How do email accounts get compromised?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your email account is the crown jewel for attackers. Compromise it, and they've got access to your customer lists, message content, authentication tokens, and the power to send emails from your domain. If you're running a company or sending email at scale, a compromised account isn't a minor security issue. It tanks your sender reputation, gets your domain blocklisted, and can destroy customer trust in hours.

Here's how it actually happens.

Phishing is the most common path. An attacker sends you a fake login page (looks like Gmail, Outlook, whatever) and you enter your credentials. They've got your password. Spear phishing is even more dangerous: it's personalized to you, references your company or recent news, and hits a psychological weak spot. A generic phishing email might fool 5 percent of people. A well-crafted spear phishing email can fool 30-40 percent.

Password attacks come next. If you reused a password from a breached service (and many people do), attackers can try that password against your email account. That's called credential stuffing. They buy leaked passwords from dark web databases and test them automatically across thousands of accounts. Password spraying is the opposite: they pick one common password ("Password123") and try it against thousands of accounts. Brute force is oldest school: just guess randomly until something works (slow, but it happens).

Malware is quieter but equally nasty. A keylogger hidden in software captures your password as you type. An info-stealer grabs your saved passwords from your browser. Once installed, malware runs silently in the background, sending attackers everything they need.

Other vectors exist but are rarer. Session hijacking steals your active session token so they can log in while you're already logged in. OAuth token theft (if you've authorized third-party apps) gives attackers access without needing your password. SIM swapping, where someone convinces your phone carrier they're you, hijacks your phone number and resets your password via "forgot password" flows.

The scary part: once they're in, they sit quietly for days or weeks, siphoning data and setting up forwarding rules so they see everything you see. Then they start sending campaigns. By the time you notice, your domain's on every blocklist. Learn what phishing emails look like so you can spot them. Next step: check if your sending account uses a strong, unique password and enable two-factor authentication immediately.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Protect your sending account from compromise.

If our sending account gets compromised, what exactly happens to our sender reputation and domain blocklisting? And which of these attack methods is most likely to hit a company our size?

Edit the yellow boxes, then send to the AI of your choice.