What Can I Do With Your Email Account?

There are many online accounts that would be bad to lose control of, such as your Amazon, eBay, PayPal, or bank account.  But by far the worst account to lose is your email account.  If I can trick you into giving me your email user ID and password, by using a phishing email or a phone pretext call, I will be in.  I can start off by simply observing.  As I read your emails, both sent and received, I can get to know you at a very detailed level. You will introduce me to the people in your life: your family, friends, employer, customers.  I can read your calendar, and collect your contacts.  I will be able to find out where you bank, where you shop, when you travel and where, who your wireless carrier is, what your interests are, and eventually, many of your other online accounts.  I can even figure out when you are likely to be online, and when you are inactive.  Once I have learned everything I can, I am ready to attack.

If I control your email account, I can use it to ask for password resets at all of your other accounts. I can contact your wireless carrier and redirect your calls and texts to another phone.  I can log into your financial accounts and transfer the money elsewhere.  I can change the shipping address on your shopping accounts and run up a fortune in charges for high-end goods that I later resell.  I can use your eBay account to sell expensive merchandise I do not even have, collect the auction proceeds from your PayPal account, and leave you holding the bag when angry buyers complain about being defrauded.  I can contact your friends and family with pleas for cash and loans.  If you have pictures or documents saved on OneDrive, Dropbox, or Google Docs, I can access them, make copies that I can save, and then delete your files if I want.

Of course, I can use it to send spam, or phishing emails like the one that tricked you, to all your contacts, and extend my reach.  I can use your email to set up accounts at adult sites, or criminal sites, or new fake accounts at other sites.

I can actually sell access to your accounts to other cyber-criminals.  According to Brian Krebs, these are average values:

  • iTunes account – $8
  • FedEx, Continental, United – $6
  • Groupon – $5
  • GoDaddy and other registrars and web hosts – $4
  • AT&T, Verizon, T-Mobile, and Sprint wireless accounts – $4
  • Facebook, Twitter – $2.50
  • Dell, Walmart, Best Buy, Target – $1 to $3

I’m not making this stuff up just to scare you into doing something.  You really need to protect your email account as if it were golden, because to some attackers, it is.

  • Use your longest and most complex password for this account.
  • Turn on two-factor authentication, which is available on Gmail, Yahoo, and Outlook.com/Hotmail accounts, as well as many others.
  • Set up your security questions and pick ones whose answers can’t be found with a web search, unlike birth dates, anniversaries, and mother’s maiden name.
  • Set up a backup email account.
  • Set up cell phone notification options.
  • Never let your browser “remember” your password to make it easy to log into your email account.

Following this advice is not a guarantee that bad things won’t happen to you, but it will sure improve the odds.  May the odds be ever in your favor.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
