Online Accounts

How Hackers Hack Email Accounts — and How to Protect Yourself

How attackers compromise Gmail, Outlook, and other email accounts — and how to defend.

What attackers want from Email Accounts

Email is the master account that controls almost everything else — password resets for banking, social media, work systems, government services all go through email. Compromise of an email account typically cascades into compromise of every other account associated with that email address. This makes email the single highest-priority account to secure, and the single most-targeted by sophisticated attackers.

The realistic threat for most users includes credential stuffing from breached passwords, phishing campaigns specifically targeting Gmail/Outlook login flows, business email compromise (BEC) for financial fraud, and account-recovery exploitation against weakly-configured accounts. For executives and high-value targets, threat profile expands to include sophisticated targeted attacks (spearphishing crafted specifically for the victim, supply-chain attacks via compromised contacts).

The defences that work are concrete and well-known: hardware security keys for the highest protection, app-based 2FA as minimum, unique strong passwords, regular access audits, and treating email-account compromise as a higher-priority emergency than other account compromises. The recovery from email compromise can be straightforward if you act fast, or weeks of escalating account losses if attacker has time to pivot.

How attackers actually do it

Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.

Credential stuffing from breached passwords

Same pattern as social media accounts — attackers test breached credentials from other sites against major email providers (Gmail, Outlook, Yahoo, etc.). Particularly damaging because email account compromise cascades to everything else linked to that email.

Phishing via fake login pages

Sophisticated phishing kits accurately reproduce Gmail/Outlook login flows including 2FA prompts. Modern phishing can intercept session tokens AFTER 2FA — the attacker proxies your real login to Google/Microsoft in real-time, captures the session token at the end. This is why phishing-resistant authentication (hardware keys, passkeys) matters even with 2FA enabled.

Business email compromise (BEC) for fraud

Attackers compromise an executive's email account, then send fraudulent payment instructions from the legitimate account to finance team, vendors, or clients. Highly effective because the email genuinely comes from the executive's real account. Average BEC loss per incident is significant ($150K+ commonly); some incidents reach millions.

OAuth abuse via malicious apps

Users grant third-party apps OAuth access to their email (read messages, send messages). Malicious or later-compromised apps abuse this access — read sensitive content, send phishing from your account, exfiltrate contacts. "Email organiser", "calendar integration", and "productivity tools" are common categories for this abuse.

Recovery flow exploitation

Email accounts have multiple recovery options — backup email, phone, security questions, recovery codes. Attackers with partial information about a victim drive the recovery flow to gain account access. Old accounts with weak recovery setups (only security questions, no backup phone, etc.) are particularly vulnerable.

Reply-chain hijacking after partial compromise

Attackers who have access to ANY email account in a conversation thread can insert themselves into ongoing legitimate conversations — replying with fraudulent payment instructions, malicious attachments, or further phishing. The conversation context makes targets less suspicious of unusual messages.

Forwarding rule attacks for persistence

After initial compromise, attackers commonly set up email forwarding rules sending copies of all incoming mail to attacker-controlled addresses. Even after victim recovers the account, forwarding rule continues — attacker maintains visibility into all mail. Specifically check forwarding rules during incident response.

How to recognise compromise

Signs that your email accounts may have been compromised:

Login alerts from unfamiliar locations

Gmail, Outlook, and other major providers send alerts for new-device logins. Receiving these for logins you did not make is a strong signal of credential compromise. Investigate even if "could be" your own legitimate device.

Sent mail you did not send

Attackers using your account for phishing leave evidence in your Sent folder (unless they delete it). Check Sent folder periodically; investigate anything you do not recognise. Smart attackers delete evidence; check trash too.

Unexpected forwarding rules or filters

Compromised email accounts commonly have forwarding rules added — copies of incoming mail sent to attacker addresses. Check Settings → Forwarding (Gmail) or Rules (Outlook) for entries you did not create.

Password change confirmations you did not request

When attackers change your email password, the provider emails confirmation. If you receive password-change confirmation emails for changes you did not make, account is compromised. Acting on this within minutes vs hours can be the difference between minimal vs catastrophic incident.

Other accounts hijacked despite their having strong protection

Pattern of multiple non-email accounts being compromised in short time often indicates email compromise (attacker is using email access to drive password resets on other services). If one of your accounts is hijacked, check email security urgently as a possible root cause.

