Can Someone Scam You With Just Your Email Address?
It’s easier than ever for scammers to get your email address. Data breaches — which occur when criminals hack into company databases and then leak billions of emails, names, and Social Security numbers online — have increased by almost 15% from Q2 to Q3 of 2022 [*].
But is it actually dangerous if a scammer has your email address? Potentially, yes.
Spam, scam, and phishing emails are more than just annoyances. As fraudsters become more sophisticated, they are able to design scam emails that you can’t help but fall for because they seem so real.
According to the FBI, email scams are the most expensive type of cybercrime [*], costing Americans billions of dollars in losses.
By now, it’s almost guaranteed that scammers have your email address. So what can you do to protect yourself and your family?
In this guide, we’ll explain the dangers of hackers having your email address, how they get it in the first place, what you can do to avoid email scams, and ways to safeguard your inbox against fraudsters.
What Can Scammers Do With Your Email Address?
You probably don’t think twice about giving your email address to a social media site, online bank, or eCommerce store. But the ease with which you use and give out your email address makes it a prime target for scammers.
With just your email address, scammers can:
- Target you with sophisticated phishing emails.
- Find more sensitive information about you — including where you live.
- Attempt to hack into your other online accounts.
- Impersonate you and scam your friends and family.
- Steal your identity and commit financial fraud.
Fraudsters know that your email address is at the core of your digital identity. Your inbox is home to everything from bills to passwords, login information, sensitive data, photos, and videos.
Worse, even if you do everything you can to protect your email address from scammers, they have numerous methods for finding it.
Here are some of the ways that scammers can get your email:
- A data breach exposed it. Data thieves target every industry. There were major data breaches at Facebook, Amazon, T-Mobile, Robinhood, and Volkswagen-Audi just last year. In a recent data breach, the personal information for 700 million LinkedIn users went for sale online — including names, phone numbers, and email addresses [*].
- They found it on your social media account. Many social media sites require you to post your email address. Sites like Facebook and LinkedIn provide scammers easy access to your email.
- They bought it from a data broker. These companies collect and sell information about you to telemarketers and scammers. (Safety tip: Aura’s digital security solution can automatically remove you from data broker lists.)
- You gave it up accidentally through a phishing attack. Hackers create fake websites designed to trick you into giving them your email address.
- They used “email harvesting” bots. Harvesting emails is a fast way to get email addresses. Using a bot, cybercriminals search the internet for emails with "@" symbols. Harvesters can gather thousands of names and emails in seconds.
The Truth: Can Someone Steal Your Identity With Just Your Email Address?
The good news is that you’re not immediately in danger of identity theft if scammers have your email address. But you're still far from being completely safe.
Your email is the starting point for many identity thieves.
For example, criminals can send you phishing emails to get the passwords to your email, bank, or other online accounts. Any of these accounts can offer scammers access to all of the information they need to steal your identity, including:
- Invoices or receipts displaying your name, address, and phone number.
- Banking information, credit card numbers, and other details that could lead to financial fraud.
- Sensitive photos that you’ve exchanged with others.
- Personally identifiable information (PII), such as your Social Security number (SSN).
- Passport numbers or ID numbers.
The 10 Worst Ways Hackers Use Your Email Against You
- Target you with sophisticated spear phishing emails
- Harvest information to run social engineering attacks
- “Spoof” your email and impersonate you
- Access your email and take over your other accounts
- Find information about you from leaks in data breaches
- Scam your friends, family, and contacts
- Find your financial information and steal your money
- Blackmail you with sensitive information or photos
- Steal your identity
- Gain access to your company’s email
If hackers have your email, they can run all types of scams against you. Here are some of the worst ways that a scammer can use your email address:
1. Target you with sophisticated spear phishing emails
Phishing attacks occur when criminals send emails impersonating people or popular organizations. The goal of these emails is to try and get you to reply with sensitive information, click on malicious links, or download malware-laden attachments.
Nearly 80% of people experienced a phishing attack in 2021, a 46% increase from 2020 [*].
