Email safety


  Decrease Text Size Increase Text Size

You might have been hacked if:

  • Friends and family are getting emails or messages you didn’t send.
  • Your Sent messages folder has messages you didn’t send, or it has been emptied.
  • Your social media accounts have posts you didn’t make.
  • You can’t log into your email, online shopping, social media account, or other types of online accounts.

What to do if email is hacked:

  • Update your system and delete any malware.  The first thing you should do if your account gets hacked is to run an end-to-end antivirus scan. This means skipping the "quick scan" setting in favor of a deep scan to identify and eliminate not only all forms of malware (including Trojans and spyware to keyloggers that could be tracking your keystrokes even after the hack has been identified) and potentially unwanted applications.  It's important to make sure you're clean before you change any of your other sensitive information to avoid restarting the cycle.  Also, set your security software, internet browser, and operating system to update automatically.  Click here for a list of free online security scanning software.
  • Review Social Media Accounts.  Look for changes your social networking sites, look for changes to the account since you last logged in.  Look at your personal details, review any third-party apps connected to your account, and check your security questions and answers and your backup email addresses and/or phone numbers. If you think your hacker had a chance to scan your security questions and backup accounts, try to change these on the compromised account and on any other account that relies on the same information. This will prevent the bad actor from using your personal details to breach other accounts in the future.
  • Change Your Passwords.  Once your computer is free of malware, it's time to change your password. If you've lost access to your account, you may need to contact the email provider directly, prove who you are and ask for a password reset. Choose a new password that is very different from your old one and make sure it doesn't contain strings of repeated characters or numbers. Your password should be unique for each account, complex (i.e., a mix of letters, numbers and special characters) and at least 15 characters long.  Learn more about passwords here.
  • Contact Other Online Services.  It's critical to change your passwords with other payment-based accounts such as Amazon, Netflix, LinkedIn, credit card companies, etc. Make sure you use different passwords for every online account.
  • Notify People You Know.  Tell your friends, family and anyone else on your email contact list that they might have gotten a malicious link. During the period when attackers had control of your account, they could have sent dozens or even hundreds of fraudulent emails to everyone you know, in turn giving them access to a new set of victims. 
  • Change Your Security Questions.  While your password was the most likely attack route, it's also possible that hackers broke into your account after answering your security questions. Many users choose the same answer to common security questions.  In order to further protect your email, be sure to employ the multi-factor authentication that many providers allow to gain access to your password, including using secondary email addresses or text messages, since security questions alone are not enough.
  • Report the Hack.  If you haven't already, contact your email provider and report the hack. This is important even if your hacked email didn't cause you to lose access since it helps providers track scam-based behavior. In addition, your email provider may be able to offer details about the origin or nature of the attack.
  • Contact Credit Agencies.  Contact the three credit reporting agencies TransUnion, Experian and Equifax to monitor your accounts in the months after you've been hacked.  Click here to contact credit report agencies.
  • Consider Your ID Protection Options.  If you've been hacked, another idea worth considering is an ID protection service. These services typically offer real-time email and online retail account monitoring, in addition to credit score reporting, and personal assistance in the event of an identity theft. Your financial institution will offer this program for a small monthly fee.
  • Review All Email Accounts.  If the breach affected a service that includes email, such as your Google account, check the email account for sent messages or for new filters. For example, clever hackers can set up filters that forward all incoming mail to an address you don't recognize. Delete such filters to prevent people from worming their way back into your account in the future. This is particularly important because you can reset many other accounts' passwords, and receive notifications about suspicious activity, over email. You don't want an eavesdropper to nab those recovery messages.  Also, check that your email signature and "away" message don’t contain unfamiliar links or forwards. 
  • Create a New Email Account.  Sometimes it's not worth picking up where you left off. If this isn't the first time hacked email has been a problem, or if your provider doesn't seem to be taking steps to mitigate the amount of spam you receive, it may be time for a switch. Look for a service that offers default encryption of your emails and solid customer service in the event of an issue.