Unusual entries in account activity logs

Gmail (Last Account Activity, bottom of inbox) and Outlook (Account Activity) show recent logins. Review periodically; investigate anything unfamiliar.

What actually protects you

Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.

Use hardware security keys (YubiKey, Titan, Solo) for the highest protection

Hardware security keys are phishing-resistant — they only work for the legitimate site, defeating real-time proxy phishing that bypasses code-based 2FA. Cost is $25-50 per key; recommend two keys (one primary, one backup). For Gmail use Google Advanced Protection Program. For Microsoft, Security Defaults plus security keys. Single highest-leverage email security investment.

If hardware keys not feasible, app-based 2FA (NOT SMS)

App-based 2FA (Google Authenticator, Microsoft Authenticator, Authy) for email account is minimum viable protection. SMS-based 2FA is vulnerable to SIM swap attacks; phone-call 2FA same issue. Authenticator app codes generated on your device, no SMS dependency.

Unique strong password — most important password you have

Email account password should be the strongest, most unique password in your password manager. Reusing this password anywhere else, or having it weak, undermines all your other account security.

Audit and revoke OAuth third-party app access

Gmail: Settings → Accounts → Manage your Google Account → Security → Third-party apps with account access. Outlook: similar in Microsoft account settings. Revoke anything you do not actively use. Old "email organiser" or "calendar tool" connections accumulate over years; each represents potential attack vector.

Set up multiple recovery options properly

Recovery email (different from primary), recovery phone, backup codes (printed and stored offline). Strong recovery setup makes legitimate recovery easier; weak setup makes attacker-driven recovery exploitation possible.

Check forwarding rules and filters quarterly

Even on healthy accounts, periodically verify no unauthorised forwarding rules or filters exist. Forwarding rules survive password changes and 2FA enabling — they are persistent access mechanisms attackers use specifically because they survive recovery.

Consider Google Advanced Protection or Microsoft Security Defaults

Google Advanced Protection Program (free) requires hardware security keys, restricts app permissions, blocks third-party app access by default. Microsoft Security Defaults (free with Microsoft 365) enforces 2FA. Both significantly raise security baseline; worth enabling for personal email even if some convenience cost.

Use a separate email for high-stakes accounts

Consider a dedicated email address (different from your main address) for banking, government services, and other high-value accounts. Reduces blast radius — main email compromise does not directly compromise these accounts. Common pattern: main email for general use, dedicated email for financial/government, dedicated email for account signups (reduces spam and breach exposure).

Be sceptical of urgency in any email requesting action

Phishing exploits urgency ("your account will be deleted", "verify within 24 hours", "wire this payment immediately"). Legitimate organisations rarely have genuine urgency requiring you to act on an email link. When in doubt: open the service directly via its known URL, not via the email link.

🚨 If You've Been Compromised

Recovery steps in priority order

Move FAST. Email compromise is the highest-priority account incident because of cascading impact. Hours matter for limiting damage.
Use the email provider's account recovery flow immediately. Gmail: accounts.google.com/signin/recovery. Outlook: account.live.com/acsr. Use the strongest verification method you have configured.
Once recovered: change password to something new and strong, enable hardware key 2FA (or app-based 2FA if hardware keys not yet available), revoke all OAuth app access, log out all sessions.
CHECK FOR FORWARDING RULES AND FILTERS. Often-missed step. Attackers add forwarding rules during compromise; rules survive password changes. Manually inspect all forwarding settings, mail rules, and filters; remove anything unfamiliar.
Audit ALL accounts associated with this email address. Every service where this email is the login or recovery email. Check for unauthorised access; change passwords; review recent activity. Bank accounts and crypto wallets first, then social media, then everything else.
Notify financial institutions of the compromise. If banking emails went through this address, banks should know — fraud monitoring may catch attempted fraud they would otherwise have missed.
For business accounts: notify finance team and key vendors/clients about possible BEC. Establish out-of-band verification (phone confirmation) for any payment requests during the period of compromise. Some BEC fraud only manifests days/weeks after initial compromise.
File reports if financial loss occurred. IC3.gov in US, Action Fraud UK, equivalent in other countries. For BEC specifically, FBI BEC reporting (US) and similar national channels elsewhere have specialised resources.
Consider professional incident response support for severe cases. If business-critical email was compromised with significant financial impact or sensitive data exposure, professional IR firms can help with comprehensive recovery, evidence preservation, and post-incident hardening.

