What can cybercriminals do with my email?
It's not hard to imagine why cybercriminals would want to get their hands on bank passwords or credit card details. Scammers, however, know how to exploit plenty of other information, including data that might be considered public. Email addresses are a good example.
According to Cloudflare's "Phishing Threats Report", 90% of successful cyberattacks begin with a simple email message.
A malicious message is most effective when the criminal adds personal details, such as the victim's name or employer. Unfortunately, an email address on its own already carries clues that help criminals obtain more data.
In corporate email, the company name is often part of the address, which helps criminals locate the victim's profile on professional social networks. A full name plus a professional and academic history is enough for scammers to craft a personalized phishing message.
Services and applications leak user data regularly. Leaked records can be searched by email address, which can reveal personal details and previously used passwords. At the very least, criminals can learn which websites the address was registered on and use one of them as a pretext to approach the account's owner.
Scams that require nothing more than an email
Phishing: a message designed to convince the victim to do something in the criminal's interest. A traditional phishing scam usually contains a link to a cloned login page that steals the victim's credentials, or links and attachments that infect the device with malware.
Advance fee (advance deposit) scam: the victim is asked to pay up front in exchange for some future benefit, such as clearing a parcel through customs, releasing a sum of money, or settling a fine.
Fake extortion: the criminal claims to be a hacker holding the victim's data (intimate videos, passwords) and demands a sum of money, usually in cryptocurrency, in exchange for not using or releasing it. To appear credible, these messages sometimes quote a real password taken from an old data breach. Most often, however, the sender has no information at all.
Spoofing: the criminal forges the address shown in the "From" field so the message appears to come from a known person or institution. Most email providers check sender authentication records (SPF, DKIM and DMARC) and filter out many spoofed messages, but some still get through and can confuse users.
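The following script is an added example, not code from the original article, showing how a receiving mail server's verdict can be used to spot a forged "From" address. It reads the Authentication-Results header (RFC 8601) that the receiving server stamps on each message, and flags the message when neither the SPF-checked envelope sender nor the DKIM-signing domain aligns with the domain in "From". The two messages, the server name mx.example.com and the domains bank.example and mail-relay.invalid are all constructed placeholders; the alignment check is a simplified "relaxed" comparison rather than a full organizational-domain lookup.

```python
"""Flag a spoofed From: header using the receiving server's Authentication-Results.

Added example, not part of the original article. Sample messages, the authserv-id
"mx.example.com" and all domains below are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed: the authserv-id our own receiving server writes into Authentication-Results.
TRUSTED_AUTHSERV = "mx.example.com"

# Constructed: a legitimate message, SPF and DKIM both pass for the From domain.
LEGIT_RAW = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example;
 dmarc=pass header.from=bank.example
From: "Bank Support" <support@bank.example>
To: victim@example.com
Subject: Your statement is ready

Your monthly statement is available.
"""

# Constructed: From claims bank.example, but the mail was really sent and signed
# by mail-relay.invalid, so neither SPF nor DKIM aligns with the visible sender.
SPOOF_RAW = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-relay.invalid;
 dkim=pass header.d=mail-relay.invalid;
 dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: victim@example.com
Subject: Urgent: verify your account

Click here to verify your account.
"""


def parse_auth_results(header, trusted_authserv):
    """Parse an Authentication-Results header into {method: {"result": ..., props}}.

    Only a header stamped by our own server (matching authserv-id) is trusted;
    a header an attacker inserted before sending is ignored entirely.
    """
    header = " ".join(header.split())                 # unfold continuation lines
    parts = [p.strip() for p in header.split(";")]
    authserv = parts[0].split()[0] if parts and parts[0] else ""
    if authserv.lower() != trusted_authserv.lower():
        return {}
    results = {}
    for clause in parts[1:]:                          # e.g. "spf=pass smtp.mailfrom=x"
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def aligned(auth_domain, from_domain):
    """Relaxed alignment: identical, or one is a subdomain of the other.

    Simplification: real DMARC compares organizational domains via the Public Suffix List.
    """
    if not auth_domain or not from_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def check_spoofing(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Return the From domain, which checks aligned with it, and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    ar_header = msg.get("Authentication-Results")
    auth = parse_auth_results(str(ar_header), trusted_authserv) if ar_header else {}
    spf, dkim, dmarc = (auth.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom"), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d"), from_domain)
    if not auth:
        verdict = "unverified"          # no trusted results: not clean, just unknown
    elif spf_ok or dkim_ok:
        verdict = "authenticated"
    else:
        verdict = "suspected spoof"
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": dmarc.get("result", "none"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RAW), ("spoof", SPOOF_RAW)):
        print(label, check_spoofing(raw))
```

Two points worth noting. A message with no trusted Authentication-Results is reported as "unverified", not as clean, because absence of a check is not evidence of authenticity. And the header is only believed when its authserv-id is our own server's: anyone can type an Authentication-Results line into an outgoing message, which is why receiving servers are expected to strip foreign copies before adding their own.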
Breaking into email accounts
If a mere email address is valuable, the password to the inbox is even more so.
Many applications rely on email to reset passwords. Access to the inbox therefore opens the door to every other service tied to that address: the attacker simply requests a password reset for each one.
Additionally, anyone with access to your email account can send messages as you without any spoofing techniques, which lets criminals launch phishing attacks against your contacts.
In the corporate world, a compromised email account can be used to launch a Business Email Compromise (BEC) scam. A criminal could, for example, send a fake invoice to a customer.
How to protect yourself
- Remember that criminals can gather information from your email address, including passwords leaked from other services;
- Consider using separate email addresses for different tasks, such as one for online registrations and another for purchases;
- Treat emails marked as spam as potentially dangerous;
- Use unique, strong passwords combined with two-step verification (2FA/MFA).