But even more dangerous is spear phishing.
While a regular phishing attack uses vague templates in the hope that you’ll click on a link, a spear phishing attack is tailored specifically to you. For example, scammers will use your name, account numbers, recent purchases, job information, or other data to trick you into giving them what they want.
As more of your personal information is made available online, spear phishing becomes a greater danger.
Here’s how the scam works:
- The scammers research the services or businesses that you typically use (like Netflix or your bank).
- Then, they create emails that look like they came from that business or individual. They'll even use the same (or similar) email address, design, and logo, etc.
- The email will use urgent language and personal information to get you to click on a link, download an attachment, or respond with sensitive information. For example, they may tell you that your password has been compromised and that you need to "verify" it.
- By giving them your information or downloading the attachment, they can access online accounts and steal your money, impersonate you, or steal your identity.
How to identify (and avoid) phishing emails:
- Check the “from” email address to make sure it uses the official domain of the company it’s claiming to be from (for example, “email-address@Walmart.com”) .
- Never click on links or download attachments in emails that you didn’t request.
- Look for signs of fraud, such as the sender asking for your password and personal information — as well as poor-quality logos and design, or grammatical and spelling errors.
📚 Related: How To Tell If An Email is From a Scammer →
2. Find out more information about you to run social engineering attacks
Your email address is linked to almost every online account you’ve created, comments you’ve posted, and information you’ve shared. With just your email address, hackers can learn enough about you to run sophisticated social engineering attacks.
Social engineering refers to “human hacking” — a tactic in which criminals use psychology to create a sense of fear or excitement to steal your identity or commit fraud. Cybersecurity experts say 98% of cybercriminals use social engineering techniques to manipulate unknowing victims [*].
Here’s how the scam works:
- Scammers identify high-value targets — people with data, access, or money that they want.
- Using their target’s email address, they learn more about them — such as where they work, what they “like” on social media, and other things that can be found from the victim’s online footprint.
- Scammers use this information to contact you through different mediums — email, phone, social media, dating sites, etc. — and try to emotionally manipulate you.
How to identify (and avoid) social engineering attacks:
- Carefully check suspicious emails for mistakes in the name, address, and copy. Check for misspellings or elements that are slightly off, such as an email sender address like “mMmike@example.com.”
- Verify someone's identity if you don’t know them personally. Search for their name online, or do a reverse image search of their photo to see if it matches the name and information they gave you.
- Slow down, step back, and check your judgment if you find yourself getting emotionally involved with an unknown person online.
3. “Spoof” your email and impersonate you
Scammers “spoof” email addresses (i.e., hide their true identity) to bypass spam filters and trick you into thinking the sender is someone they’re not. But scammers can also spoof your email address to scam your friends, family, and colleagues.
For example, scammers often target companies with Business Email Compromise (BEC). In these scams, they’ll contact your employer pretending to be you and ask for sensitive information, logins, or money.
Most people don't double-check the headers or “from” addresses of the emails they receive. This means the target won’t spot the mistake and will think the email is actually from you.
Here’s how the scam works:
- Scammers create a fake email address that looks like your address. The changes are usually small. For example, they may add a period at the end or change a letter to a similar-looking number (such as a “1” for a lower-case “l”).
- Then, they use that email to scam your contacts. The messages will ask for favors, money transfers through services like Cash App and Zelle, or sensitive information.
How to prevent email spoofing attacks:
Email spoofing occurs because some email servers don’t have ways to authenticate a sender before a message is delivered. Attackers look for weak servers to send spoofed emails. A lack of authentication makes it easier for spam to pass through.
As a result, spoofing attacks are hard to stop. However, there are ways you can prevent them:
- Whenever you sign up for blogs or sites (i.e., subscriptions, newsletters, shopping platforms, etc.) use a secondary email account. By doing this, your private email address won't be sold or breached. You can open a free, secondary email account with Gmail, Outlook, ProtonMail, and Yahoo! Make sure your email address doesn’t include any identifying information, like your name or birthday.