👥 For Organisations & Defenders

Enterprise email security and BEC prevention

For organisations, email security is foundational — most successful breaches involve email at some stage. Foundational technical controls: enforce hardware security keys for all users with access to sensitive systems (executives, finance, IT admins minimum), Microsoft 365 Security Defaults or Google Workspace Advanced Protection enabled, conditional access policies restricting login locations and device types, mail security gateway (Proofpoint, Mimecast, Microsoft Defender) for advanced phishing detection.

BEC-specific controls: out-of-band verification required for any payment changes or wire requests (call known phone number, not number in the email — attackers control email but not phone), explicit policies that finance team will not action payment requests received only via email without secondary verification, training on BEC patterns including "executive impersonation" and "vendor email compromise" scenarios, simulated phishing exercises to maintain awareness. The financial impact of single BEC incidents commonly exceeds the cost of years of security investment; the controls more than pay for themselves.

Detection and response capabilities: SIEM with email-related detections (impossible-travel logins, unusual forwarding rule creation, mass mail send patterns from individual users), incident response runbook specifically for email account compromise, periodic table-top exercises on BEC scenarios. The post-incident impact of BEC is significant in terms of financial loss, reputational damage, and regulatory exposure (especially for regulated industries); investment in prevention is well-justified.

Frequently Asked Questions

Email is the master account — password resets for almost every other service go through email. Compromise of email cascades to compromise of every account using that email for password reset. The practical security of your bank, social media, work systems, and government accounts ultimately depends on email account security.

SMS 2FA: codes via text message. Vulnerable to SIM swap attacks. App-based 2FA: codes generated by authenticator app on your device. Not vulnerable to SIM swap; vulnerable to real-time phishing that proxies the code. Hardware key 2FA: physical security key (YubiKey etc) that cryptographically signs the login. Phishing-resistant; not vulnerable to either SIM swap or proxy phishing. Hardware keys are the gold standard for high-value accounts like email.

Direct account login is blocked by 2FA. However, attackers can: read messages via OAuth-granted apps (if you authorised malicious apps), read backup data if cloud backups are not E2E encrypted (most email backups are not), read messages via spyware on your device, intercept email in transit if your provider does not enforce TLS (rare in 2026 but possible). Comprehensive email security requires all these layers.

Both are reasonably secure with proper configuration. Gmail has Google Advanced Protection Program for the highest-protection tier. Outlook integrates with Microsoft Security Defaults and Conditional Access for enterprise scenarios. Either can be secured well; either can be vulnerable if poorly configured. Configuration matters more than provider choice.

Attackers compromise an executive or finance team email account, then send fraudulent payment instructions from the legitimate account to finance team, vendors, or clients. Highly effective because the email genuinely comes from a real account. Major financial fraud category — billions in annual losses globally. Defence requires both account security AND out-of-band verification policies for any payment changes.

Yes, with one nuance: your password manager's master password and your email password should be different (so one compromise does not cascade). Use the password manager to generate and store a unique strong email password; memorise the password manager master password separately. The "email is master account" pattern means email password security is paramount.

Sign-in activity logs (Gmail: Last Account Activity link at bottom of inbox; Outlook: Account Activity in security settings). Forwarding rules and filters — attacker artifacts often persist there. Sent folder for messages you did not send. Receive password-change confirmation emails you did not request. HaveIBeenPwned.com for whether your address appears in known breaches.

OAuth is the framework for granting third-party apps access to your email without sharing your password. Apps request specific permissions (read mail, send mail, manage labels, etc.) which you approve. Malicious or later-compromised apps abuse these grants. Periodic audit of OAuth app access is essential — old grants accumulate and represent attack surface.

Often yes, for blast-radius management. Common pattern: main email for general use and personal contact, dedicated email for banking and government accounts (reduces exposure), dedicated email for shopping and online signups (catches breach exposure separately, easier to filter spam). The cost is moderate (managing multiple inboxes); the security benefit is meaningful.

Immediately — within minutes if possible. Email compromise enables cascading attacks on every account associated with that email. Each hour gives attacker time to drive password resets on other accounts. Email compromise is the single highest-priority account incident; treat it accordingly.