There's a good chance you've been using the same email address everywhere online. For example, the address you use for your bank account is likely the same one you use for your streaming accounts. That very same email address might also be on a resume you posted online—or it might have been posted on the dark web, along with other personal information hackers stole from a company’s servers. That’s a lot of points of exposure for one email address, and if a scammer decides to take it over, they can gain access to much of your life. I'm here to walk you through what to do if a scammer has your email—and how to keep it from happening again.
This article was made possible in part by Incogni. It was written and edited independently without partner oversight.
How to Recover Quickly After an Email Hack
Scammers don’t have to take over your email account to do harm. A search for your publicly posted email addresses can lead criminals to your old social media accounts, your profiles on data broker sites, and even breached account data on the dark web. Even worse, a crafty hacker can use AI tools to search for all public information associated with your email addresses, and use that data to open new accounts in your name, find your passwords on the dark web, or get into your financial or shopping accounts to commit fraud.
To help you get back your accounts after impersonation scams, I’ll describe two recovery scenarios, and you can pick and choose the steps you want to take based on your specific situation.
Scenario 1: Your Email Account Has Been Hijacked
Timing is crucial in this scenario, so act quickly. If you suspect a stranger is in your inbox, change your password if you can still log into the account. If the attacker changed your password, use the email provider’s official account recovery page to verify your identity and regain control of your account.
Once you have control of the account again, enable multi-factor authentication (MFA) and ensure you aren’t using the same password for other online accounts. A password manager will make this step very easy; most can generate MFA tokens for your accounts, and all of them can generate long, strong, and unique passwords, and even fill them in on websites so you don’t have to.
You can also use the built-in password manager on your phone for this step, but if you’re looking to truly decentralize your online accounts, start by choosing a password manager that allows you to store your credentials locally, instead of on the company’s servers in the cloud. Even if you only store your financial account passwords on your computer or another device, you’re still keeping some of your data offline and away from possible large-scale cloud server attacks.
For more suggestions, read our guide to getting your online life back after being hacked. The article includes instructions for strengthening your email security, notifying other people, and dealing with any financial fallout.
Scenario 2: Someone Is Using Your Email Address to Impersonate You
If your email account is secure, but someone has created a profile or account on another platform and is impersonating you using your name or photos, I don’t recommend engaging the scammer. Instead, use the platform’s official communication channels (usually email or a contact form) to report the account for impersonation.
You’ll have a better case if you provide screenshots and links to the impersonation attempts to back up your claims, so make sure to gather that evidence. If you have a different social media account, let your friends and followers know about the impersonation attempts, and warn them to be wary of messages or links sent from unofficial accounts attributed to you.
If the impersonation attempts also involve financial fraud or anything that falls under the “legal liability” umbrella, remember to report the incidents. To do this, head over to IdentityTheft.gov or IC3.gov to get advice from the FTC and FBI, respectively.
Obscure Your Digital Footprint to Protect Your Identity
Once your data makes it to the dark web, you’re not clawing it back. It’s in the hands of scammers now. Your best bet is to minimize damage by changing how you create and maintain your online accounts. One tried-and-true method is to lie to the internet about who you are and what you’re doing.
Obscure your digital footprint by using fake information on web forms and creating fake email addresses to open new accounts. I had to do all of this after a massive data breach exposed my old email address on the dark web several years ago. In the years since that incident, I closed the account and took a few other measures to lock down and scatter my online presence.
Clean Up Your Old Data Online
A lot of your old email addresses, phone numbers, and other personal information are still online because data brokers sell them on platforms like Whitepages or criminal record lookup sites. You can pay for a personal data removal service that will send requests to data brokers on your behalf. A good service, like the ones listed below, will scan hundreds of websites to find your information, manage the opt-out process on your behalf, and monitor for any instances where data brokers resurface your details.
You can also choose to take the time to make the requests yourself. If you do, you may want to block out a few hours over a few weekends to get the job done, because the process can be tedious. I also recommend consulting the excellent data removal workbook from IntelTechniques for a comprehensive list of data broker websites and instructions on submitting your data removal request for each platform.
In my experience, it’s worth trying the big data broker platforms like Whitepages first. Since eliminating that significant source of public data, I’ve received far fewer spam calls and zero scammy texts.
Remember to give away as little information about yourself as possible when requesting data removal. When I asked Whitepages to remove my profile several weeks ago, I only gave up a Google Voice number, no other information.
Keep Your Primary Email Private
If your work or hobbies require you to maintain a public-facing communication channel, I recommend creating an email address to use on your resume and when interacting with clients and coworkers. Keep that address separate from the email you use for interacting with close friends and family, and don’t use it to sign up for financial accounts or social media platforms. Assume that someone will try to get into that inbox, and don’t leave any crumbs of important data for them to find and connect to your private accounts.
Use Email Aliases to Stay Anonymous
It’s incredibly easy to create new, unique email addresses for every online account if you use an email alias generator. These services will give you a fake email address to use when logging into your accounts, and you can forward emails to your real account. If you use Apple devices, visit the iCloud settings menu on your device to sign up for Hide My Email and start generating fake email addresses.
Your password manager may be able to create fake email addresses for you, too. For example, Proton Pass will generate email aliases and inboxes so you can protect your real email address. Bitwarden and NordPass offer similar settings, but you’ll need to sign up for a third-party service like SimpleLogin first.
Close or Secure Old Email Accounts
If you took full advantage of free email address providers throughout the 2010s, there are a bunch of addresses associated with you that have been abandoned for years. These addresses are like catnip to scammers, since the accounts are usually secured with short, easy-to-guess, or breached passwords, without a lick of MFA in sight. A scammer may be able to get into the account with little effort and use your old email data to open new accounts using your photos and personal information.
With that scenario in mind, it’s a good idea to delete your old email accounts. If you’re sad about losing the sentimental value of the old addresses, download all of your data to your computer or another storage device. You’ll access those memories faster, without logging in, and you’ll keep them out of internet criminals’ hands.
Still hesitant to delete your accounts? That’s OK! I believe that the most effective cybersecurity habits are ones you’ve customized to fit your lifestyle. You don’t have to close all of your old inboxes to live a more private online life. If you’re ready to switch email providers, check out our list of recommendations.
At the very least, I suggest deleting your old photos, videos, chats, and messages in these inactive email accounts. Most email providers allow users to create downloadable backups of their data or important conversations within the settings menu.
Lock Down Your Digital Life Beyond Your Inbox
When you’re ready to obfuscate the rest of your online identity, check out our guide to completely disappearing on the internet. If that sounds like a bit too much privacy right now, shore up your family’s defenses online with our cybersecurity checklist.


