Emerging Threats

Data breach: Could your email account be compromised?

Data breaches can seem like they have become a constant threat. Cybercriminals can try to steal not only your financial and personal information, but your passwords, too.

This means a cyberthief could take control of your email accounts, using them to send out fraudulent messages to your contacts or to steal any personal or financial information you’ve sent in past email messages.

The sobering fact? It’s impossible to protect yourself completely from data breaches, even if your computer and connected devices are protected by the latest antivirus software and even if you don’t fall for phishing scams. Hackers continue to look for new ways to steal victims’ credit card numbers, bank account information, passwords and usernames.

But while you can’t guarantee complete safety against your information being exposed in a data breach, you can take steps to protect your personal email accounts and their passwords. And the best news? Doing this relies mostly on common-sense strategies and antivirus software that is easy to find, run and install.

What is a data breach?

RiskBased Security, in its 2019 Midyear Data Breach report, said 2019 is on pace to see the greatest number of data breaches in history. The company reported that there had been 3,813 data breaches reported through June 30, 2019, breaches that exposed more than 4.1 billion financial and personal records.

If that seems like a lot, it is. The number of reported breaches is up 54 percent when compared to the same period during 2018, according to RiskBased Security.

Why are data breaches so common? They’re profitable for cybercriminals. Hackers can steal the personal information of consumers, including their bank account or credit card information. They can even attempt to steal passwords, including the ones you might use to log into your email accounts, such as those offered by Google, Microsoft, and Yahoo. If successful, this gives hackers access to information they can use to make fraudulent credit card purchases, gain access to consumers’ bank accounts and even open new accounts in the names of their victims.

In the biggest data breaches, the personal and financial information of millions of consumers can be suddenly exposed, leaving these consumers vulnerable to identity theft, financial fraud, and other attacks for months, or even years, to come.

Recent data breaches and what they could mean for your email account

Don't think that data breaches won’t affect you. If you believe you're safe, just check out the headlines.

For instance, Choice Hotels, the parent company of hotel brands such as Clarion, EconoLodge, Quality Inn, and Comfort Inn, was in the summer of 2019 hit by a data breach.

According to cybersecurity firm Comparitech, which discovered the database breach, hackers stole personal information from 700,000 customer accounts. Anyone who stayed at a Choice Hotel before the breach may be at risk.

The information that hackers accessed? Names, phone numbers, and email addresses. Choice Hotels, though, said that no financial information was exposed.

Earlier in 2019, an even bigger data breach made headlines. That's when a hacker gained access to more than 100 million accounts and credit card applications of Capital One customers.

The U.S. Department of Justice said that a hacker broke into a Capital One server and stole 140,000 Social Security numbers and 80,000 bank account numbers. The hacker also gained access to other personal information of Capital One customers.

If a hacker were to gain access to your email address without also gaining access to that address’ password, they likely can't do much damage. But if they do get your password, too, they can cause plenty of hurt with that combination of information.

They could, for instance, send scam emails to everyone on your contact list. These emails might include links for your contacts to click. When they do, the recipients might be taken to a phishing site through which hackers might try to steal their personal and financial information. These same hackers might send out emails, supposedly from you, asking recipients to send money. The money, of course, goes to the hackers, not to you.

Hackers could also use your email and password to reset other account passwords or gain access to your credit card information. They might even use your email and password to sign up for online sites and services, sticking you with the monthly fees in the process.

How can I tell if my email account has been compromised?

How do you know if your email account has been hacked? There are several signs, some more obvious than others.

First, if you try to log into your email account and you can't, that might be a sign that your account has been compromised. A fraudster might have changed your email password, meaning that when you try to log in, you can't. Changing your password is often one of the first steps cybercriminals take after taking control of your email account.

You can also check your “Sent” email box. If you see several emails in there that you didn't send, that’s a sign that someone has gained access to your email account and is using it to send potentially fraudulent messages to the people in your contact lists.

Your friends can provide clues, too. If you get messages from your friends or contacts asking why you’ve been sending them spam, that's likely an indication that a cybercriminal has gained access to your email account and is using it to send messages in your name.