- Do not post your personal email address on social media. This is guaranteed to be found by scammers and marketers.
- Set up a Sender Policy Framework (SPF) to prevent spoofing. An SPF lists valid IP addresses for sending emails from a specific domain. This prevents attackers from sending spoofed messages on behalf of your company.
📚 Related: How To Protect Your Personal Information on Social Media →
4. Access your email and take over your other accounts
One of the major risks of scammers having your email address is that they’ll use it to hack into your other online accounts. With your email address, they can request password resets, try entering your other passwords that have been leaked online, and even break into your email account.
Here’s how the scam works:
- Scammers find your leaked passwords on the Dark Web.
- Then, they use software to automatically try those passwords (and your email) on other platforms and websites. If you use the same password for multiple accounts, they can break in.
- If not, they can still request a password reset from the site and change your password.
How to protect your email and other online accounts:
- Use an authenticator app to set up two-factor authentication (2FA). 2FA is an additional security measure that requires a special code along with your account passwords. So, even if scammers have access to your email and passwords, they will not be able to access your other accounts.
- Manage your passwords with a password manager. This tool stores all of your passwords for you, so you can use complex and unique passwords without worrying about having to remember them. Aura’s password manager can even warn you if your accounts have been compromised in a data breach.
5. Find more information about you from leaks in data breaches
With the increase in major data breaches occurring in recent years, there’s no doubt that your personal information has been compromised.
Scammers use your email address to search through data breach information on the Dark Web to see what other information they can find about you.
Using your email address, scammers can potentially find:
- Names and birthplaces
- National ID numbers
- Payment card information
- Phone numbers
- Medical records
- Police reports
Here’s how the scam works:
- Scammers search your email address online and on the Dark Web to find breaches in which your personal data has been compromised. They can even use free services like HaveIBeenPwned to search online databases for your information.
- Once they know which data breaches have affected you, they can buy that information off the Dark Web for as little as $1 [*].
- The more information they have, the easier it is for scammers to steal your identity and commit fraud.
How to protect yourself from data breaches:
- Follow the latest digital security tips — including using antivirus software to block malware and spyware on your computer, avoiding phishing attacks, and monitoring your finances with a credit protection service.
Protect your identity, finances, and devices with Aura. Aura offers a proactive all-in-one digital security solution that monitors and protects your online accounts, financial accounts, and devices against scammers. Start a free 14-day trial of Aura today →
6. Scam your friends, family, and contacts
Scammers may even “spoof” your email address to scam your friends, family, and colleagues. They’ll impersonate you and request money, access to documents and networks, or sensitive information.
Here’s how the scam works:
- Scammers impersonate you by creating an email address that looks similar to yours.
- Then, they search your contact lists and social media accounts to find suitable targets — i.e., your grandmother or an old friend who might not check to make sure it’s actually you who is writing to them.
- Scammers often pretend to be in danger — such as needing money for a lawyer or to get out of jail — and beg their victims not to reach out to anyone else.
How to avoid scammers targeting your contacts:
- If your email has been hacked or compromised, tell your friends and family immediately. Instruct them not to respond to any emails from you.
- Don’t store information about family members or friends in your inbox.
📚 Related: How to Recover After Your Identity Is Stolen (2022 Guide) →
7. Find your financial information and steal your money
Scammers can use your email to run phishing scams or hack into your bank accounts and steal your money. December 2022 data from the Federal Trade Commission (FTC) found that the median reported loss due to fraud was $800 for adults over 70 [*].
Here’s how the scam works:
- A hacker gets your email address through a data breach or buys it from a data broker.
- Then, they use phishing emails or text messages to lure you into giving them your banking details and password. For example, they might send a fake fraud alert email from your bank that takes you to a phishing website. When you enter your bank account information, it goes straight to the scammer.
- Once they gain access, they’ll reset your password to lock you out and then open new accounts, credit cards, or loans in your name.
How to protect your financial information:
- Create long, strong, and unique passwords for all your financial accounts. Store them in a password manager.
