How can I prevent account compromise (e.g., MFA)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine someone on your team clicks a convincing phishing link, hands over their password, and your sending account is wide open before anyone notices. It happens more often than you'd think. The good news is that a few layered protections make this kind of account takeover dramatically harder to pull off.

Here's a practical order of operations.

Step 1: Turn on MFA everywhere, today

Multi-factor authentication (MFA) is the single highest-impact thing you can do. A stolen password alone isn't enough to get in if there's a second factor required. Enable MFA on your ESP account, your domain registrar, your DNS host, and any email admin panel your team touches.

Which MFA method should you pick? Authenticator apps (like Google Authenticator or Authy) are stronger than SMS codes because SMS can be intercepted via SIM-swapping. Hardware security keys (like a YubiKey) are stronger still, though they add friction. For most email teams, an authenticator app is the right balance. SMS MFA is better than nothing, but don't stop there if you can help it.

Step 2: Get everyone on a password manager

Unique, complex passwords for every account aren't realistic without a tool to store them. Password managers like 1Password or Bitwarden handle that completely. Your team doesn't need to remember any password except the one master login.

If someone genuinely can't use a password manager (device restrictions, access policies), the fallback is a passphrase: four or five random unrelated words strung together. It's long enough to resist brute-force attacks and memorable enough to not get written on a sticky note. That said, push for the manager first.

Never reuse passwords across accounts. One compromised address (say, from an old data breach) can cascade through every service if the password matches.

Step 3: Reduce who has access at all

Fewer people with sending account credentials means a smaller attack surface. Audit who actually needs admin-level access vs. who just needs to pull reports. Most ESPs have role-based permissions for exactly this reason. Use them.

But when a team member leaves, revoke access the same day. Not the same week.

Step 4: Teach the team to spot phishing

Technical controls help a lot, but most account compromises still start with someone clicking something they shouldn't. A quick regular reminder about what phishing looks like (mismatched URLs, urgent "verify your account" emails, login pages that look slightly off) goes a long way. You don't need a formal training program. A monthly team message works fine.

So it also helps to create a simple habit: if someone gets a suspicious login prompt or email, they report it rather than ignore it. Catching one real attempt early can prevent a much bigger problem later.

If you're already doing all of this and something still feels off, check out the signs of a compromised sending account so you know what to watch for. And if things are actively broken right now, our SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a prioritized lockdown plan for your team

I want to lock down our email sending accounts against compromise. Based on our setup, help me prioritize the right steps. Tell me about your situation: 1. What email platform or ESP does your team use to send? (e.g., Mailchimp, HubSpot, custom SMTP) 2. How large is your team? (solo, 2-10, 10+) 3. Do you currently have MFA enabled on your sending accounts? (yes / no / not sure) 4. Does your team use a password manager today? (yes / no / some do) 5. Have you had any suspicious login attempts or account issues recently? Based on your answers, I'll give you a ranked action list with the highest-impact fixes first.

Edit the yellow boxes, then send to the AI of your choice.