You can also check your IP address log to determine if someone is sending messages from your email account from a different location. Your IP address is a type of digital address that shows where you are located when you log onto the internet. If you mostly log onto the internet from your home or work, a record of your IP addresses will show mostly the same numbers over and over again.

However, if you check a log of your IP addresses and you see several different IP addresses listed, it could be a sign that a fraudster is logging into your email account from different locations.

Some email service providers have tools that you can use to check your IP address. If you use Gmail, for instance, you can scroll to the bottom of the page and look for the word “Details” in the right corner. Click on this and you will see a log of IP addresses from which your account has been accessed.

Personal information and other sensitive data — what could be at risk?

Hackers can cause a lot of grief if they take over your email account. It’s no fun explaining to friends, family members, and co-workers that the message urging them to try the latest diet drug didn’t really come from you. It’s a hassle explaining to your relatives that, no, you’re not stranded in Aruba and you don’t need $500 wired to you immediately.

But fraudsters aren’t limited to sending spam messages and requests for money after they’ve broken into your email account. They can also cause serious financial damage.

What if some of your old email messages contain information about your bank account? Cyberthieves can use that information to access your accounts and withdraw funds. The same holds true if your past email messages contain credit card information. Hackers could then access your online credit card accounts and make unauthorized purchases in your name.

You might use the same password for your email at several other sites across the internet. The cybercriminals who’ve gained access to your email account might use this password to log into your financial sites and steal your money. Or they might use it to purchase items from online retailers, running up charges before you ever notice.

This is why it’s so important to monitor your email accounts for suspicious activity. And if you do find signs of a hack? You need to act quickly to stop the damage.

How to help defend your email account against a breach

You never know when a hacker might go after your email account. But you can take steps to help protect yourself. These steps aren’t guaranteed to keep a hacker at bay. But they can increase the odds that a cybercriminal won’t get into your email account.

First, never use the same password for your email account and the other important sites you visit. If someone gains access to your email password, you don't want that person to use this information to get into your bank, credit card, or healthcare accounts. Make sure to use unique passwords at each of these key sites.

And make your passwords difficult to crack. Include letters, capitalized letters, numbers, and symbols in your passwords. Never use your birthday, address, Social Security number, or anything that someone may be able to guess about you in your password.

Use common sense, too, when reading emails. You might see an email in your account that looks like it's from your bank. If that email asks you to send your username and password to verify your account, stop. This is almost certainly a scam.

Your bank or other financial institutions will never ask for your personal information through an email. Before sending this information, call your bank or financial institution at their published customer service number to verify whether it really requested this personal info.

Don't click on links in emails unless you absolutely know who sent the message to you and you're expecting this person to send you a link. Don't click even if you know the sender if you’re not expecting that link. These fraudulent links can often lead to spoofed websites that look like they’re run by a bank or credit card provider, but are actually created by fraudsters to scam you out of your personal information.

Turn on two-factor authentication. With this security measure, you must first log into a site with your username and password — such as your bank, mortgage lender or credit card provider — and then wait for a code, usually sent to your smartphone. You then enter that code to gain access to the site. This does add an extra step to logging into an account, but it also provides an extra layer of protection.

My email account has been compromised. What should I do?

What if you discover that your email account has been compromised? What if someone has been sending mass emails out in your name?

First, change the password on your email account. This should stop the flow of spam emails coming from your account. Also, consider contacting your email provider to advise that your account has been compromised, and to see what the provider can do to help ensure security. Next, change your credentials at your other online accounts that use your email address, too, especially at online banking and credit card sites.

Notify your contacts that your email account has been compromised. This might prevent them from opening fraudulent emails and clicking on links that they should ignore.

Make sure your computer and devices have protection from a strong, reputable security software. And make sure to enable automatic security updates on that software. The manufacturer should provide security updates to quickly to react to emerging viruses and malware. If you don’t allow these automatic updates and patches, you might be providing a weakness for cybercriminals to exploit.

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.


Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2019 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.