- Enable multi-factor authentication (MFA) to reinforce your bank account security.
- Sign up for a credit monitoring service. Aura constantly monitors your bank, credit card, and investment accounts for signs of fraud. If we see anything suspicious, you’ll be alerted in near-real time.
8. Blackmail you with sensitive information or photos
Scammers may also use your email address to find sensitive information or photos that you don’t want people to see. They use this to blackmail you into sending them money or giving them even more sensitive information.
This has happened in many celebrity email hacks when private photos of celebrities and embarrassing emails from major studios were leaked.
Here’s how the scam works:
- Scammers hack your email account or trick you into installing malware on your operating system (such as a Trojan virus) that gives them access to your files, video camera, and microphone.
- Then, they look for ways to blackmail you by searching your files or spying on you.
- Once they’ve collected enough information, they send an email threatening you to pay ransom, or else they’ll release all of your private information to friends, family, and colleagues.
How to identify and avoid online blackmail:
- Make sure you have 2FA enabled on your email accounts. For added security, use an authenticator app rather than SMS for your 2FA codes.
- Protect your devices with digital security software such as Aura’s antivirus and virtual private network (VPN).
- If you receive a blackmail email, don’t reply to the email or pay the ransom. Often, the scammers don’t have anything and are just trying to intimidate you.
- Report blackmail emails and fraud to the FTC at ReportFraud.com.
📚 Related: How To Prevent Phishing Attacks [15 Easy Tips] →
9. Steal your identity
In many cases, scammers can use your email address to find enough information about you to steal your identity.
- Here’s how the scam works:
- Thieves collect your personal information through a combination of data breaches, hacking, fraud, physical theft, or phishing scams.
- Then, they use the personal data collected to open up new credit accounts, file fraudulent tax returns, commit insurance fraud, acquire identity-related documents, and more.
- Thieves can also sell your personal data on the black market for a profit.
How to identify and prevent identity theft:
- Follow the steps in our guide on how to protect yourself against identity theft.
- Safeguard your physical IDs, wallet, and mail. Shred sensitive documents before throwing them away.
- Avoid using public Wi-Fi as it can easily be hacked. For added protection, use a virtual private network (VPN) to hide your data from hackers.
- Consider signing up for an identity theft protection service. Aura safeguards your entire family against identity theft, fraud, and hackers. Aura also offers 24/7 access to skilled fraud resolution specialists who can walk you through the remediation process if you are a victim of fraud. And every adult member on an Aura plan is covered by $1,000,000 in insurance for eligible losses due to identity theft.
📚 Related: How To Know If Your Identity Has Been Stolen →
10. Gain access to your company’s email and scam your colleagues
In a worst case scenario, fraudsters hack into both your personal and business email. If this happens, they can access your corporate network and destroy your professional image.
This type of cyberattack is known as Business Email Compromise (BEC). According to Verizon’s 2022 Data Breach Investigation Report (DBIR), 41% of all BECs involved phishing [*].
Here’s how the scam works:
There are many different types of BEC including email impersonation, spoofing, and account takeovers. But in general, BEC scams work like this:
- The attackers take over or impersonate the account of a genuine business, often posing as an executive. They typically want money, unauthorized access, or data. They gather information about the executive’s contacts, writing style, and personal data.
- The attackers send an email to an employee with an urgent request. This could be to pay an invoice or give login credentials to an account.
- The employee fulfills the request, and the scammer takes off with their money or sensitive information. Or, the scammer continues the hack and downloads massive stores of sensitive data.
How to identify and avoid BEC scams:
- Avoid web-based email accounts for your business. Make sure that employees know how to identify a phishing email and whom to contact if they receive suspicious messages.
- Do not open any emails from unknown parties. Also, double-check the sender’s email address for misspellings and spoofed addresses.
- Always verify the identity of the person you’re emailing before sending money or data.
Does a Scammer Have Your Email Address? Here’s What To Do
- Update your online passwords and security questions for your email, banking, social networking accounts, and more. Also, enable 2FA on all of your accounts.