Properly Managing Your Email 

  • Keep a minimum of three email accounts. Your first email account should be used for personal conversations, social media accounts, and contacts.
  • Your second email account should be your work account that is used exclusively for work-related conversations.  Don't risk your company's security by using a personal computer or other "non-work" email address at work.
  • Your third 'catch-all' account should be used to sign up for email newsletters, contests, etc.  You should plan on having to dump and change out this account every six months.
  • When you are checking your email at a public computer, you need to log out of your email and close the browser window completely. 
  • Delete browser cache, history and passwords.
  • Do not use un-secure email accounts to send and receive sensitive corporate information. 
  • Unless you need a written record of something or are communicating across the globe, consider whether a simple phone call rather than an email is a better option. Compared with accessing email through a public computer, a phone call is more secure option.

Emailing the Right People

  • Don’t use the Blind Carbon Copy (BCC) option.  
  • Don’t use the "Reply All" button.  
  • Be careful forwarding email.  Forwarding emails can create a significant security threat for yourself and the earlier recipients of the email. As an email is forwarded, the recipients of the mail (until that point in time) are automatically listed in the body of the email. As the chain keeps moving forward, more and more recipient ids are placed on the list. 

Avoiding Phishing Email

Phishing is a type of online fraud wherein the sender of the email tries to trick you into giving out personal information or clicking on a link as a method to try to steal your identity or your money.
  • Don’t send personal and financial information via email.  Financial institutions and online stores provide, almost without exception, a secured section on their website where you can input your personal and financial information. 
  • Avoid writing any company that requests that you send them private financial or personal information via email.
  • Be careful when unsubscribing to newsletters you never subscribed to.  If you don't specifically remember subscribing to a newsletter, you are better off just blacklisting the email address.
  • If you accidentally open a phishing email, do not reply or click on the link in the email. If you want to verify the message, manually type in the URL into your browser.

Signs of phishing include:

  • A logo that looks distorted or stretched.
  • Email that refers to you as "Dear Customer" or "Dear User" rather than including your actual name.
  • Email that warns you that an account of yours will be shut down.
  • An email threatening legal action.
  • Email which comes from an account similar, but different from, the one the company usually uses.
  • An email that claims 'Security Compromises' or 'Security Threats' and requires immediate action.
  • Review the signature.  Legitimate businesses always provide contact details.
  • The hyperlinked address is different from the address that is displayed.
  • The email asks you to make a donation.
  • You didn't initiate the action of the email subject.

Avoiding Email Malware

  • Don’t always trust an email from someone you know.  Malware and viruses can be circulated by people who have no idea they are sending it, because hackers are using their computer as a zombie. 
  • Blacklist spam instead of deleting it.  When you 'blacklist' an email sender, you tell your email client to assume that they are spam. 
  • Don’t disable the email spam filter.  
  • Scan all email attachments.  Many free email clients provide an email attachment scanner built-in. You can first forward your attachments to that account before opening them.


A brand-phishing email is designed to impersonate the official websites of prominent brands – such as those within the technology, banking, shipping, and retail industries. The purpose is to trick consumers into revealing sensitive personal account information.  The email will contain malicious code that will redirect to a fake website (scampage) that requires consumers to login to verify information. Links to these scampages are sent through emails, text messages, or via web and mobile applications and may spoof the identity or online address to resemble the genuine site. The scampages may then use login forms or malware to steal users’ credentials, payment details, or other personally identifiable information (PII).
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
  • When receiving account alerts, rather than clicking a link within an email or text, opt to navigate to the website using the secure URL to review any logs, messages, or notices.
  • Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, to include the username and/or domain names/addresses (i.e., capital “I” vs small “L”, etc.).
  • Use strong unique passwords, and do not re-use the same password across multiple accounts.
  • Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
  • Enable 2FA and/or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
  • When possible, do not use your primary email address for logins on Websites. Create a unique username not associated with your primary email address.

Keeping Hackers at Bay

  • Don’t share your account access information with others.  
  • Don’t use simple and easy-to-guess passwords.  
  • Encrypt your important emails.  
  • Encrypt your wireless connection.  
  • Use a digital signature whenever you sign an important email. 

Red flags you're about to get scammed

  • Links that are the only content in the body of an email.
  • or otherwise shortened links. 
  • Hyperlinked text.
  • Inordinate number of recipients.
  • Vague, generic or nonexistent subject lines.
  • Intense enthusiasm.
  • Grammar and spelling errors.
  • Strange requests.
  • Urgent message.
  • Sensitive information requests.
  • Surefire guarantees promise.

eFraud Prevention™, LLC