We use our email addresses for everything. In fact, 92% of the US uses email as a form of communication.
Having an email address opens you up to the wide world of the internet. Of course, you don’t need an email address to use the internet. If you’re looking to open up accounts or join features of a website, an email address is typically the bare minimum requirement you have to provide.
In a lot of ways, an email address is like having a PO Box. This is a place to send and receive mail without giving away exactly who you are or where you live. Even though email addresses add a layer of anonymity to your online presence, the fact that they’re tied to so many accounts makes them a potential vulnerability.
Your email address is likely tied to many accounts, ranging from social media to banking accounts. Because most people use fewer than two email addresses on average, there’s a real likelihood that one compromised account will be detrimental.
Online security becomes extremely important. While you don’t openly share your passwords, your email address may be exposed.
How Can Hackers and Scammers Find Your Email Address?
Hackers and scammers have several ways to find a person’s email address. In many places, your email address may actually be viewable to the public or may have been shared without your permission.
Here are a few ways that a bad actor can find your email address online:
- Data breaches: When websites are compromised, your email may be exposed to hackers and later sold off. It’s not uncommon for websites to have records of you if you’ve provided your email address to make an account.
- Fake newsletters, sign-up forms, or subscriptions: Legitimate websites use form submissions where you provide your email address. A malicious website will pass itself off as a typical website that offers information of value, but the forms it uses to collect your information can be used to create a list of potential targets.
- Dark web markets: The dark web is a place for cybercriminals to buy and sell sensitive information. This can be for the purposes of identity theft or simply selling mass-collected data like your email account details.
- Web scraping bots: Scammers and hackers will use a bot that is specially designed to search the internet looking for email addresses. These bots are looking for typical account names that use an “@” along with a common email provider name like Gmail, Outlook, and Yahoo. These email addresses may have been intentionally shared on a website, unintentionally shared as part of your account information, or harvested and listed on a database.
What Can a Scammer Do With My Email Address?
A scammer will use any information they can against a person. For a scammer, an email address can provide valuable information that greatly advances their efforts.
With your email account information, they can tap into a larger set of tactics to exploit the information they have to get even more information about you. Like a snowball, the effect can grow until they’ve amassed enough information to carry out an attack.
Here are a few of the methods a scammer will employ:
Phishing
A scammer with your email address could use phishing scams to attack you or someone associated with you. In a phishing email, someone reaches out to you pretending to be a company, family member, friend, or coworker.
They will have a convincing persona that will make them appear to be the person they claim to be. They may know you and those you associate with, sending you an email asking you for sensitive information. They rely on their target believing their persona and giving up the information they seek.
A person carrying out a phishing attack is relying on their target to be convinced that they’re someone the target knows. By pretending to be that person they will ask for personal information such as a password, a triggered code, or questions about personal details.
Search You
A lot of information can be found by searching your email address in a search engine. Other websites may have already done the hard work in sourcing information about you. There may be an online database that has associated your email address with your home address, phone number, and a list of family members.
This information is how someone can enhance their methods during a phishing attack. You may have an account on a website that has made your email address publicly visible. Or maybe your email address and username are similar, which could expose you to other sites that can help a scammer learn more about you.
Impersonate You (Spoofing)
Spoofing is when a scammer is able to send an email that appears to come from a specific person or company. In reality, they don’t have access to that account but can imitate it. In a spoof scam, the scammer sends their target an email, expecting them to click a link or take some action that compromises the target’s account.
Spoof attacks have become increasingly common, with some scammers focused on financial institutions. They will pretend to be a bank or credit card company and ask very personal and sensitive questions.
They may ask for your PIN number, full debit or credit card number, or your login credentials. These types of questions would never be asked by your banking or financial companies.
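One way to check a suspicious message for the spoofing described above, as an added example that is not part of the original article. It assumes your own mail server records SPF, DKIM and DMARC verdicts in an `Authentication-Results` header; the server name `mx.example.org`, the sample message and all domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); every domain is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-example-support.example
To: you@example.org
Subject: Confirm your PIN

Please reply with your PIN and full card number.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg, trusted_server):
    """Collect method=result pairs, but only from headers our own server added."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = value.split(";")
        if parts[0].strip().lower() != trusted_server:
            continue  # a header the sender could have written themselves
        for part in parts[1:]:
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, _, result = tokens[0].partition("=")
                results[method.lower()] = result.lower()
    return results

def spoofing_signals(raw, trusted_server="mx.example.org"):
    """List the reasons the claimed sender of a message should not be trusted."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    signals = []
    if reply_dom and reply_dom != from_dom:
        signals.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    results = auth_results(msg, trusted_server)
    if not results:
        signals.append("no authentication results from the trusted server")
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method, "none") not in ("pass", "none"):
            signals.append(f"{method} result is {results[method]}")
    return signals
```

An empty list does not prove a message is genuine; it only means none of these checks fired.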
Steal Your Identity
If a scammer successfully gets their victim to interact with their attack, they may be able to steal your identity. This can be because you provided an account password.
The scammer may not even have acquired the email password directly. With some careful questions, they may have gotten their target to provide more personal information, which can lead to the scammer guessing your password.
What Can a Hacker Do With My Email Address?
Unlike scammers, hackers don’t need to interact directly with their target. Most hacks are carried out based on technological knowledge and the information they’ve acquired about their target.
Here are some tactics a hacker can use with just your email address:
Access Your Social Media
Social media accounts are sometimes a treasure trove of information. This information can be from the posts shared by the user or the information stored in messages and the account details.
Hackers can use your email address to get access to your social media accounts, which contain personal information they can mine to find more targets. Depending on the social media platform, they may be able to compromise some financial information or make purchases for themselves on your behalf.
Fraud
Hackers generally look for some sort of financial payout with your information. They will look to access your accounts for financial gain, targeting financial accounts.
This may be by directly accessing your bank account or finding your credit card to make purchases. Some hackers will make it harder to trace purchases by going after gift cards, which result in quick payments.
Identity Theft
Hackers can gain access to your accounts to find even more details about you. With more information, a hacker can steal your identity. With just your email address and a successful hack of a personal account, they can pass themselves off as you and make more complex financial purchases.
Compromise Accounts of Friends or Family
Your email address can often be associated with family or friends. This can be information found on databases or a compromised account that shows the email addresses of others. A hacker will use your email address to find your known associates to either carry out phishing attacks, compromise those accounts, or execute other social engineering tactics.
Securing Your Email Address
Keeping your email address secure is a fundamental step in your online security; it contains so much personal information, has ties to your financial institutions, and has connections to your family or friends.
Here are some of the simple and effective ways you can keep your email address safe, even if someone knows your email address:
Use Strong Passwords
A strong password can make your email address impenetrable. A strong password is one used for only one account, at least 12 characters long, using a unique combination of characters, and not something associated with you or a dictionary word. Weak passwords are short and contain personal information or basic words.
2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication)
Two-factor and multi-factor authentication are tried and true methods of keeping your account secure, even if someone has your email and access to your password. Authentication requires the person logging in to prove that they are who they say they are by validating with another, harder-to-access method.
This can be by sending a code via text, phone call, or email. Further authentication can be provided through biometrics like voice authentication, finger scanning, face scanning, or eye scanning. Many modern accounts will enable you to use a form of authentication, whether 2FA or MFA.
Use Trusted Networks
Keep your email and personal information secure by only using trusted networks. Avoid using public Wi-Fi for internet access, as you never know who may be monitoring the network traffic.
A compromised network allows a hacker or scammer to collect information about you. If the use of public Wi-Fi or a new network is unavoidable, a VPN can be an option to help keep your information secure.
Sanitize Social Media Accounts
You may have social media accounts like Instagram, Facebook, or TikTok that contain some seemingly harmless personal information. For instance, your current password may have something to do with your children, a pet, or a date.
These details may exist on a post you shared which a scammer or hacker will be looking for in order to target you and get access to your account. These key details may exist in your password or be answers to challenge questions to prove your identity.
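The password criteria from "Use Strong Passwords" and the warning above about personal details can be checked together. The following is an added example, not part of the original article; the word list, the personal details and the reuse list are constructed sample data, and the function names are hypothetical.

```python
import re
import string

# Constructed sample data: a tiny stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "football", "letmein"}

# Undo common character swaps so "P@ssw0rd" is treated like "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

def personal_tokens(details):
    """Split personal details (names, pets, dates) into tokens of 3+ characters."""
    tokens = set()
    for item in details:
        tokens.update(t for t in re.split(r"[^a-z0-9]+", item.lower()) if len(t) >= 3)
    return tokens

def password_problems(password, details=(), used_elsewhere=()):
    """Return the reasons a password fails the article's criteria (empty if none)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password in used_elsewhere:
        problems.append("already used for another account")
    lowered = password.lower()
    # Strip digits and symbols tacked onto either end, then undo substitutions.
    core = lowered.strip(string.digits + string.punctuation).translate(LEET)
    if core in COMMON_WORDS:
        problems.append("a dictionary word with decoration")
    normalized = lowered.translate(LEET)
    for token in sorted(personal_tokens(details)):
        if token in lowered or token in normalized:
            problems.append(f"contains personal detail '{token}'")
    return problems

if __name__ == "__main__":
    # Details of the kind that appear in public posts: a pet's name and a date.
    print(password_problems("Bella2015!", ["Bella", "2015-06-14"]))
```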
Another source of information could be found in public forums or groups you belong to on the internet. These accounts may have your real name as your username or your username may be associated with your email address.
These breadcrumbs lead back to you with a potential source of information about you. Like with social media accounts, there may have been an unintentional breach of your personal information.
Consider making your social media accounts private instead of public to better protect yourself online. You can hide, delete, or make sensitive posts viewable to trusted friends only, depending on the platform.
Ensure your current friends are people you know, and be wary of any person who adds you out of the blue, especially if it’s an account for someone you know who you’re already friends with on that platform.
What To Do if Your Personal Information Has Been Compromised
If you believe a hacker or scammer has discovered your email address, there are steps you can take to protect it. Even if a bad actor doesn’t have your password, having your email address in their possession can lead to one of the attacks outlined above.
Digital Forensics can help you or your company deal with hackers and scammers who are targeting your email accounts. Our specially trained team of forensic investigators, fraud examiners, former law enforcement officials, and forensic examiners are ready to help you. We have experience with cybercriminals, data breaches, blackmail, online security, and more.
If you’re experiencing online security issues we can help you take back control of the situation. We can investigate your issue, document the issue for legal purposes, and prevent the exposure of your personal information.
For those looking to up their security, we can help identify areas of concern and give you the tools to prevent a future attack.