- Report scam emails to your email provider or the company the scammer is impersonating. Make sure you don’t open these emails, as this can give fraudsters information about you — such as your IP address.
- Customize your email spam filters to block even more potential phishing emails. Here’s how to customize your spam filters in Gmail, Outlook, AOL, Yahoo!, and iCloud.
- Request that data brokers remove your information (or let Aura do it for you).
- Warn your friends and family that your email may be compromised. Tell them to contact you directly if they receive strange emails or messages from “you.”
- Protect your other accounts against hacking by using strong passwords. Be especially vigilant if you’re receiving password reset emails from other accounts that you don’t recognize.
- Scan the Dark Web for your personal information. Update any compromised accounts or information.
- Freeze your credit with all three major credit bureaus (Experian, TransUnion, and Equifax). This will stop scammers from opening new accounts or taking out loans in your name.
- Stay safe by learning how to spot the warning signs of a phishing email.
📚 Related: Has Your Gmail Been Hacked? Here's How To Secure Your Account →
How To Protect Your Inbox From Scammers and Spammers
It’s become second nature to share our email addresses with people, businesses, and organizations. But if your email address ends up in the wrong hands, you could easily become a victim of identity theft, account takeovers, or financial fraud.
Here are some ways to protect your inbox from bad actors:
Be selective about whom you give your email address to
- Only give your email address to credible and legitimate organizations.
- Verify an unknown person's identity before giving them your email address.
- Only give your personal email address to close friends and family.
- Don’t write your email address on a paper email sign-up list.
- Make sure any websites to which you provide your email address are secure and reliable.
Use a different (and private) email account for family and sensitive accounts
- Create a separate email account to use with friends and sensitive accounts, such as for government benefits.
- Make a throwaway account to use for shopping sites and newsletters.
Update your email passwords so that they are unique, complex, and secure
- Get a password manager, and download its browser plug-in to ensure that you have easy access to all of your passwords.
- Make a list of your most important online accounts and prioritize which to change passwords on first. For example, your bank account login would be a top priority.
- Change every password to a strong 16-character password using a combination of numbers, symbols, and both uppercase and lowercase letters.
Enable 2FA on all your accounts
- Make a list of all your online accounts and learn which ones offer 2FA or MFA. You can use the 2FA Directory to find out which websites and services utilize this important layer of account authentication to help keep users safe.
- Get the Google Authenticator app or a similar tool. An authenticator app is more secure (than SMS) for 2FA as scammers can take over your phone number using a scam called SIM swapping.
Never click on links or download attachments
- Get an email client that filters spam and alerts you if it suspects spam.
- Do not open potentially dangerous emails. Delete them immediately.
- Report scam emails to the FTC.
Consider signing up for an all-in-one digital security service
With Aura, you get:
- Financial fraud protection. Aura monitors your credit and bank accounts in near-real time and alerts you of fraud 4X faster than the competition.
- Instant credit lock. Lock and unlock your Experian credit file with one click from your desktop or mobile app.
- Identity theft protection. Aura can alert you if an online account has been compromised, will monitor your SSN for signs of fraud, and can even reduce the amount of spam calls and emails that you receive.
- Device and Wi-Fi protection for all your devices. Keep your computer, phone, and home network safe from hackers with powerful antivirus software and a military-grade Virtual Private Network (VPN).
- Family identity theft monitoring for up to five people including children and adults.
- $1,000,000 in insurance coverage for eligible losses due to identity theft. If the worst happens, Aura will be there to help you through the needed steps to secure your identity and get back on your feet.
The Bottom Line: Keep Your Email Safe From Scammers
Your email address is the key to your digital life. Keep it safe and secure — and be cautious of any suspicious emails you receive.
If you accidentally gave out your email address, Aura can help you set up identity theft and credit protection, and scan the web for misuse. If a scammer tries to take over your account, open new credit cards in your name, or hack your devices with malware, Aura will alert you and help you shut them down.