of apps, operating systems, and software that hasn’t been updated to install malware without your permission.
Ransomware: This malware prevents you from accessing data until you pay a fee. Or, hackers will threaten to expose sensitive photos and files (like in the famous celebrity hacks).
Spyware: This type of malware collects information from your computer or even records your keystrokes to capture passwords and login information.
Pharming: This is when hackers create legitimate-looking websites designed to steal your account information. For example, they might copy your email or social media login page and get you to download malware.
Anytime a hacker installs malware, they have the potential to get access to your email, bank account, and more.
Sometimes hackers don’t need sophisticated methods to hack your email.
Some of the most popular passwords are notoriously easy to guess (like “password” or “123456”). Meanwhile, many people use personal information like birthdays or pet names that can easily be found in their online footprint.
If a hacker wants access to your email account, they can use “brute force” software to rapidly guess your password using what they know about you.
For example, let’s say your password is “bluecar68.” You made this because your car is blue, and you were born in 1968. If a potential hacker knows you, they can brute-force that password with ease.
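The same reasoning can be turned into a check you run on your own password before using it. This is an added example, not part of the original article: it flags a password that appears on a common-password list or is assembled from personal details. The function names and the list of facts are assumptions constructed to match the “bluecar68” example.

```python
import re

# The two examples the article names; a real check would use a much larger list.
COMMON_PASSWORDS = {"password", "123456"}

def personal_tokens(facts):
    """Turn known personal facts into lowercase tokens, adding 2-digit forms of years."""
    tokens = set()
    for fact in facts:
        for piece in re.findall(r"[a-z]+|\d+", fact.lower()):
            tokens.add(piece)
            if re.fullmatch(r"(19|20)\d\d", piece):
                tokens.add(piece[2:])  # 1968 -> 68
    return tokens

def built_from(password, tokens):
    """True if the whole password splits into tokens (word-break dynamic programming)."""
    pw = password.lower()
    reachable = [True] + [False] * len(pw)
    for end in range(1, len(pw) + 1):
        reachable[end] = any(
            reachable[start] and pw[start:end] in tokens for start in range(end)
        )
    return bool(pw) and reachable[-1]

def audit_password(password, facts):
    """Return the reasons a password is easy to guess (empty list = none found)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    tokens = personal_tokens(facts)
    if built_from(password, tokens):
        reasons.append("built entirely from personal details")
    else:
        hits = sorted(t for t in tokens if len(t) >= 3 and t in password.lower())
        if hits:
            reasons.append("contains personal details: " + ", ".join(hits))
    return reasons

# Constructed facts matching the article's example (blue car, born in 1968).
FACTS = ["blue car", "born 1968"]

if __name__ == "__main__":
    for candidate in ("bluecar68", "password", "MyBlueSky!", "T7#vq!Lm2x@Kp9"):
        print(candidate, audit_password(candidate, FACTS))
```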
7. You used the same password for multiple accounts
There’s probably a 99% chance that at least one of your old passwords was part of a data breach or is available on the Dark Web. If you reuse passwords across social media and online stores, hackers can try them on your active accounts and get access to your email and more.
Using strong, unique passwords is your first, and sometimes only, line of defense against hackers.
You can’t sign into your email account. Hackers will often lock you out of your account as soon as they get access. If your normal email password isn’t working, there’s a good chance you’ve been hacked.
There are strange messages in your “Sent” folder. In other cases, a hacker wants to use your email without alerting you that you’ve been hacked. Look for strange emails in your sent folder that you didn’t send.
You’re getting password reset emails you didn’t ask for. Once a hacker gets access to your inbox they can see which services you use. For example, Facebook email notifications tell them you have a Facebook account. They can then take over your accounts by getting password reset emails sent to your hacked inbox.
Different IP addresses show up on your log. Many email service providers will keep a log of IP addresses that have accessed your account. This will show you the device, browser type, and physical location of who’s accessing your inbox. For example, in Gmail, look for “details” in the bottom right corner of your inbox.
Your social media account has weird posts you didn’t make. Scammers use your email to get access to your social media accounts and use them to run scams. One common example is to take over your Facebook, Snapchat, or Twitter and send messages to your friends asking for account details or money.
Friends and family are getting emails or messages you didn’t send. If you get a friend asking “was this email from you?” that probably means you’ve been hacked. Fraudsters send emails to try and get details or money from your contacts (i.e. phishing emails).
Your device is suddenly slow or acting differently. Hackers commonly install viruses and malware to get access to your inbox. If your device’s performance drops suddenly, you may have been hacked.
Someone set up automatic forwarding to an address you don’t recognize. Check your preferences to see if a hacker has changed your account settings to forward emails to another address. (Think of this as a digital “change of address” scam).
Your account information is available on the Dark Web. Due to the number of data breaches in recent years, there’s a good chance your email address and password are already available to hackers on the Dark Web.
Here's how to check if your email was hacked
You can check to see if your email account password has been compromised with Aura’s Dark Web scanner.
✅ Take action: If your email account has been hacked, your bank, investment, and other online accounts could be at risk. Try Aura’s identity theft protection free for 14 days to secure your identity against scammers.
11 Things You Should Do If Your Email Was Hacked
Regain access to your account. If you can still access your email account, change your passwords immediately to block the hacker. If you’re locked out, you’ll need to work with your email provider to recover your hacked account. Here’s how to recover a hacked Gmail, Yahoo, and Microsoft account.
Scan your device for malware and viruses. There’s no point in changing passwords or setting up security software if hackers still have access to your account. First, use antivirus software to remove any lingering malware or spyware. Aura, for example, can scan, isolate, and remove infected files without throttling device speeds.
Change all your passwords and set up a password manager. Next, change your email password and the password for any other affected accounts. Use strong and unique passwords that include upper- and lowercase letters, symbols, and numbers. Avoid personal information like birthdays and pet names. To help keep track of your new passwords, consider a password manager.
Switch up your email security questions. Change your security questions to something that you can’t find online. Choose to be obscure. Hackers can retrieve a plethora of information about you based on your online footprint.
Enable two- or multi-factor authentication (but not SMS). Add two-factor authentication to your email along with a secure recovery email address. If possible, skip SMS for your authentication codes. Instead, use an authenticator app like Google or Okta as it’s much more secure.
Tell your friends and contacts you’ve been hacked. Alert everyone you know that you’ve been hacked and to beware of suspicious emails. This can feel unpleasant, but it helps protect people you know from follow-on fraud.
Start using a VPN with malware protection. Update your network and device security to block malware and warn you of potential phishing sites. If you're using Aura's VPN, connect to our virtual U.S. location to access content from anywhere.
Update your devices and operating system. Hackers use vulnerabilities in outdated software to get access to your device. Regularly install security updates for important software patches and better overall device performance. Updated operating systems can also keep threat actors at bay.
Wait before you start shopping online. An email hack can sometimes mean scammers have access to your device. Wait until you’re malware-free before entering your credit card information on any online shopping site.
Set up credit monitoring. This will alert you of any suspicious activity on your credit report or bank account so you know if hackers have access to them. Contact your credit card company if you notice unauthorized, fraudulent charges on your card. The FTC recommends using this template to draft your credit card dispute.
Report the identity theft and fraud. Email hacking and identity theft are crimes. If you’ve been a victim, report the theft to the FTC at IdentityTheft.gov and file a police report. Include sufficient personal information to prove your identity. While the FTC encourages completing its online identity theft affidavit, it also has a toll-free hotline at 1-877-FTC-HELP.
Once a hacker has access to your email, they can do tons of damage to your identity, credit, and reputation. Here are five alarming ways that hackers take advantage of your hacked email account.
Phish friends and family
Hackers with access to your email also have access to your contact list.
That means everyone you know or have ever emailed could suddenly be the target of a phishing scam or other types of social engineering attacks. And because the hacker is using your email, your family, friends, and other contacts are more likely to open them and even click links.
Threaten to expose sensitive photos and information
Many of us use our emails as file storage or have sensitive information we wouldn’t want leaked. If a hacker gets access to your email, they can find all these files and use them to extort you for money or access to other accounts.
One example of this was the celebrity hacks that leaked private photos of female celebrities along with embarrassing emails from major film studios.
Your email address is part of a very tightly woven web of secure information.
If you use Gmail, Microsoft, or Yahoo, there’s a password manager built into your email provider that hackers can use to find stored passwords.
If you don’t have other cybersecurity measures in place, this now means that a hacker has access to any account with a stored password. For example, your social networking accounts and banking information.
Steal your identity and lock you out of your accounts
Access to your email can often be enough for hackers to commit all different types of identity theft. Remember, your email is like your online ID. Scammers can use it to sign you up for almost anything. Or, they can fake your online persona for other reasons.
This is even worse if your inbox contains emails about tax information or government benefits that include your Social Security number. (Be especially careful with your SSN as it's not always possible to change your Social Security number – even after identity theft.)
Take over your business email and scam your company
In a worst case scenario, a hacker gets access to both your personal and business email. If this happens, they can get access to your corporate network and destroy your professional reputation.
✅ Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.
How To Protect Your Email From Hackers and Scammers
Hackers know the value of your email account. Once they’re in, they can use it to gain access to your bank account, social media profiles, and other sensitive online accounts.
Don’t ignore the signs of a hacked inbox. If anything looks suspicious or you suddenly can’t log in, act fast! The longer hackers have access to your account, the easier it is for them to steal your identity.
Be cautious of any links or attachments (even from friends). They can include links to malware or phishing sites.
Reduce the amount you share online. The less you share, the harder it is for hackers to guess your passwords or security questions.
Regularly check your credit report and bank statements. Scammers are almost always after your financial accounts. Regularly monitor your financial statements for signs of identity theft. This could include strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
Force sign-out of any unfamiliar accounts. Many services you use let you see active account logins worldwide — for example, your phone and laptop. If you see anything you don’t recognize, force all accounts to log out.
Password protect your devices (use biometrics if possible). Fingerprint and facial recognition can stop hackers from getting access to your email account if your device is stolen. However, there's still the possibility of fingerprint identity theft. Make sure you combine biometrics and a password for the best protection.
Don’t ignore updates. Companies include security updates with new versions of their software.
Use strong passwords and a password manager. The harder your password is to hack, the more secure your account. Use a password manager so you don’t have to remember your unique passwords.
And if you're flustered about what to do if your identity is stolen, consider signing up for Aura.
Aura protects you and your family from all aspects of identity theft from hacked emails. With Aura, you get military-grade network and device protection. You also get top-rated credit and identity monitoring to keep your most important accounts safe.